Industry Committee on Oct. 3rd, 2022

Good morning.

Mr. Chair and members of the committee, it is my honour to join you today to discuss the prevalence of fraudulent calls and other scams in Canada, and the efforts undertaken by the RCMP since we last spoke to you on this topic in May 2020.

I'm Director General Chris Lynam. I'm responsible for the national cybercrime coordination unit—the NC3—and the Canadian anti-fraud centre (CAFC) at the RCMP. Joining me today are Sergeant Guy-Paul Larocque, acting officer in charge of the CAFC, and Superintendent Denis Beaudoin, director of financial crimes within federal policing criminal operations.

Before discussing fraudulent calls and other scams impacting Canadians, I would like to briefly outline the mandate of the CAFC and the NC3. First, the CAFC includes a long-standing partnership among the RCMP, Ontario Provincial Police and Competition Bureau Canada. The CAFC works closely with Canadian and international law enforcement partners to combat mass-marketing fraud and other types of fraud, including fraudulent calls.

In 2021, the CAFC aligned its operations with the NC3, another national police service at the RCMP focused on combatting cybercrime. Whereas the CAFC focuses on fraud and online scams, the NC3 focuses more on combatting technology-as-target cybercrime, such as ransomware, data breaches and other cyber-intrusions. The CAFC and the NC3 work closely, given the strong links between fraud and cybercrime, to provide highly coordinated services to the Canadian and international law enforcement communities.

Since our last committee appearance in 2020, the CAFC and the NC3 have seen a significant increase in fraudulent activity in Canada. In 2021, the CAFC received reports of $379 million in fraud losses from victims—a historic year in reported fraud losses and a 130% increase compared to the previous year. At the same time, the CAFC estimates that only 5% to 10% of victims actually report fraud to law enforcement.

Of the reported fraud losses among victims in 2021, more than 70% were cyber-enabled, meaning that the fraudulent activity was committed via the Internet or related digital platforms, such as email or social media. These trends and the convergence of cyber-enabled fraud with other cybercrime activity underscore the importance of collaboration between the CAFC and the NC3, and the need for Canadian law enforcement to continually adapt and keep pace.

Despite the rise in online scams, Canadians continue to be targeted by fraudulent calls at the same time.

In 2021, the CAFC received over 32,000 reports where the victim was contacted by phone by the fraudster. Fraudulent phone calls can include attempts from criminals claiming to be law enforcement, the Canada Revenue Agency, banks and other financial institutions, among other types of fraud.

Make no mistake. It is incredibly challenging to investigate and apprehend fraudsters and cybercriminals. Oftentimes, we are dealing with thousands of victims, multiple policing jurisdictions, and cybercrime infrastructure and digital evidence in foreign countries.

However, these challenges also acted as a catalyst for Canadian law enforcement. We adapted, accelerated our efforts to collaborate with like-minded partners, and took on more of a holistic approach to combatting fraud and cybercrime.

Various RCMP programs continue to play key roles in several international operations against cybercrime and fraud. However, we also recognize that fraud, in all its forms, is a pervasive and enduring challenge, and we cannot simply arrest our way out of this problem. Our response to fraud requires broader efforts.

For example, in some cases, and where possible, we work closely with domestic and international partners to assist with the recovery of victim funds attributable to fraud. In 2021 the CAFC assisted in 36 instances of freezing or recovering funds, totalling approximately $3.4 million.

Another key aspect to combatting fraud and cybercrime is prevention, outreach and awareness-building. It is a happy coincidence that I am here and able to speak to you in October, cybersecurity awareness month. A key theme to our prevention activities this month includes awareness and prevention material about phishing techniques used by fraudsters. Our prevention efforts are ongoing throughout the year, with another notable month in March focused on fraud prevention. Last year for fraud prevention month we focused on outreach and awareness against impersonation scams.

In conclusion, our efforts over the past few years have been significant—insufficient but significant—and we remain committed to finding new ways to protect Canadians and reduce victimization associated with fraud and cybercrime.

I would like to thank the committee for the opportunity to speak with you today. We welcome any questions.

It may not differ that greatly from other types of investigations. If the suspects are in Canada, we're going to utilize the vast tools at our disposal, including production orders, search warrants and other tools. When people are located outside Canada, then we need partnerships and we need to request assistance from foreign governments. Oftentimes, that creates delay. That's the main difference.

There are other differences, but I think that would be the main difference. If you are seeking evidence located outside of Canada, then you're going to need assistance from a foreign jurisdiction.

Well, I'm sure you would understand that it's very dependent on which country you need assistance from. We have a very strong relationship with countries that are close allies, whereas with other countries it's more difficult. Of course, any type of assistance for evidence goes through the Department of Justice and then through the justice department of the foreign jurisdiction.

There is a process in place, but sometimes we're not able to get the evidence we seek due to a lack of collaboration or willingness from the other country to collaborate. When we talk about complexity, that's definitely one that is at the forefront.

I'll answer that, although not necessarily about new frameworks. I can talk about some of the measures that exist now.

As Superintendent Beaudoin mentioned, there's both the domestic piece and then the international co-operation piece. That's a big piece of what the mandate of the CAFC and NC3 is about. It's about working with law enforcement partners domestically and then linking those efforts, where possible, to international efforts. That could be bilaterally with other countries and also multilaterally.

A good example in the cybercrime space is that we work quite a bit with the European Cybercrime Centre. They have a specific group, the joint cybercrime action task force, of 18 member states of Europol plus some third parties—Canada, the U.S. and Australia. Out of the Europol headquarters, they are in contact daily, trying to work these international investigations together.

That is a great example of how collaboration at the multilateral level can lead to further investigations and, if not to arresting or prosecuting cybercriminals and fraudsters, to going after their infrastructure. There have been quite a few successes on that front.

I'm not sure I would recommend countries. I think we would continue to try to deepen the relationships we have with some of the key ones that are working together, as I mentioned, a lot of the European countries and our Five Eyes allies, the U.S., U.K., New Zealand and Australia. Those are the ones we are really working closely with on a lot of these international files.

This one is difficult to draw a specific number to because, for the vast majority of scam operations, they will try to work over many different jurisdictions. The way criminals operate in that sphere is that they will operate from point A, likely targeting a victim in point B, and then move the money to point C. We often see that when we look at data from the anti-fraud centre.

