Thank you, Madam Chair, and honourable members.
My name is John Lawford, and I am executive director and general counsel at the Public Interest Advocacy Centre here in Ottawa.
PIAC is a federally incorporated non-profit and a registered charity that provides legal and research services on behalf of vulnerable consumers' interests concerning important public services.
PIAC regularly participates in proceedings before the CRTC and represents consumer interests in retail banking and payment systems with the FCAC, the Department of Finance and the OBSI.
Consumer fraud is a hot potato. Companies avoid it because they do not want the risk of liability for the fraud. Police have insufficient resources to address its overwhelming size and daunting technical complexity, which changes with each vector. Regulators like the CRTC define their jurisdiction narrowly to avoid being responsible for the problem, viewing it as an operational black hole.
On an individual level, fraud is humiliating and often devastating. We naturally avoid this issue like we avoid discussing poverty because we recoil from the obvious injustice and pain that is inflicted on the victims. Avoiding a problem never makes it better, though, so we commend this committee for insisting that we take a look at one aspect of fraud in today's committee hearing, phone fraud.
The statistics we do have about the scope of the “fraud problem” are so fragmentary as to themselves pose a problem for dealing with the problem. There is no definitive and official source for them. We have recent data from the Canadian Anti-Fraud Centre that show about 46,000 reports were made in 2019, with 19,000 victims and a loss of around $100 million.
The calls to CAFC largely covered fraud committed over the phone and Internet. However, the FCAC, for example, cited 15 million fraud victims losing $450 million in 2007, likely including other types of fraud, including in person, but more reliable or current numbers are scarce. The CRTC, for example, only has numbers of complaints made in relation to the do-not-call list and not specific fraud numbers.
However, PIAC believes, based on its work in the sector, that the scope of fraud committed by telephone to be one to two orders of magnitude higher than CAFC numbers. That's voice and text fraud, in part using regular phone numbers, but leaving aside Internet-based scams you might get on your mobile phone.
It is also our belief, based on direct contact with consumers and with seniors and low-income groups such as the National Pensioners Federation and ACORN Canada, that phone fraud both specifically targets and inordinately affects seniors and low-income Canadians, some of whom may be newer Canadians. They can least afford to suffer a fraud.
I will not be addressing number porting or SIM swap fraud. It's a recent concern that requires urgent attention, though. Shortly you will hear from Randall Baran-Chong, who is both a victim of this fraud and an eloquent advocate for fixing this devastating hack. I will leave it to him to describe. However, I do note that PIAC has called for an open public hearing at the CRTC with consumer groups, wireless users, CWTA and major providers. However, so far the CRTC and CWTA have refused to have a public inquiry.
Instead, I want to talk today about good old phone fraud, getting a victim to answer their phone, home or mobile, and engage in a conversation with a fraudster which culminates ultimately in the victim transferring money to the fraudster or revealing so much personal information that the fraudster can then transfer money himself, without the victim's knowledge. This sort of fraud can be catalyzed by the spoofing of numbers or call display names to mislead consumers into thinking they are receiving a call from a legitimate agency such as a government department or a local police office number.
However, what makes for really good old phone fraud is volume and automation. The more calls made, and the more efficiently made from the scammer's viewpoint, the more likely it is to ensnare a victim.
I can tell you that billions of calls are made a year to Canadian numbers, and at least tens of millions of those calls are stage one fraud robocalls. Here's how it works. A program written by a fraudster calls thousands of phones in an hour usually with a spoofed originating phone number. No people are involved. Now multiply this by many programs, computers and other scammers doing the same thing and targeting multiple area codes and you get the idea.
In stage two, however, the potential victim answers and does not hang up but listens to the recorded message, possibly because they trust the source, fear the source or are simply lonely and looking for some human contact. If the victim presses “1” to hear the message, a live fraudster walks the victim through the fraud to the point of money transfer.
Robocalls are just fishing lines flung out to the sea of phone-owning humanity. The secondary calls with a live agent are vastly smaller in number. This smaller number is still very large; we just don’t know how large. That is where the fraud takes place.
What's new? What's changed in this area lately to give you the impression that we have a phone fraud epidemic? “Epidemic” is a bad word today. Why are more and more Canadians, especially seniors and low-income Canadians, falling victim to phone fraud?
The answer is that the phone system has been technologically democratized. In the past, to dial multiple numbers, a knowledge of the phone company’s network software was required. This software allowed only a certain throughput of dialed numbers. Now almost the entire phone system runs on Internet protocol. This allows many millions of calls to be made to many millions of numbers and transmitted by a small number of computer operators.
While IP-based telephony has allowed new competitors and services, it has allowed fraud to balloon, in part due to the possibility of spoofing numbers with IP, which is harder than with the old software. The bottom line, so to speak, is that with more fishing lines come more hooked fish.
The phone industry, especially legacy carriers such as Bell Canada and Telus, know this reality all too well, as does the CRTC, which at least views nuisance robocalls as within its telemarketing jurisdiction. It deals, at least in part, with numbers on the do-not-call list. They are all working together on the spoofing part. The CRTC already requires them to block obviously spoofed numbers such as 000-000-0000. They are all working on implementing the STIR/SHAKEN protocol you just heard about, which really works only on entirely IP-based calls. All it really does is provide a confidence rating for each call. That is, it allows the recipient software to automatically block these likely robocalls. Both of these measures will help, but they will not totally stem the tide.
However, there are also new network-level blocking technologies, like those developed by Bell Canada, which has now applied to the CRTC to allow this. They claim to use AI-based algorithms to identify likely robocall sources, along with some confidential extra fail-safes that they have promised, and then to block all such suspicious calls that are transiting Bell’s network. Bell's network is vast in Canada.
While this does raise concerns from other carriers that must use Bell’s network to connect calls and it concerns legitimate customers who may have their calls illegitimately blocked, it does attempt to address the volume aspect of our problem. It attempts to use automation against automation. We believe it is likely, on balance, a positive development, but will it be sold to us or offered for free?
Last, what is missing to combat the actual content of fraud calls is more authority in this area for the CRTC. We suggest looking at the U.S. Telephone Consumer Protection Act, and a dedicated anti-phone fraud act, for example, one more akin to the Telemarketing Consumer Fraud and Abuse Prevention Act in the United States. In this regard, we also noticed that the broadcasting and telecommunications legislative review report seems to have missed a chance to recommend amending the Telecommunications Act to give the CRTC more authority to deal with fraud calls or to recommend a dedicated anti-phone fraud act, whether administered by the CRTC or perhaps by the new data commissioner.
We also need a better, more centralized, comprehensive and reliable set of phone fraud and Internet fraud-related statistics and reports to be gathered and publicly released at regular intervals. Finally, we need continual oversight and democratic encouragement by Parliament of work on phone fraud. It is too important to allow this game of hot potato to be played between regulators, companies and the police.
Thank you very much.