Industry Committee on Oct. 3rd, 2022

Good morning.

Mr. Chair and members of the committee, it is my honour to join you today to discuss the prevalence of fraudulent calls and other scams in Canada, and the efforts undertaken by the RCMP since we last spoke to you on this topic in May 2020.

I'm Director General Chris Lynam. I'm responsible for the national cybercrime coordination unit—the NC3—and the Canadian anti-fraud centre (CAFC) at the RCMP. Joining me today are Sergeant Guy-Paul Larocque, acting officer in charge of the CAFC, and Superintendent Denis Beaudoin, director of financial crimes within federal policing criminal operations.

Before discussing fraudulent calls and other scams impacting Canadians, I would like to briefly outline the mandate of the CAFC and the NC3. First, the CAFC includes a long-standing partnership among the RCMP, Ontario Provincial Police and Competition Bureau Canada. The CAFC works closely with Canadian and international law enforcement partners to combat mass-marketing fraud and other types of fraud, including fraudulent calls.

In 2021, the CAFC aligned its operations with the NC3, another national police service at the RCMP focused on combatting cybercrime. Whereas the CAFC focuses on fraud and online scams, the NC3 focuses more on combatting technology-as-target cybercrime, such as ransomware, data breaches and other cyber-intrusions. The CAFC and the NC3 work closely, given the strong links between fraud and cybercrime, to provide highly coordinated services to the Canadian and international law enforcement communities.

Since our last committee appearance in 2020, the CAFC and the NC3 have seen a significant increase in fraudulent activity in Canada. In 2021, the CAFC received reports of $379 million in fraud losses from victims—a historic year in reported fraud losses and a 130% increase compared to the previous year. At the same time, the CAFC estimates that only 5% to 10% of victims actually report fraud to law enforcement.

Of the reported fraud losses among victims in 2021, more than 70% were cyber-enabled, meaning that the fraudulent activity was committed via the Internet or related digital platforms, such as email or social media. These trends and the convergence of cyber-enabled fraud with other cybercrime activity underscore the importance of collaboration between the CAFC and the NC3, and the need for Canadian law enforcement to continually adapt and keep pace.

Despite the rise in online scams, Canadians continue to be targeted by fraudulent calls at the same time.

In 2021, the CAFC received over 32,000 reports where the victim was contacted by phone by the fraudster. Fraudulent phone calls can include attempts from criminals claiming to be law enforcement, the Canada Revenue Agency, banks and other financial institutions, among other types of fraud.

Make no mistake. It is incredibly challenging to investigate and apprehend fraudsters and cybercriminals. Oftentimes, we are dealing with thousands of victims, multiple policing jurisdictions, and cybercrime infrastructure and digital evidence in foreign countries.

However, these challenges also acted as a catalyst for Canadian law enforcement. We adapted, accelerated our efforts to collaborate with like-minded partners, and took on more of a holistic approach to combatting fraud and cybercrime.

Various RCMP programs continue to play key roles in several international operations against cybercrime and fraud. However, we also recognize that fraud, in all its forms, is a pervasive and enduring challenge, and we cannot simply arrest our way out of this problem. Our response to fraud requires broader efforts.

For example, in some cases, and where possible, we work closely with domestic and international partners to assist with the recovery of victim funds attributable to fraud. In 2021 the CAFC assisted in 36 instances of freezing or recovering funds, totalling approximately $3.4 million.

Another key aspect to combatting fraud and cybercrime is prevention, outreach and awareness-building. It is a happy coincidence that I am here and able to speak to you in October, cybersecurity awareness month. A key theme to our prevention activities this month includes awareness and prevention material about phishing techniques used by fraudsters. Our prevention efforts are ongoing throughout the year, with another notable month in March focused on fraud prevention. Last year for fraud prevention month we focused on outreach and awareness against impersonation scams.

In conclusion, our efforts over the past few years have been significant—insufficient but significant—and we remain committed to finding new ways to protect Canadians and reduce victimization associated with fraud and cybercrime.

I would like to thank the committee for the opportunity to speak with you today. We welcome any questions.

It may not differ that greatly from other types of investigations. If the suspects are in Canada, we're going to utilize the vast tools at our disposal, including production orders, search warrants and other tools. When people are located outside Canada, then we need partnerships and we need to request assistance from foreign governments. Oftentimes, that creates delay. That's the main difference.

There are other differences, but I think that would be the main difference. If you are seeking evidence located outside of Canada, then you're going to need assistance from a foreign jurisdiction.

Well, I'm sure you would understand that it's very dependent on which country you need assistance from. We have a very strong relationship with countries that are close allies, whereas with other countries it's more difficult. Of course, any type of assistance for evidence goes through the Department of Justice and then through the justice department of the foreign jurisdiction.