To say specifically what it is operating from the country.... We're aware there are scam operations originating from the country, but there are also many scam operations targeting Canadians that come from outside, from all over the world. It can be difficult to give a specific number, but what I can tell you is that Canadians are really being targeted by scam operations. The losses we see with reports at the anti-fraud centre speak to that.

Part of the challenge, as you mentioned, is that you're dealing with very highly adaptive people, and they are criminals. They can very easily pivot to adopt the newest technique or figure out what technique works. For example, they will watch what's happening in terms of an incident or a government-type rebate, and they will very quickly be able to figure out how to go and put that scam pitch out to Canadians.

They are adapting technology to enable that as well. As we talked about, we now think that over 70% of the activity is cyber-enabled at the same time. We're working with law enforcement across the country to help them either build or acquire software or share best practices in techniques. There are some things out there now that, if we keep training on them in terms of techniques and what have you, are going to make us better prepared.

It's a bit like they move the yardsticks and then we have to keep moving the yardsticks down the field as well.

We don't collect that in terms of the units represented here. I know that Statistics Canada releases regular crime stats on the prevalence of fraud and cybercrime. In some cases, that trend is increasing in the cyber-enabled. That has increased year to year.

One of the additional aspects is that we don't just focus on the arrests, charges or convictions. We try to take a holistic approach to reducing victimization. In some cases, that could be recovery efforts to help people freeze or recover their money, as I mentioned.

Other efforts are to work with different service providers, so if we come across infrastructure, web domains or websites that we think are being used by fraudsters, we reach out to those service providers to say that we think fraudsters are using this. They can then take action to take those offline and what have you.

We also focus a lot, as I mentioned, on the prevention side. We really focus on a holistic approach to tackling and reducing that level of victimization.

Sure. Actually, I might address one of your questions. I wouldn't want to leave the committee with the impression that police aren't heavily focused on investigating fraudsters and cybercriminals. The mandate of the CAFC and the NC3 is very much about enabling law enforcement agencies in Canada to do those investigations, and the federal policing part of the RCMP as well. There are many investigations under way. I wanted to point out that we don't just do that; we have other activities.

In terms of information sharing with the CRTC and other entities, we operate under what our authorities are in terms of sharing. There is some information we can share with the CRTC and vice versa. Almost any agency would say it can improve information sharing across the board and that would make things better, but there are many opportunities where we share now.

When it comes to private sector entities, like telecommunications companies and financial institutions, we have to be governed by how police operate. If we need information from the police, we often have to get a production order or other type of measure.

There are many opportunities or times when a bank will come to us as a victim and say, “We think we've been victimized,” or, “Some of our clients have been victimized.” There is regular communication, and we have talked about some of the outreach we do when we come across stuff that we think is impacting their clients.

Generally, yes, there is always scope for improved information sharing.

Obviously more of a regulatory-type argument or position is needed whereby CRTC and the Government of Canada have more of the mandate in terms of how regulated the telcos are or whether additional regulations are needed. I could say that from the RCMP and law enforcement perspectives, we have good relationships with telcos. We try to work with them as much as possible within our current authorities. I really can't comment on whether the government should regulate this sector further. We focus on enforcing the Criminal Code provisions.

I would say it's a combination of both, or it's multi-faceted. In some cases, the RCMP has participated in large multinational operations in which we have participated globally in helping to take down infrastructure—computer hardware, computer servers and other things that cybercriminals or fraudsters need. There have also been pieces here in Canada.

Project by project it depends on the level that is taken. Then there's action also at the municipal and provincial levels as well. There are quite a few success stories in that area, where they've taken action at those levels.

The one low-hanging fruit I would ask for, particularly in October—cybersecurity awareness month—is that all Canadians really try to be more aware of what's happening out there, and that everybody who has an ability to get the message out, including the attentive folks in this room, be a proponent of prevention efforts. That's a core part of policing. If we can prevent a lot of this stuff up front, the level of victimization will be reduced. I'd say that's where everybody can play a role in really reducing the level of victimization out there.

I'll let Sergeant Larocque tell you about the vulnerability of seniors in Canada.

At the Canadian Anti-Fraud Centre, there is also a program that aims to help Canadian citizens.

Thank you, Mr. Lynam.

There is no doubt that seniors are a population that fraudsters always seem to target. They are often seen as easy prey.

If I look at our statistical data, the losses associated with seniors—in our case, it's those aged 60 and over—represent about 30% of the losses that are reported to us on an annual basis. That's quite significant.

At the Canadian Anti-Fraud Centre, we have a program in place that provides support for seniors. When detected by our analysts upon receipt of complaints, more vulnerable or at‑risk individuals are redirected to the CAFC's Senior Support Unit.

This is a fairly unique and fairly special program in that we have volunteer seniors who come in to help us do this part of the work. These people are often retired and come from industry, either from telecommunications, banking or other sectors. Retired teachers also support us. These people follow up calls with the elderly. In addition, they also help us make presentations to target groups, often to seniors' groups.

Our program is primarily focused in Ontario. We are currently aiming to expand this program from east to west to ensure a greater presence in Canada. Ontario is the province with the largest victim pool as it is the most populous. In that regard, our efforts are well directed there.

We are making other efforts to try to minimize the impact of fraud, whether through our social media awareness campaigns or the many media responses we receive.

For example, in the last year, just at the anti-fraud centre, we have received almost 400 media requests. The media community is very helpful in getting our message out and trying to reach as many vulnerable people as possible.

The most important thing, and often the most difficult, is to encourage victims to recognize that they are victims of fraud and to report their case to the authorities. Reporting fraud remains a key element. Our goal is to understand the schemes that target Canadians so that we can adjust our messages accordingly.

In fact, most fraudulent calls are done in English.

In a mass approach, fraudsters target as many people as possible.

That said, fraud also takes place in French, by telephone. I don't have the information on the extent of fraud and the amount of fraud reports where the initial interaction is in French. However, there are many fraudulent schemes that use the French language. This certainly demonstrates the adaptive model of fraudsters. They will adjust to their “clientele”, if I can put it that way, or their target audience, in order to maximize their profits.

I don't have any specific information on that. There is a scheme that we see that is still quite prevalent these days: it's called the “grandparent scam.”

