Enforcing
Canada’s Anti-Spam
Legislation (CASL)

Actions carried out by the CRTC between
April 1, 2022 and September 30, 2022

View previous or next time period

Enforcement Highlights

Policy to help limit botnet traffic and strengthen Canadians’ online safety

Botnets facilitate some of the most damaging cyber-attacks, including ransomware and identity theft. These attacks cause significant harm to Canadians, businesses and organizations that provide critical services such as hospitals, schools and government bodies.

In June 2022, the CRTC found that regulatory action was necessary to ensure that Canadian carriers who block botnets do so in a way that provides a baseline level of protection to Canadians.

The CRTC’s Decision on this matter established the overarching guiding principles for a future network-level botnet-blocking framework.  The CRTC requested that the CRTC’s Interconnection Steering Committee (CISC) examine developing technical parameters that are consistent with the guiding principles and produce a report for the CRTC detailing its recommendations.  After this, the CRTC intends to establish standards for botnet blocking.

Innovative solutions to Compliance and Enforcement

While the CRTC employs traditional enforcement tools, it is also open to innovative approaches to bring businesses and individuals into compliance if it deems the circumstances are warranted.   

In the previous Bi-annual Canadian Spam Report, the CRTC addressed its investigation of four Canadians for their involvement in a Dark Web Marketplace known as CanadianHQ.  Since then, the CRTC has negotiated ways that some individuals can give back to contribute to a safer and more secure online marketplace for Canadians and businesses alike in the community.  These innovative solutions include completing volunteer work, donating to a charity related to a safer and more secure online marketplace, doing presentations to deter youth from cybercrime and for a certain period giving the CRTC unfettered access to electronic devices upon request for inspection.

CRTC Stays Vigilant over the QAKBOT

CRTC staff continue to monitor malware, spyware and viruses in computer programs or spam messages, or infected Web links. Thanks to Canadians who take the time to report complaints to the CRTC, the CRTC now has some specific examples of QAKBOT links for its analysis and investigations.

The CRTC warns Canadians that the QAKBOT is a modular and highly evasive information-stealing malware that can lead to targeted attacks involving theft and ransomware. The QAKBOT infection chain usually starts with a malicious spam email and the infection spreads from there.

Enforcement Measures

Enforcement measures infographic
Long description:
  • 3 Warning Letters
  • 214 Notices to Produce
  • 4 Undertakings
  • 1 Notice of Violation
  • 2 Preservation Demands
  • 1 Decision

Payments and Penalties Under CASL

Since CASL came into force in 2014, enforcement efforts have resulted in more than $1.9 million payable. Of this amount, approximately $1.1 million is from administrative monetary penaltiesFootnote 1 and $685,000 from negotiated undertakings.

Complaints to the Spam Reporting Centre (SRC)

Between April 1, 2022 and September 30, 2022

Over 167,939 complaints to the Spam Reporting Centre

Over 159,101 complaints to the Spam Reporting Centre.

That’s 6,119 per week.

Approximately 5,066 of these complaints were submitted using the online form, which represents only about 3.2% of total complaints. The remainder of complaints were sent by email at spam@fightspam.gc.ca.

The CRTC encourages Canadians to use the SRC’s online form to provide as much information as possible about potential CASL violations. The information provided by Canadians is an essential part of the intelligence the SRC gathers on spam and electronic threats. Each report is valuable and helps us to enforce CASL.

SRC Database Updates

The SRC can now process PDF documents that have been provided by Canadians as part of their complaints.   This enhancement helps the CRTC in its ability to identify malicious PDF campaigns for investigation.  These types of campaigns target Canadians by sending them an infected PDF as an email attachment which, when opened, can be used to evade detection, embed malicious files, load remote exploits, and shellcode encryption.   This can then allow an attacker to run malware under the radar without the victim knowing.

Canadians need to watch out for POP-UP, CALL, SPAM EMAIL or any other urgent message about a virus on their computer.