There is a process in place, but sometimes we're not able to get the evidence we seek due to a lack of collaboration or willingness from the other country to collaborate. When we talk about complexity, that's definitely one that is at the forefront.

I'll answer that, although not necessarily about new frameworks. I can talk about some of the measures that exist now.

As Superintendent Beaudoin mentioned, there's both the domestic piece and then the international co-operation piece. That's a big piece of what the mandate of the CAFC and NC3 is about. It's about working with law enforcement partners domestically and then linking those efforts, where possible, to international efforts. That could be bilaterally with other countries and also multilaterally.

A good example in the cybercrime space is that we work quite a bit with the European Cybercrime Centre. They have a specific group, the joint cybercrime action task force, of 18 member states of Europol plus some third parties—Canada, the U.S. and Australia. Out of the Europol headquarters, they are in contact daily, trying to work these international investigations together.

That is a great example of how collaboration at the multilateral level can lead to further investigations and, if not to arresting or prosecuting cybercriminals and fraudsters, to going after their infrastructure. There have been quite a few successes on that front.

I'm not sure I would recommend countries. I think we would continue to try to deepen the relationships we have with some of the key ones that are working together, as I mentioned, a lot of the European countries and our Five Eyes allies, the U.S., U.K., New Zealand and Australia. Those are the ones we are really working closely with on a lot of these international files.

This one is difficult to draw a specific number to because, for the vast majority of scam operations, they will try to work over many different jurisdictions. The way criminals operate in that sphere is that they will operate from point A, likely targeting a victim in point B, and then move the money to point C. We often see that when we look at data from the anti-fraud centre.

To say specifically what it is operating from the country.... We're aware there are scam operations originating from the country, but there are also many scam operations targeting Canadians that come from outside, from all over the world. It can be difficult to give a specific number, but what I can tell you is that Canadians are really being targeted by scam operations. The losses we see with reports at the anti-fraud centre speak to that.

Part of the challenge, as you mentioned, is that you're dealing with very highly adaptive people, and they are criminals. They can very easily pivot to adopt the newest technique or figure out what technique works. For example, they will watch what's happening in terms of an incident or a government-type rebate, and they will very quickly be able to figure out how to go and put that scam pitch out to Canadians.

They are adapting technology to enable that as well. As we talked about, we now think that over 70% of the activity is cyber-enabled at the same time. We're working with law enforcement across the country to help them either build or acquire software or share best practices in techniques. There are some things out there now that, if we keep training on them in terms of techniques and what have you, are going to make us better prepared.

It's a bit like they move the yardsticks and then we have to keep moving the yardsticks down the field as well.

We don't collect that in terms of the units represented here. I know that Statistics Canada releases regular crime stats on the prevalence of fraud and cybercrime. In some cases, that trend is increasing in the cyber-enabled. That has increased year to year.

One of the additional aspects is that we don't just focus on the arrests, charges or convictions. We try to take a holistic approach to reducing victimization. In some cases, that could be recovery efforts to help people freeze or recover their money, as I mentioned.

Other efforts are to work with different service providers, so if we come across infrastructure, web domains or websites that we think are being used by fraudsters, we reach out to those service providers to say that we think fraudsters are using this. They can then take action to take those offline and what have you.

We also focus a lot, as I mentioned, on the prevention side. We really focus on a holistic approach to tackling and reducing that level of victimization.

Sure. Actually, I might address one of your questions. I wouldn't want to leave the committee with the impression that police aren't heavily focused on investigating fraudsters and cybercriminals. The mandate of the CAFC and the NC3 is very much about enabling law enforcement agencies in Canada to do those investigations, and the federal policing part of the RCMP as well. There are many investigations under way. I wanted to point out that we don't just do that; we have other activities.

In terms of information sharing with the CRTC and other entities, we operate under what our authorities are in terms of sharing. There is some information we can share with the CRTC and vice versa. Almost any agency would say it can improve information sharing across the board and that would make things better, but there are many opportunities where we share now.

When it comes to private sector entities, like telecommunications companies and financial institutions, we have to be governed by how police operate. If we need information from the police, we often have to get a production order or other type of measure.

There are many opportunities or times when a bank will come to us as a victim and say, “We think we've been victimized,” or, “Some of our clients have been victimized.” There is regular communication, and we have talked about some of the outreach we do when we come across stuff that we think is impacting their clients.

Generally, yes, there is always scope for improved information sharing.

Obviously more of a regulatory-type argument or position is needed whereby CRTC and the Government of Canada have more of the mandate in terms of how regulated the telcos are or whether additional regulations are needed. I could say that from the RCMP and law enforcement perspectives, we have good relationships with telcos. We try to work with them as much as possible within our current authorities. I really can't comment on whether the government should regulate this sector further. We focus on enforcing the Criminal Code provisions.