Fraudsters pose as a close family member who is in trouble. They have either been arrested, had an accident or need emergency funds. You'll find that these different schemes always involve the same kind of dynamics. There is often an emergency situation. They want people to act quickly.

In the grandparent scam, this is often the case. The fraudster poses as a relative who needs help—it might be a grandchild—and is caught elsewhere, in another province or community. This amplifies the urgency factor and attempts to get the victim to cave in to the pressure and send funds to the fraudster.

In terms of resources, on our side, there has certainly been investment in the fight against cybercrime. Our director general can tell you more about the progress on the National Cybercrime Coordination Unit.

Chris, would you like to speak about that aspect?

Yes.

We've made some investments in the last few years to stand up the national cybercrime coordination unit to work alongside the CAFC. It's important because, as I mentioned, there is this cyber-enabled aspect, and it could actually be a combination of phone and online. A recent scam or attack that's often happening is you will click on something or you get attracted, and you give your phone number and other details. Then they call you back and are further able to entrap you in perhaps an investment scam, or they are able, even in real time, to convince you to give access to your system at a company. Then they have a foot in door.

As a result, there have been quite a few investments to stand up the NC3 in the RCMP and stand up additional cybercrime investigative teams to address this with a more holistic approach.

Thank you.

I don't have any specific numbers on SIM swapping. One thing that I've noticed at my centre is that the reporting is low on those instances, but it could also be directly related to identity fraud. If I link that to identity fraud, then obviously I have a significant increase over the past two or three years in terms of identity fraud reported.

On our end, we are under the impression that SIM swapping has decreased with some of the measures that have been put in place by the industry to prevent it. Right now, it's much harder to take the SIM card from your phone and swap it to a different phone without any additional layers of verification to be completed.

I'm just going to add one, and it applies to SIM swapping scams and others.

Folks have probably seen in a lot of their applications the broader application of multifactor authentication. When you go to log in to a bank or something, it's not just your password that gets you in there; you have to do something else, whether it's a text message with a code or what have you, and the application of that is very impactful. It is a great measure to reduce a fraudster's or a cybercriminal's ability to either get into your system or scam you.

As we're seeing that being rolled out further across all types of industry, it is a having a positive effect on reducing things.

It's because we don't track a specific category on SIM swapping. Typically when we get a report of that, it would be subcategorized under identity fraud or identity theft, because we track both.

Over the past two years, as I mentioned, we've seen a sharp increase in those areas, but the main reason that we saw that increase is that there have been many Canadians whose identities have been used to fraudulently obtain financial assistance. With that, we saw the rise in reportings of identity fraud.

As I mentioned with the SIM swapping itself, it's not something for which I have precise figures, so it's difficult for me to give you an exact number when I don't have that type of data.

Do you mean specific to SIM swapping investigations or...?

We'll go back and look.

I'll add that, as folks know, the RCMP is not the police of jurisdiction in all parts of Canada, so it might not give the full picture of what's happening at municipal or provincial levels where the RCMP isn't the police of jurisdiction. We'll see what we can find.

Yes, for Cybersecurity Awareness Month, there's actually a government-wide effort. In many respects, the cyber piece is led by the Canadian Centre for Cyber Security, another initiative that was part of the new national cybersecurity strategy that was released in 2018.

Part of that, as I mentioned, is that this month it's about not getting phished. It's all about phishing. We both have activities that we support. We help out the cyber centre with that under their “Get Cyber Safe” campaign.

As I mentioned in my remarks, we have Fraud Prevention Month in March, which is a big event. Last year, I think we had over 300,000 visits to the CAC website during that month, and we think that through social media we reached about 700,000 people. It does give you a sense that if you craft the—

Sure.

It is a good point. The majority of those are in the two official languages of Canada, but we recognize that there is a need to figure out how to do more outreach to new Canadians or folks who don't speak English or French. At different levels or, in some cases, the non-profit or NGO sector, there's quite a bit of work in this space, but there's definitely more to be done.

I'll start, and then I'll turn to Sergeant Larocque to speak a little more about the senior support program.

I agree. Part of where I think we are now in terms of a program for prevention and awareness is really trying to tailor the approach to different audiences to figure out what resonates with them and what they need in order to stay safe online or not become the victim of a telephone scam.

You're right that seniors may feel more comfortable getting pamphlets or booklets. We've done some work in the past in producing booklets and using other formats, such as in-person meetings or in-person gatherings to promote that. COVID threw a wrench into a lot of that work for a couple of years, but we're now back into that space.

I'll let Sergeant Larocque talk a bit more about the senior support program and outreach activities there.

In terms of outreach, we have proactive presentations that are done in person, to the extent that they can be done. Of course, as Mr. Lynam explained, COVID slowed down our efforts, but we still found ways to be able to reach out. We had virtual presentations when we could not be there in person. Our senior volunteers have now started to do in-person engagement.

Just last week or the week before, one of my communications officers gave a presentation to newcomers. It was great to be able to familiarize them with all of the fraudulent threats that can be out there and to help them navigate through them.

I recognize that prevention will continue to be key. We'll never do enough prevention. There's always more that we can do, and it's always going to remain a challenge to be able to reach as many people as possible.

One thing that we've reproduced at the centre is using the hashtag #Tell2. Basically, if I tell two people about a fraud story or a fraud threat and then they tell it to two others, it will amplify the messaging.

You mentioned senior victims of fraud, who can be more vulnerable and difficult to reach. That's why we ask their families to be able to help us reach out and have those conversations with them.

I'm not aware of a solution like that. I think we need more ideas about how we make it easier for people to report it when they're a victim. It is part of the mandate of the NC3 to work with the CAFC to do that.

For example, we are building and rolling out a new online system called the national cybercrime and fraud reporting system. We started it and went right back to first principles. We went and talked to senior citizens to say, “Hey, if you were to report online, what language would resonate with you? How could we make it easier?” We've redesigned an approach that allows that. We are rolling it out. It's currently in our beta approach. We get about 25 victims a day and we iterate it constantly to make it more user-friendly.

That's just one example. We have to both make it easier and explore different ways to help Canadians report. That information feeds into the ecosystem that can then help investigations or further prevention efforts.

Those are three good recommendations.