Sources of spam (reported through online form)

Sources of spam chart
Sources of spam legend
Long description:
  • Email: 57%
  • Text message (SMS): 32%
  • Instant message (IM): 2%
  • Unspecified: 9%

SMS spam (reported through online form)

Sources of spam chart
Sources of spam legend
Long description:
  • Phishing: 57%
  • Other/Unknown: 20%
  • Commercial: 13%
  • Scams: 6%
  • Affiliate Marketing: 3%

Reasons why Canadians complain

Reasons why Canadians complain chart
Long description:

Complaint reasons and percentages

  • Lack of consent: 47%
  • Indentification of Sender: 21%
  • Deceptive Marketing Practices: 19%
  • Other: 12%
  • Software and Malware: 2%

Note: The total does not add to 100% since Canadians can select more than one category for a complaint.

Per month complaints about consent highest in August 2022

Looking at submissions from Canadians to the SRC over the last 6 months, per month complaints were at their highest in August 2022. Moreover, complaints in each of the categories were also at their highest in August and almost double that compared to some of the months during the previous reporting period.

Complaints about consent chart
Complaints about consent chart legend

Note: Statistics derived from spam reports filed through the SRC online form.

Long description:
Year-Month Lack of consent Deceptive Marketing Practices Identification of Sender Other Software and Malware Grand Total
2022-4 732 330 346 186 29 1623
2022-5 698 299 323 150 40 1510
2022-6 602 224 242 140 17 1225
2022-7 613 232 273 158 13 1289
2022-8 1223 475 540 316 42 2596
2022-9 703 303 314 182 22 1524
Grand Total 4571 1863 2038 1132 163 9767

Top 5 commercial and affiliate marketing complaints

Graphic of the top five categories of affiliate marketing messages

The top five categories of commercial and affiliate marketing messages reported to the SRC relate to: (1) Online Shopping (2) Business to Business (3) Food, Drug & Health (4) Home, Auto & Real Estate (5) Software & Technology.

Note: Statistics derived from spam reports filed through the SRC online form.

Long description:

Top 5

  1. Online Shopping
  2. Business to Business
  3. Food, Drug & Health
  4. Home, Auto & Real Estate;
  5. Software & Technology

Outreach

Outreach and engagement activities are a critical means to help legitimate businesses, including marketers, email senders, and other small and medium businesses, with their compliance efforts under CASL.  It also helps educate.

During this reporting period, as a trusted-source partner, the CRTC Compliance and Enforcement staff were able to work to:

  • help take down some Cloud Storage domains (i.e., registered websites) that were facilitating violations of Canada’s anti-spam legislation;
  • establish some new data source partners as a means to enhance the identification of  suspected malicious actors operating malware campaigns; and
  • educate law enforcement and banking security personnel to beware of suspicious trends and behaviors in the marketplace. 

In September 2022, the CRTC’s Chief Compliance and Enforcement Officer, Steven Harroun, was a guest speaker at this year’s Canadian email Summit. During his fireside chat with attendees, Steven promoted compliance with the relevant CASL laws and regulations through education and encouragement to comply.  At the same time, he explained that where necessary, the CRTC would enforce their application through traditional or innovative approaches.

Collaboration with International Partners

The CRTC has also forged partnerships with organizations across the globe in order to better fulfill its mandate. The CRTC is part of the Unsolicited Communications Enforcement Network (UCENet). Members from over 26 countries work together to promote international spam enforcement cooperation and address problems relating to spam and unsolicited telecommunications.

Agreements with International Partners world map
Long description:

Canada (CA)

Memorandum of Understanding:

Enforcement Collaboration:

United States (US)

Memorandum of Understanding:

Enforcement Collaboration:

United Kingdom (UK)

Memorandum of Understanding:

Information Commissioner’s Office (ICO)

Japan (JP)

Memorandum of Understanding:

Ministry of Internal Affairs and Communications

Australia (AU)

Memorandum of Understanding:

Australian Communications and Media Authority (ACMA)

Enforcement Collaboration:

Australian Federal Police (AFP)

New Zealand (NZ)

Memorandum of Understanding:

Department of Internal Affairs (DIA)

Useful Resources

Are you still receiving spam?

Report it and we’ll have a look.

Date modified: