Technology, Media and Telecommunications Bulletin
"This call is from CRA, Canada Revenue Agency. This is Officer John Parker and this message is intended for you and is extremely time sensitive and very urgent...
... Don't disregard this message and do return the call. If you don't return the call the only thing I can do is wish you very good luck. Thank you and have a great day."
It has all the hallmarks of a scam. The opening salvo of representing an important government agency, the stress of urgency and the ominous threat nicely accented by the friendly close. A quick scan of message boards and news article comments yields many examples of Canadians who knew better than to trust this mysterious CRA officer.
And yet, thousands of Canadians have been victimized by variations on this theme in the last few years alone.
Apparently Officer John Parker gets around.
What makes this fraud so pernicious is the increasing use of "Caller ID Spoofing," a process in which the scammer disguises a caller ID, often times mimicking the name of a real government body and an actual phone number for that entity.
Unassuming and well-meaning Canadians are much more likely to trust a caller and provide vital personal information when their caller ID reads Service Canada, a major police service or the name of a provincial court, along with an accurate phone number for that respective body. No wonder we've witnessed a glut of media reports highlighting the increasing number of spoofing scam victims in recent months.
Sometimes the scripts used by the callers and other elements of the story seem so far-fetched as to be comical, but this fraudulent activity is no laughing matter. One study shows that nearly 5,000 individuals have been defrauded of close to $17 million through this scam since 2014, and this may only be the tip of the iceberg. According to the Competition Bureau and the Canadian Anti-Fraud Centre (CAFC), only five per cent of mass marketing fraud is ever reported to authorities1 , meaning this activity's cost to society could be orders of magnitude greater than presently thought.
In Canada, the CRTC regulates unsolicited telecommunications through its Unsolicited Telecommunications Rules (UTRs), which it established under section 41 of the Telecommunications Act in 2007.2 But while the UTRs give the CRTC a method of penalizing nuisance telemarketers, they do little to cut down on blatantly illegitimate calls made by fraudsters.
In 2015, the CRTC sought comments on how it could empower Canadians to defend against caller-ID spoofing, a practice it called "increasingly complicated for agencies worldwide" and one that greatly "accentuate[s] the harm caused by unsolicited... calls."3
In late 2016 and as a result of the consultation, the CRTC directed TSPs (telephony service providers or carriers) providing retail voice services to inform them within 180 days of how they plan to offer subscribers a "base level of protection" through opt-in filtering services. It also tasked its Interconnection Steering Committee (CISC) to provide a report on how to best block "blatantly illegitimate calls at the network level." Its definition of "blatantly illegitimate calls" included calls that:
- match the telephone number of the person being called;
- are "spoofed" with a number that is local to the person being called, in the case of an incoming long-distance call; or
- do not conform to the North American Numbering Plan (NANP) (i.e. are non-dialable telephone numbers [e.g. 000-000-0000])4
The CISC produced a Consensus Report, calling for universal blocking of blatantly illegitimate calls at the network level.5 The CRTC agreed with the report's recommendations and, in a December 2018 regulatory policy, mandated universal network-level call blocking measures within 12 months (by Dec. 19, 2019).6 Pursuant to sections 24 and 24.1 of the Act, the CRTC made it a condition of offering voice services that carriers ensure that network-level call blocking is in place where the caller ID:
- exceeds 15 digits, or
- is malformed and does not conform to a dialable number for calls initiated under the NANP.
It also gave carriers the option to offer customers call-filtering services in line with industry best practices as an alternative means of satisfying this condition of service.7
The Partial Fix
Now that the Dec. 19, 2019 implementation deadline has come and gone, all TSPs now provide the CRTC-mandated services to prevent blatantly illegitimate calls. Of Canada's big three telecommunications providers, Rogers and Bell have chosen to implement network-level universal blocking while Telus opted for the call-filtering alternative.
Meanwhile, the CRTC also maintains a list of features each service provider offers for blocking or filtering unwanted calls.
Spotting Spoofing - The Next Protection for Consumers
Despite these efforts, recent months have been punctuated by a sharp rise in complaints and media reports of spoofed calls and swindled Canadians. In response. FCC Chairman Ajit Pai and CRTC Chair Ian Scott issued a joint statement8 in early December, announcing the first official cross-border call using a new, industry-developed technology standard called STIR/SHAKEN.
Awful acronyms aside, STIR (Secure Telephony Identity Revisited) and SHAKEN (Secure Handling of Asserted information using toKENs) offer an effective solution to cut down on fraud and malicious robocalls through an authentication and verification process by originating and terminating service providers. The end result of STIR/SHAKEN is that the final party receiving the call will be provided with a warning indicator when there is a risk that the number or name showing up on caller ID may be an illegitimate spoofing effort. Indeed, one of the strengths of this system is that it will not inhibit or prevent robocalls that do not alter the caller ID, such as those made by a charities and legitimate commercial enterprises.
So relief is on the way. A CRTC news release accompanying the Joint Statement identifies Sept. 30, 2020 as the date by which it expects service providers to implement this new framework.9
In the meantime, we can all take heart in knowing that the RCMP is just as annoyed by the CRA scam as everybody else.
2 Which it initially established in Telecom Decision CRTC 2007-48.
3 Compliance and Enforcement Notice of Consultation CRTC 2015-333 at para 8.
4 Compliance and Enforcement and Telecom Regulatory Policy CRTC 2016-442.
5 CRTC Interconnection Steering Committee "Consensus Report: Universal Blocking at the Network Level of Blatantly Illegitimate Calls," June 23, 2017.
6 Compliance and Enforcement and Telecom Regulatory Policy CRTC 2018-484.
7 Compliance and Enforcement and Telecom Regulatory Policy CRTC 2018-484, para 44.
8 Canadian Radio-television and Telecommunications Commission, "Joint Statement by Ian Scott, Chairperson and CEO of the CRTC, and Ajit Pai, Chairman of the FCC, on the First Official Cross-Border Call Using STIR/SHAKEN Caller ID Authentication Framework". December 9, 2019.
9 Canadian Radio-television and Telecommunications Commission, News Release, "CRTC steps up efforts to combat spoofed calls". December 9, 2019.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.