In terms of the first one, a lot of work has been done to get more data and information out there about fraud. Very shortly, we're going to be releasing a report on the annual activities of the CAFC, which will have a lot of additional data about fraud and what have you. That should be coming out in the next little while.

We're continually looking at information-sharing arrangements with other agencies and what have you. We talked earlier about working with the CRTC on that. I'd say there has been some progress in how we work with them, but there's more to be done.

I'll turn it over to Sergeant Larocque to talk about our open data approach at the CAFC.

Right now there have been recent developments on that front. We want to release more data and make it more accessible to the public, so we're currently working with one of our units at the RCMP to publish that type of data using the open government data concept. For example, some of the reports that we publish are for prevention, like the bulletin reports and things like that. They will be the types of reports that we will look at to be uploaded to that portal, as well as fraud-related data that's coming.

Even for the academic sector, for example, if they want to do research, the data will be a lot more accessible, because some trend data will become available, hopefully, in the near future.

Of course, data will be anonymized to protect victim and suspect information, but the data will still be sufficient to enable some trends to be seen. As Mr. Lynam mentioned, the annual report will also provide some good contextual data as well.

I think there would be great support for bringing the stakeholders together in different forms—whether it's a summit or some other type of activity—to talk about the impact and figure out solutions.

For example, there is a lot of activity already, with the government recently putting out a call for consultations for the renewal of the national cyber security strategy. That was an avenue both to solicit online input and meet with different stakeholders.

We talk about addressing cybercrime and fraud as being a team sport. It involves law enforcement, other government agencies and the private, non-public sector. I frequently go to conferences or events where that is the theme, and people are in those rooms committed to figuring out solutions to reduce victimization.

I think events or activities whereby we can bring those stakeholders together to say, “This is what I'm seeing and here are some solutions I think I can put on the table” would be beneficial.

It is.

To clarify that, to some extent it's being done in regions. It's not only us producing the fraud awareness piece. For example, we've worked with my colleagues in B.C. They have put posters and pamphlets into multiple languages to alert people of the danger of using a cryptocurrency bank machine, so information is being translated into multiple languages in some regions. It's on a very regional basis, but of course there are always areas where we could improve on that front.

If I could just quickly add—

Yes, part of it is the translation, but we also have to take a holistic view that culturally it might not be the translation. In the approach you take in trying to get the information out there and engaging new Canadians or indigenous communities and people like that, you've got to find the right approach in how you get that prevention message out, considering what resonates with them and how they want to hear and receive that information.

Recovering money from fraud will certainly always remain a challenge, as the fraudsters' model is very adaptive. Once a barrier or safeguard is established, the fraudster will certainly work hard to circumvent those measures. We see it every day: new frauds surface and old frauds are brought back to life. Prevention remains the key to curbing fraud. As you can see, the amounts recovered or returned to victims are far less than the losses reported.

Indeed, when money is transferred to a fraudster, the fraudster will move it around quite quickly. In the majority of situations, when a bank transfer is made, the funds disappear to other accounts within the same day. So the trail fades fairly quickly.

This is why people need to understand that when faced with a fraudulent request, they need to take a step back, to avoid transferring money to fraudsters. Time is on their side. Unfortunately, when the transfer is made, the hill to climb to recover the funds can be very steep.

Actually, that is a very good question. I'm going to let our director answer it, so he can also tell you about one of our sub-units related to cybercrime.

I would say we don't use hackers or cybercriminals, but interestingly, there are good lessons to be learned in terms of their activities and how they conduct their criminal activities or what have you.

By learning that, you can then make your systems harder or figure out how someone got into a system and then adopt the appropriate prevention approaches. There's actually an industry out there involving penetration testing, a service that companies offer. They'll try to get into a network, and in those cases, those penetration testers usually have to fall under a pretty tight regime.

We have to be a little careful, but we can learn lessons from how hackers operate. We learn them and try to incorporate them into how we protect and follow up.

The answer is that on average, losses for victims have increased. There are trends with fraudulent investments, mostly related to crypto sectors like bitcoins or any use of cryptocurrencies, whereby scammers—

Yes. It's because the losses are higher, on average, for victims. We have fewer victims reporting much greater losses. That can explain why—

No, sorry. I don't have a specific correlation to that.

I'm sorry?

As far as I'm concerned, STIR/SHAKEN is not fully implemented, so it's hard for me to tell if it's effectively working.

One thing we noticed with fraud that is initiated by telephone, though, is that scammers are using a lot of spoofing technologies to make you believe that the number that's calling you is actually local when it's not.

What it tells us at the Anti-Fraud Centre is that it's another example of scammers being very adaptive at finding ways to be able to still connect with their victims.

Good afternoon. My name is Randall Baran-Chong, co-founder of Canadian SIM-swap victims united.

I'd like to thank the committee for inviting me to reappear because, the last time I was here, the lockdown was announced that afternoon, so I hope not to be the harbinger of another pandemic.

To refresh your memories, number portability, which was introduced in 2007, was designed to enable customers to switch carriers easily while retaining their phone number, but it's something that has been exploited by fraudsters to transfer ownership of a phone number to themselves, often by manipulating the customer service representative of a telco.

Once in possession of your phone number, they take advantage of SMS and text-based authentication methods and click “forgot my password” to take access and control of the victim's accounts. If you think about it, that can be everything from your email to banking to cloud storage to crypto-wallets. Within our organization of over 20 victim advocates, we have people who have lost possession of all their data, had hundreds of thousands of dollars stolen, and, in my case, had a livelihood threatened with extortion.

What has happened since that last fortuitous meeting? As part of its November 2020 report, this committee—with a few different faces now—had two key recommendations, which I am paraphrasing. One was that a hearing be held and, in the absence of that, legislation.

The minister responded by saying that we entrust the CRTC and the wireless network portability council, which is composed of the telcos themselves, to handle it and do its job of self-enforcement, and that legislation is unnecessary, as unauthorized porting is covered as a crime.

I can speak for almost all victims in our group that our issue is not with criminal enforcement of this issue or with the perpetrators themselves; it's a real matter of distrust of the telcos and their regulator. To do something probably never done in this chamber before, I'm going to quote rapper Ice-T. Our attitude is more, “Don't hate the player, hate the game”.

What I mean by that is we know that criminals will always look for vulnerabilities to exploit, but it's the system, the telcos, that we entrust to protect our personal information that do the math of what it costs to prevent these frauds versus the near-zero cost of punishment they bear in the event of failure, and the regulator that exists to protect the public has failed us. In fact, both of them have been thus far dismissive, unsympathetic and ignorant of victims.

Since our last meeting, the following has been revealed: It's more prevalent than most people thought.

Ms. Gray alluded to this. An access to information request filed by a Globe Telecom reporter—who ended up being a victim of SIM-swap fraud, ironically—revealed 24,627 cases, to be exact, of unauthorized ports over the 10-month period of August 2019 to May 2020. That represented 1% of all ports.

Compare that to credit card fraud, where only 0.17% of transactions are fraudulent. At a peak, 2.5% of all ports were fraudulent. Its magnitude can be massive. Two Canadians, one in Montreal and one in Hamilton, have been charged with stealing between $40 million and $50 million in cryptocurrency and other credit card fraud in Canada and the United States.

Meanwhile, other victims in our groups are attempting to recoup millions in stolen funds due to telco customer service representatives surrendering personal information to fraudsters, enabling execution of the unauthorized port.

Finally, telcos have self-enforced in the meantime, and unsuccessfully in the beginning. After a number of failed attempts to address the problem, they introduced text notifications around the summer of 2020. This continues to fail. We know this because of victims who emerged afterward. There is a group of 14 that we are aware of who were attempting to recoup several million dollars back in 2021. Telcos have failed to prevent the exploitation of their representatives and they apply the practice inconsistently.

The fact remains this: Our digital identities and our phone numbers are only growing in criticality. Your SIM is the new SIN number—that is, until SMS-based two-factor authentication is replaced wholesale.

The second point is that the safety of our digital identity is as strong as the weakest link and, in this case, telco customer service representatives, CSRs, are the weakest link in the line of defence of our phone numbers.

Investigations have revealed phone conversations and chat logs of CSRs being socially engineered into providing information to fraudsters. This speaks to a lack of training, misaligned incentives to prioritize customer throughput over customer protection and a lack of punitive measures for the telcos themselves in the event of failure.

Finally, it remains that progress and practices around unauthorized porting remain opaque. The fact that we were unable to produce numbers and that they can only be produced through access to information requests speaks to that. There is no proactive disclosure of data on incidences or effectiveness of practices.

We need to have a hearing to get a more thorough understanding of the situation and response situation and allow for victims to be heard. Second, we need to codify rules that create consistency and durability in practices, including transparency in metrics. Third, we need to introduce enforcement for non-compliance, as I suggested back in 2020 when Australia introduced fines of up to 250,000 Australian dollars for non-compliance.

These three recommendations are all supported by over 12,500 Canadians who signed an OpenMedia petition to that effect.

Let's not wait another pandemic for things to happen on this. I welcome your questions, and a way to a cure.

Thank you.

Good afternoon, everyone.

I'd like to thank the committee members for offering me this opportunity to speak today.

My name is Kevin Cosgrove. I'm a network technician, educator and digital safety advocate in Windsor-Essex County in Ontario. I've been working in the IT field for almost three decades, but I've shifted to working more with actual people, through contacts, throughout our community. I've been working with law enforcement on digital fraud and educating the public in that area.

I teach classes each semester with seniors specifically. As we know, seniors are a major target for online, digital and phone fraud. In the stats I receive way down at my end of things, almost 25% of the victims of fraud are seniors. Each year we spend time with local police and educate seniors on how to avoid fraud.

I know this committee has certainly focused on things at the higher levels—dealing with the telcos and other things at international levels—but I'm the guy down in the trenches having the little old lady coming to me, telling me she got scammed, needing that type of help, and asking who she should call.

My biggest frustration in working at a local level and being an educator specifically focused on these matters is that the information is already available and out there. The RCMP, especially, has a phenomenal amount of information. When I speak to people in my classes, however, no one's heard of it. It's not that the RCMP is not doing a good job or is not doing any outreach, but when I speak to people, they're unaware.

As the committee is aware, the RCMP has a fabulous publication known as The Little Black Book of Scams. It's a wonderful publication, and they've had it for quite a few years. After doing this for almost 20 years, I only know one person who saw a physical copy of it. That's definitely an issue with some of the programs we have; some of the education and outreach we're getting from the RCMP isn't necessarily getting down to every level.

Of course, there's also sometimes a disconnect when the RCMP is not the leading authority in a jurisdiction and relies more on local police to deal with that. They're doing their own jobs. Basically, each little area we're running into is trying to reinvent the wheel instead of having a unified response to some of this stuff.

A big focus I have, when I'm teaching seniors and putting stuff out in the community, is making it accessible. When I got into doing this almost 20 years ago, I noticed that the focus on details, definitions and such things is unwieldy for the average person picking up a pamphlet and trying to understand it. I'm not disparaging some of the information out there, but an 84-year-old woman does not care what the differences are among phishing, smishing, spear phishing or whale phishing. They don't care about those types of details. They need information to keep themselves safe without reading a PSA, a public service announcement pamphlet that goes in the wrong direction for educating the public.

I'm definitely ready for any questions you may have. I think I had a few questions for the RCMP when I was sitting back there. However, that's not my place.

Thank you very much for the opportunity.

There was some mention earlier about STIR/SHAKEN and what kind of progress has been made there. Even though I'm a civilian, I speak with criminal intelligence analysts at the CAFC and the financial crimes unit in Windsor. According to them, the types of calls that are specifically targeted by STIR/SHAKEN have diminished. People are no longer reporting receiving calls that say “Canada Revenue” on their phone. They may see that exact same phone call show up as a long-distance number, but in terms of a spoof call being displayed as law enforcement or Canada Revenue, that has definitely decreased, according to the information I've been given.

Greetings. Thank you very much, Mr. Chair and honourable members of the committee.

My name is John Mecher—that rhymes with teacher—and I was with the RCMP for over 32 years. During that time, I spent approximately 10 years investigating fraud, mostly in the greater Toronto area. I've investigated various frauds, including the infamous CRA scam. After I retired in 2019, I continued my work in a volunteer capacity to create fraud awareness.

Although I'm open to discussing many aspects of fraud, including organizational and governmental missed opportunities, I've chosen to focus on a foundational component of fraud prevention. Specifically, I will speak to the difference between “fraud awareness” and what I call “meaningful fraud awareness”.

First, it's always good to reiterate the losses, which continue to escalate year after year and are currently at an all-time high. As per the Canadian Anti-Fraud Centre, last year those losses rang in at over $383 million. Worse yet, that amount, as per the Canadian Anti-Fraud Centre, only represents 5% of the actual losses.

What we're looking at in Canada is that fraud has become a multi-billion-dollar enterprise for fraudsters all around the world. Those same fraudsters tend to prey on people I describe as traditional fraud victims, such as seniors, newcomers, refugees and the intellectually challenged. Although I can offer several egregious examples of fraudsters targeting members of those communities, I must remind everyone that just about anyone, given the right set of circumstances, can fall for a scam.

It's also necessary to remember that the victim impact often goes beyond simply a financial hit. In some cases, the victim's life savings are wiped out, and that's often never recovered. Sadly, victims also face layers of emotional impacts, ranging from embarrassment to depression, and in extreme cases, unfortunately, many victims end up taking their own lives.

Specific to phone fraud, even though these scams have been around for decades, we have yet to implement measures that have been able to reduce their ease of access to our phone systems. Statistics from the Canadian Anti-Fraud Centre reinforce that point, as the phone has been and continues to be the preferred method of solicitation for fraud.

Furthermore, with a view to the CRA scam that arrived in Canada in 2014, along with subsequent variants, I remain unconvinced that there is any sense of urgency in creating a barrier to the exploitation of our phone systems. To that end, we also need to be aware that we can't rely on enforcement—albeit necessary—or the courts as a meaningful deterrent for fraudsters. Unfortunately, we're not left with many options to protect our fraud-vulnerable communities.

All that said, fraud awareness is the solution, and that needs to be employed. However, it needs to be employed in a meaningful, relentless and focused manner, but that is something that does not always happen. If the status quo approach to fraud awareness worked, we would not be seeing losses growing on a yearly basis. At the same time, although many people in Canada do great work on this front, we need to do much more, and we need to do it now.

Although fraud awareness can involve websites and social media, if potential victims are unaware of those platforms, it's pointless to believe that a series of tweets or online posts can create meaningful fraud awareness. From my perspective, the golden rule of meaningful fraud awareness must be driven by our ability to get the message to those who need to hear it the most. In failing to do that, we will continue to see further victimization.

Lastly, I'm willing to work with any parliamentarian in a non-partisan manner, just as I did with Mr. Masse on the Western Union file, which was a once-in-a-lifetime opportunity for victims of fraud to recoup losses.

Thank you.

On my level, and just from the education side of things, I do look into the CAFC and the RCMP and the resources that they have, and the resources are excellent. I sometimes rewrite things for my own classes or I just use their own materials. There's no need to reinvent the wheel with some of this stuff. In just talking to people, many of them don't know it's there.

I can't speak at all to why there's not enough information given out, or a split in jurisdictions where local law enforcement or the RCMP are not taking a local interest. I'm not sure of the exact reason. The material is there. On your side, and the committee's side, of course, you have an interest in the actual statistics and the numbers. The average person is not interested in accessing that information.

In terms of fraud prevention, awareness, and everything else, I teach a special program with our local university. It's for people 55 and older. I've been doing it every semester for eight years now, and there's always a class that signs up. I also do talks with our regular police. The interest is definitely there. There's no question about that. I have people coming to me, and not just me, trying to chase people down and put pamphlets into their hands, but the information is already available. People can look this stuff up online. They can get pamphlets. They can visit their local police. There's an unlimited number of ways people can be educated to prevent this stuff, but somehow there's a disconnect. That's why I've been focusing my own work, even working with MP Brian Masse, on trying to educate the public specifically.

It's been going well. I'm hoping that after a few years there will be a big hole in a map where reporting and fraud happens. That might be a little optimistic, but getting the information, as far as I'm concerned, does not require SHAKEN/STIRRED. It does not require enforcement. It doesn't require U.S. law enforcement co-operation. If every person whom I've reached so far knows what a scam is, whether it's through SMS, text, online, or a phone call, they can identify the fraud in the first place. None of the other approaches is effective.

That actually speaks largely to what I was talking about, and I couldn't agree with him more. Having the information isn't the issue; getting that information to those who need it the most is the issue. That speaks to having a proper communications environment.

I want to reiterate that there are many people doing good work. A case in point is what Mr. Cosgrove is doing. From a national perspective, it's my humble position the RCMP, and by extension the federal government, doesn't see fraud and fraud awareness as a priority.

To be fair, during my time within fraud, I've never seen any federal government actually pursuing fraud or fraud awareness as a priority, so this is not something unique to just now. The only thing that's more pressing now is we're seeing losses completely off the charts compared to what we were seeing 10 years ago.

I believe my third recommendation was around what the Australian communications commission did. What it did was introduce a process, which was very similar to what we proposed back in 2020, that essentially there had to be an authorization by the customer to execute the port. If the company did not comply with that, for every incidence of the company not doing that, there would be a fine of up to $250,000. One of the Australian carriers has paid over $200,000 for 15 instances of non-compliance. They didn't go for the full max for each instance, but certainly it happens, and we've seen the reductions because of that policy, so there is that deterrent element.

I guess it's because it's equally personal, since I'm a victim myself. Since then, I have been able to hear the recording from the police of the customer service representative who impersonated a Rogers employee, called the Rogers store, and essentially got my information. It was surrendered very easily. The scammer essentially impersonated this employee and was able to provide a customer number and all the other stuff. I think it speaks to a broader problem within the telcos and the ability to socially engineer and exploit these folks.

I think part of the problem is that if you think of an incentive, I can tell you an outcome. The problem is that these customer service reps—and I have sympathy for them—are not very highly paid and they are not very highly trained. A lot of their metrics are based upon how many customers they can get through during their shifts. What's the satisfaction of that? Their incentives are more to.... If someone wants to try to port their number, let them do it. They don't want to put up resistance. They don't want to challenge whether this is the right person or things like that. If the incentives continue to essentially enable them to focus more on throughput, business outcomes and things like that, versus protecting customers' privacy and information, then I think this problem will persist.

The second thing in terms of awareness is that there is, of course, the broader awareness of good hygiene. Let's move away from SMS-based 2FA. This is something that the Federal Communications Commission in the United States has been promoting, as they consider SMS-based 2FA and SIM swapping a national security threat, but there's also the corporate awareness. For example, when Rogers introduced its text notification form in its first failed attempt at 2FA, customers thought the text notifications were frauds. They thought they were spam as well, but it's because of Rogers' practices being so obscure and their not sharing these practices that customers weren't aware that this was trying to protect them.

There are many different opportunities, and a lot of them emanate from the telcos themselves.

Yes. I'm more critical of SMS-based two-factor authentication because the vulnerability is that once the number is stolen from you, the SMS goes to the fraudster. However, there are other things out there like app-based two-factor authentication. You may have heard of Google Authenticator, which is very commonly used.

The problem is that there was a Princeton study of 140 of the most popular websites. With regard to many of these websites, the first factor of authentication they promote is an SMS-based two-factor authentication. We need to move away from that, especially for these critical industries.

I can tell you that some of these banks within Canada still use SMS-based 2FA, and that's their only form of two-factor authentication. We need to really look at moving away from this if that vulnerability and that distrust of telcos persists.

Oh, I'm sure they collect it, but they just don't want to share it. The only way this person—a Globe and Mail telco reporter, ironically—was able to access it was to file an access to information request to get that information.

PIAC, the Public Interest Advocacy Centre, has requested it multiple times, and the CRTC has written letters saying that no, this is not in the public interest or that this would compromise, potentially, the security of individuals and security in the telcos.

It's an absurd argument, in my opinion, for defending the telcos.

Thank you.

Yes, I was. I have communicated with them over the years, even just in doing my local programs and education. They have reached out to me.

As far as further support or being able to take basic information that we've had available and working more hand in hand goes, no, it's not really something that I've had experience of, whether that's because we're down in Windsor and just off in the corner, or because we have our local police to deal with it. That part I can't speak to.

There are times in doing the things that I do—working with our local police or doing education and working with our university—when I definitely do feel like I'm operating a grassroots program that shouldn't be grassroots after 10 years. More support, regardless of the direction, would definitely be a benefit.

I have looked at their own materials. I certainly have nothing to disparage about that. It is good and sufficient material. It's very elaborate, but whether or not it's getting to everybody is the question we're probably looking to answer here today.

It's to make the information more accessible. As I said, having higher-level programs or information is not the information that people need. It's very detailed. It's sending potential fraud victims a dictionary and just hoping that they read the whole thing instead of boiling it down to just what the fraud actually is all about and how to avoid it.

For most fraud, it doesn't really matter if it's through a text, a phone call or an email: These are the same types of scams that they're using. You can get an email about cryptocurrency or have a phone call about investing in cryptocurrency. The method doesn't matter.

From what I've seen, there is a lot of focus on information that spends too much time on the methods, making some of the information seem like it's over people's heads. I focus on dialing things down and keeping things straightforward. There's a publication that our local businesses, the Windsor police and a few other private donors actually funded for publication. That was put out through the community, and the reception from it was phenomenal. It's not taking the high-level information and seeing how much we can give to the people or how smart I can make myself seem; it's about how we can take that information and present it to people so that they're going to find it useful.

Thank you.

When our group saw the recommendations from this report, we were actually quite appreciative, because I think they essentially reflected what we had asked for in terms of supporting a hearing. The response, I believe, from the ministry about the hearing was that they didn't feel it was appropriate to have a hearing because they didn't want to solicit views from the public on how to protect themselves—which I thought was somewhat silly, because where the telcos have gotten to now is based on a recommendation we made back in 2020. However, because they have dragged their heels or have not listened to us, more victims have accumulated in that time.

The second thing is that they don't understand that a hearing is not just to, let's say, solicit recommendations or things like that. Many of these victims do not feel heard. You may recall that you asked me back in 2020 how Rogers had responded to my fraud case. They offered me $100. Their customer service representative gave away my information, which took away all of my data. The scammer threatened to destroy my life, to destroy my career, unless I paid $25,000. That's what they asked from me, and Rogers wanted to give me $100 for that. That was the apology.

Other folks who have lost hundreds of thousands of dollars are taking them to court instead. They're not co-operating. It takes these criminal investigations to reveal the kind of decay that's within the practices of the telco. That's why we continue to believe there needs to be a hearing to give that transparency in terms of the numbers. What are the practices? What are the ways and different patterns in how victimization occurs?

The third thing is that we want to codify it. The FCC also believes there is no consistency and durability in these practices. They can choose to not do this or just to say that it was a slip-up. The fourth thing is that we need that enforcement there, which we believe the Australian example shows is critical to ensuring there is compliance and things like that.

Those are the three or four things we stick to, and I believe the committee was a part of this the last time.

Yes, we're highly supportive of the idea. It doesn't matter really what form it takes. Again, it's all about being able to be heard. We've learned a lot from the different victim stories, because our group essentially is very grassroots. I identify them by scanning through articles and reaching out to them, or they come to us and they tell us the circumstances of these issues.

A public-based approach can help people understand how the fraud itself happens, or those points of confusion that enable the fraud—for example, when they get a text message and they don't know whether it is a fraud or not.

The second thing is that if you think about portability, it takes two to tango. There are two telcos involved in it, because it's typically going from one carrier to the winning carrier, so there needs to be a kind of consistent practice and standard across the industry itself.

Third, I think there needs to be a much deeper layer at the business process level when we're talking about these vulnerabilities within the organizations. This isn't just in Canada. This is in the United States and in other countries where we've seen SIM swaps occur, because insiders or the ability to socially engineer people within the organization essentially enables an open season on people's information. I agree with you on that suggestion.

In my advocacy, where I've hit a dead end is that basically I'm stuck at the local level. We're dealing with a border city in a town with a university and a college. We have a very high multicultural population, and I can't even get funding for standard translations. Living in Windsor and with French being our second official language, I don't even have a French copy at the moment, and this is something that I've been involved with for years. It's not something I've just started. This is a problem that I've been trying to crack, and thankfully, with MP Brian Masse inviting me for this committee, my appearance here might even provide some opportunities to get this out.

