When the Canadian Government set up the CERB program in the Spring of 2020, speed was its main focus. Canadians were losing their jobs to government-mandated lockdowns, and they needed to put food on the table. The Government opted for a very simple form that took seconds to fill out, hosted on the Canada Revenue Agency’s (CRA) website.
Throughout 2020 we reported on how this simple CERB process could be abused by malicious actors. At first, CERB fraud was not all that interesting for fraudsters. They needed to gain access to CRA accounts one by one, with a potential payout of only $2,000. As the months passed by, and CERB got extended, fraud value increased and became a significant issue; in the last days of the program, fraudsters could claim up to $14,000 per victim.
There is no denying the level of excitement that fraudsters expressed towards the CERB program. In the message below, a fraudster boasts on Telegram that even grandmothers (grannies) are taking advantage of (hitting) the CERB program. The fraudster also claims that fraud is so rampant that only those who made over $100,000 will probably be prosecuted. And even then…
This perception of impunity is echoed in many other messages on Telegram.
Some shared their disappointment in not profiting from CERB fraud. In the message below, the fraudster whines that he is one of the few that did not earn money (cash out) on this scheme.
While these messages clearly point towards endemic fraud levels in the CERB program, how much fraud has really taken place? The California case provides a first and worrying glimpse into fraudulent activity levels we could expect with CERB. AP News reports:
California Labor Secretary Julie Su told reporters in a conference call Monday that of the $114 billion the state has paid in unemployment claims, about 10% — or $11.4 billion — have been confirmed as fraudulent. Nearly $20 billion more — another 17% — is considered suspicious, and a large part of that could be found to be fraud, she said.
Overall, it appears that up to 27% of payments in California’s government aid program could be tied to fraud. If the same level of fraud is applied to Canada’s $82 billion CERB program, this could mean that between $8 billion and $22 billion were paid out in fraudulent claims.
A leverage effect
Fortunately for those in need, the CERB program was designed to provide funding to everyone who applied. Fraudulent claims did not take money away from anyone; they only added to the costs of the program. In that sense, no Canadian was left behind.
However, putting millions of dollars – if not billions – of tax money in fraudsters’ pockets is worrying. Canadians work hard for their money, and have shown great solidarity to those in need. If this tax money is wasted on fraudulent claims, support for future programs could decrease and jeopardize the health and security of those who need help.
Fraudsters could use the CERB payments received to bolster their criminal infrastructure, tools and teams. With so much money being handed to them, fraudsters could afford to purchase more sophisticated malware, hire teams of hackers to target hardened organizations, and gain access to proxies and other online resources. These could raise the threat profile of Canadian fraudsters and make them even more capable. This is perhaps the most significant impact of CERB fraud, and one we will need to include in our threat forecasts for the Canadian market.
Without a doubt, the Government had to act fast when it launched the CERB program. Efficiency almost always comes with a security cost, and the CERB program was no different. With the CRA sending out tax forms for CERB payments, in the coming weeks we may be able to evaluate how the situation in Canada compares to that of the U.S. and California.