Jun 06 2007
By Kurt Seifried (kurt@seifried.org)
So first a little background: I got married about 6 months ago.
So my wife gets a phone call to her cell phone from someone at the Canada Revenue Agency (”CRA,” the canadian version of the IRS) looking for “Mr. Kurt Smith” (Smith being her maiden name for the purposes of this story). The caller wants to confirm my mailing address and some other details. Now this doesn’t make a whole lot of sense since my name is normally “Kurt Seifried” (it’s what all my underwear says) and my accountant usually acts as my interface to the CRA.
Sound familiar? Sort of like.. you know, a phishing email?
So my wife won’t give them the information (that’s my girl!) and takes a message. Being the type of person I am I plug the phone number they left to call into Google. No result. That’s not normal, Google usually knows about any phone number of interest (you know, like anything that has even been listed in a web page under “contact us”). But I’m game; let’s see how far down the rabbit hole this goes.
I call the number, and actually get a human being right away, this raises some red flags, I mean really, who gives out their direct line when they work for one of the largest most bureaucratic institutions known to man kind? She confirms I am Mr. Kurt Smith (sort of, I give her my real last name) and promptly asks for my Social Insurance Number (again our version of the SIN). It’s obvious she’s used to getting her way, because when I say “no” she almost launches into the standard “I’m just looking up your account details, please wait a moment” before realizing that I said “no” to her.
In the spirit of playing along with this I ask her to prove she works for the Canada Revenue Agency, although how on earth you would prove that over the phone is beyond me. Turns out she’s stumped as well. So I gently suggest that she tell me what department to contact and I’ll find the phone number through a trusted source (like the phone book) and call them back at the main number. She seems ok with this and reads off a 1-800 number and says she has put a note on my file about this.
The 1-800 number she gives me is legitimate and listed on the CRA web site under “contact us” which says to me I either got a really ballsy scam artists, or the CRA’s procedures for contacting people and getting information from them really sucks. So right now we have either a case of a pretty good phishing attempt, or a severely dysfunctional government agency. Any guesses as to which one it is?
Yup, as it turns out CRA regularly contacts people via phone and asks them for their Name, Social Security Number, current address, birth date and other particulars in order to confirm them. In other words they are training people to be identity theft victims. Good job.
The Privacy Commissioner was contacted, however it’s late and they won’t reply until later today, at which time (assuming they reply) this article will be updated.
Related posts:
Posted by Kurt.Seifried on Wednesday, June 6th, 2007, at 12:18 am, and filed under Articles.
Follow any responses to this entry with the RSS 2.0 feed.
You can post a comment, or trackback from your site.
Beth | 09-Nov-07 at 7:13 am | Permalink
Did you ever hear back from CRA regarding their practice of contacting people over the phone to request/confirm SIN and other details?