Anything that I've done over the years is all completely non-profit. It's all volunteer time. I'm not paid for any appearances, I'm not paid for any of the booklets or publications that are put out. This is solely just non-profit, and even at that level, it's definitely difficult getting any level of support.

Okay.

Some of the frustrations I had when I was in the RCMP have actually carried over, and I'm not surprised. One of the things is a passion project I have to try to create awareness. I've never had any high sense that I myself would be able to have a big impact. It's a term that Kevin used several times, “grassroots”, but I kept pushing, pushing, pushing, and most recently came our experience with the Western Union matter. The Federal Trade Commission of the United States was the genesis behind that. They basically forced Western Union to hand over in excess of half a billion dollars through a deferred prosecution process, and those funds went to victims of fraud related to Western Union around the world, which is an amazing gift for victims of fraud.

However, the big problem was with getting that information to victims in Canada. The U.S. Federal Trade Commission kept repeating that message, but it did not resonate in Canada.

In March, I start repeating their message the best I could on my limited social media platform, and then, having no luck, I finally got frustrated and actually wrote the commissioner of the RCMP, both on June 1 and June 7, with a view that at that point the end date for the Western Union offer was at the end of June. It was going to die at the end of June. Unfortunately, my plea went nowhere.

I explained who I was, the experience I had with victims, my engagement with fraud and so on, but there was no response until close, I believe, to the end of June, at which point it was almost moot. At that point they basically posted it on the Canadian Anti-Fraud Centre website. The perverse thing at that time was that it was posted, I think, on June 26, and at that point it was believed that the offer was going to expire for intake at the end of June. It was pointless doing that, because any victim would need at least a week or more to get all their documentation together.

However, two days later the Federal Trade Commission announced that there was going to be an extension to the end of August. The only meaningful access I've had to advance this cause came when I engaged Mr. Masse, and then he pushed it forward. He has a much larger platform than I'll ever have, so I'm very appreciative of that.

What it speaks to, and I try to be as respectful as I can when I say this, is that at the highest level, the RCMP does not appreciate fraud or appreciate the impact fraud has on its victims. That is a current frustration I have now, and it was also a frustration I had when I was actually a member of the RCMP investigating fraud.

No, I have not.

Well, I've consulted several lawyers. It's interesting, because unlike others who've had significant financial losses.... In the case of credit card fraud, let's say, the credit card company or the banks end up kind of compensating folks for that. Other folks who have crypto-thefts are still trying to recover their losses, and many of the people within our groups are trying to recoup between hundreds of thousands to millions of dollars. However, my theft was very insignificant financially. They had essentially taken possession of all of my information and tried to extort me with it. Extortion and the kind of psychological distress of thinking your life is going to be over is something that's very hard to quantify. Therefore, it was just not worth pursuing.

This action was my form of getting my compensation.

That's in the case of a stolen phone. There's a bit of balance here, right? The CRTC wants to allow you to easily port your number. There is actually a rule that they have to execute it within two and a half hours. My bigger recommendation, which doesn't have to apply to just a stolen phone, is that when you have text notification that your number has been requested to be ported, you have to proactively consent by texting back “yes”—that yes, you are trying to execute that port.

Take what happened to me, for example. If I'd gotten that text message at 11 o'clock on a Tuesday, would I have executed a port? Absolutely not. That would never have gone through, and I wouldn't be in front of you today, but that process did not exist at the time.

Afterwards, the telcos introduced a text and didn't require the proactive notification. This was the problem, because people thought it was fraudulent text, ignored it, and executed the port anyway. It wasn't until much later that they did.... According to the Rogers website right now, they say that they have introduced this practice that I introduced back in 2020 before this committee. They're saying that it applies now, but again, there are inconsistent practices and things like that.

This proactive notification should help prevent a significant number of these scams.

Absolutely. You kind of wonder whose corner they're in.

We've been consulting with PIAC quite a bit. We've been trying to get this data, for example. You'd think macro-level data is not too big of an ask or too much of a threat to security. We weren't even asking at the telco level what the data was in terms of the incidence of SIM swaps. The CRTC rejected that. The CRTC said that the hearing does not need to occur because the public has no real contribution to helping solve this problem.

Therefore, the question is this: Is the regulator trying to defend the telcos from being embarrassed or from further legal action? I know that a lot of the times in the early days, when people were trying to do lawsuits around this, they thought they were one-off incidences. When we heard it was 25,000 cases within that 10-month period, we were shocked. We thought it was in the few thousands or so. If you think about it, the prevalence and magnitude of this crime is massive. We think they're protecting them because this could be a big, big fraud and completely embarrassing.

I really can't speak to privacy matters. That's really not my niche.

I can say that previously, banks in particular have been periodically fully engaged on the fraud-fighting front. At the same time, some banks have gone in the opposite direction and, through willful blindness or what have you, have actually assisted fraudsters. That usually catches up with them.

Honestly, I don't know. I might give you a guess, but I don't want to hedge an answer on a guess.

I would add that there's a company called EnStream, which is a joint venture of the major telcos. One of the services they offer is identity verification to prevent things like SIM swap fraud. This is a product that they sell to the banks.

I've spoken to some folks on the cybersecurity teams in the banks, and they know SIM swap fraud well, because banks are the ones who ultimately pay for it. They're the ones who are compensating for the credit card losses, other thefts and things like that. Banks are being sold a product by the telcos whereby the telcos can help identify frauds. There's this kind of perverse organization that exists.

Some other countries have done some of the stuff that you're alluding to. For example, they will block bank transactions after a port. There will be a bit of a freezing window. They know that there's a high risk of things like that.

There are connections between bank, telcos, privacy and security in the enabling of these frauds.

I'm admittedly not familiar with Bill C-27.

I'm sorry. I didn't hear your question.

No, I haven't.

I had a technical issue.

Anything is worth a try. I don't think that particular approach is entirely unique. It might be beneficial. The nice thing about having it beyond law enforcement, I suspect, is that it would be a whole lot easier to be transparent.

Yes, absolutely. There is a tendency from the stuff that I see myself, because I'm speaking from my own experience, to over-complicate things, overpresent them and overformalize some of this information. If we're looking at seniors as being a major target of just about any type of fraud, making big formal documents and online bills and everything doesn't make them aware of this stuff.

We need to get down into the trenches and resolve this stuff more in person or with easier information.