CRA Duped as Hackers Invent ‘Tomato Street’ to Claim Millions in Refunds
The Canada Revenue Agency (CRA) paid over $6 million in fraudulent tax refunds this year after hackers apparently used stolen credentials from H&R Block Canada.
Fraudsters accessed personal CRA accounts, changed direct deposit details, and filed fake returns to steal public funds—without the public ever being told, reports CBC News.
The scheme was uncovered by The Fifth Estate and Radio-Canada, revealing how imposters manipulated the CRA system during peak tax season. Hackers managed to file returns with fake addresses—one even listed a non-existent “Tomato Street” (not a joke)—but with legitimate postal codes to bypass detection. This allowed the scammers to funnel tax refunds into accounts they controlled.
H&R Block denied that the breach originated from their systems, stating that an internal investigation found no compromise in their software or security. Meanwhile, the CRA has refused to explain how the credentials were stolen or when it first learned about the attack.
Sources tell CBC News that the CRA only caught the fraud after noticing unusual activity on the dark web, where stolen data was being offered for sale. By the time the scam was stopped, hackers had collected millions, and auditors had flagged several unrelated refunds going to the same bank account.
The CRA was tricked into paying out over $6 million in bogus refunds in 2024, before it figured out something was wrong and stopped an extra $14 million from being sent out to fraudsters, according to CRA auditors.
Update: the CBSA was responsible for ArriveCan, not the CRA as previously stated in error.
Despite the loss, neither the CRA nor Revenue Minister Marie-Claude Bibeau disclosed the breach to the public. Bibeau declined interview requests, and her office did not comment on when she was briefed about the issue. Critics argue that transparency was sacrificed to avoid public scrutiny.
The CRA has reported a surge in privacy breaches since the COVID-19 pandemic, with over 31,000 incidents affecting 62,000 taxpayers since 2020. Officials said the increase is due to more aggressive cyberthreats, but many breaches were only reported retroactively, leaving Parliament and the public uninformed for years.
The breach involving H&R Block is just one example of the CRA’s growing struggle to keep up with fraud. Insiders say the agency’s “pay and chase” approach—issuing refunds quickly and catching mistakes later—has left the system wide open to exploitation. As of 2024, there are 59,155 employees within the CRA, out of a total of 367,772 federal government employees.

Mr. Austin Blake: the CRA was not responsible for implementing the CanArrive app.
The agency you were looking for is the CBSA.
A bit of critical thinking would have alerted you that the taxation agency is not responsible for entry to the country.
Clearly the people who work here lack this basic journalist skill.
The article linked mentions nothing about the CRA, because it was the CBSA.
A little research goes a long way. Maybe journalists should try it some time or hire someone who knows how to do a basic web search before spreading false information.
This website is becoming a cesspool of misinformation and lazy journalism. Very sad.