Enforcing
Canada’s Anti-Spam
Legislation (CASL)

In today’s digital society, no one is immune to phishing attacks. Canadians need to stay vigilant as threat actors develop new tools and techniques to take advantage while at the same time try to evade detection from law enforcement.

Phishing attempts are often generic mass messages, but the message appears to be legitimate and from a trusted source (such as from a bank or courier company).

Large-scale Bank Phishing Investigation

In January 2023, the CRTC’s Compliance and Enforcement team executed warrants to simultaneously search four dwellings in the Greater Montreal Area as part of an investigation into a series of large-scale bank phishing campaigns targeting Canadians and financial institutions in Canada. This was the largest search operation to date for the CRTC and involved significant coordination and support from local law enforcement agencies.

The investigation was initiated following reports from financial institutions and submissions by Canadians to the Spam Reporting Centre (SRC). Phishing activity is growing in complexity as new tools and techniques are used by threat actors to steal personal information, send phishing emails and text messages, and compromise accounts on a large scale and with little effort.

Canadian are encouraged to continue to report spam and suspicious practices to spam@fightspam.gc.ca or by using the SRC’s online form.

Using social media to warn Canadians

Canadians can follow the CRTC’s Twitter and Facebook accounts for alerts on emerging phishing and scam campaigns that are continually popping up.

In late 2022, the CRTC alerted Canadians to an ongoing text message spam that was circulating. They were warned not to click on the link if they received a text message referring to Canada’s Anti-Spam Legislation (CASL) and a judgment awarding money to victims of illegal text message spamming.

In early 2023, the CRTC’s SRC received complaints about emails containing malicious OneNote attachments.  If opened, the attachments could compromise their computer, mobile phone, or even steal their personal information. The CRTC acted quickly to warn Canadians to be on the lookout for these emails appearing to come from an oil or gas company, and to avoid opening the attachments. The CRTC also retweeted a similar warning by the  Canadian Cyber Center about this campaign.

At the end of March, the CRTC retweeted a Canadian Anti-Fraud Centre  warning of reports of phishing text messages claiming to be from the Canadian Revenue Agency (CRA) which included real CRA phone numbers to make the message look legitimate.

The CRTC continues to encourage Canadians to stay vigilant and to report spam messages, or infected Web links that install malware, spyware, and viruses onto their computers.

“It’s important for Canadians to know that the CRTC only uses credible channels such as our official website and social media accounts to share information and to warn Canadians about phishing campaigns and scams.  And that as a government agency, the CRTC DOES NOT send messages directly to devices.”

- Steven Harroun, Chief Compliance and Enforcement Officer, CRTC

Payments and Penalties Under CASL

Since CASL came into force in 2014, compliance and enforcement efforts have resulted in administrative monetary penalties^{Footnote 1} and undertakings totalling over $3.6 million.

Between October 1, 2022 and March 31, 2023

Over 176,706 complaints to the Spam Reporting Centre.

That’s 6,796 per week.

Approximately 4,577 of these complaints were submitted using the online form, which represents only about 2.6% of total complaints. The remainder of complaints were sent by email at spam@fightspam.gc.ca.

The CRTC encourages Canadians to use the SRC’s online form to provide as much information as possible about potential CASL violations. The information provided by Canadians is an essential part of the intelligence the SRC gathers on spam and electronic threats. Each report is valuable and helps us to enforce CASL.

SRC Database Updates

The SRC continues to make updates and enhancements to the database to help identify cyber threat actors. More specifically, the SRC has added several new features that allow us and our partners to make better use of available data, enhance data retention, search with greater precision, display the date as needed, and to navigate the system more easily.

Reasons why Canadians complain

Long description:

Complaint reasons and percentages

• Lack of consent: 48%
• Indentification of Sender: 19%
• Deceptive Marketing Practices: 20%
• Other: 10%
• Software and Malware: 2%

Note: The total does not add to 100% since Canadians can select more than one category for a complaint.

Per month break down of complaints

Note: Statistics derived from spam reports filed through the SRC online form.

Long description:

Table 1

Year-month	Lack of Consent	Deceptive Marketing Practices	Identification of Sender	Other	Software and malware	Grand Total
2022-10	738	294	346	160	23	1561
2022-11	788	357	366	164	27	1702
2022-12	643	260	247	136	23	1309
2023-1	734	381	340	156	21	1632
2023-2	650	233	206	136	23	1248
2023-3	620	214	204	132	27	1197
Grand Total	4173	1739	1709	884	144	8649

Collaboration with International Partners

For the first time, regulators from Canada, Australia, Ireland, Hong Kong and the United States met in person in the fall of 2022 to find better ways to combat scams.

Hosted by the CRTC, the Combating Scam Communications meeting was an opportunity to share strategic insights on current initiatives and cross-border enforcement challenges. Participants also explored opportunities for greater international collaboration to disrupt scam communications.

Representatives from the five countries agreed to continue their collaboration and share strategic information. They will also seek engagement from other regulatory agencies in jurisdictions that may be the source of or suffering from scam communications.

This meeting builds on an existing collaboration between regulators through the Unsolicited Communications Enforcement Network (UCENet) and the strong bilateral relationships between many global regulatory agencies.

“The purpose of the UCENet is to promote international spam enforcement cooperation and address related issues, such as online fraud and deception, phishing and the spreading of computer viruses.”

- Steven Harroun, Chief Compliance and Enforcement Officer, CRTC

The CRTC works with members from over 26 countries to fulfill its mandate, to promote international cooperation and address problems relating to spam and unsolicited communication.