Enforcing
Canada’s Anti-Spam
Legislation (CASL)

The CRTC protects consumers and businesses from the misuse of digital technology, including spam and other electronic threats and helps businesses stay competitive in a global, digital marketplace. In October 2023, the CRTC’s Chief Compliance and Enforcement Officer published details regarding an investigation into a high-volume phishing campaign, and the issuing of a penalty of $40,000 to Sami Medouni, a resident of Quebec, for his role in the campaign.

The CRTC launched its investigation after being alerted by a phone company about a potential scam affecting their customers. The investigation found that between December 22, 2020 and January 14, 2021, Mr. Medouni used fraudulently obtained telephone numbers to send over 30,000 phishing text messages to Canadians.

The phishing text messages were sent to individuals without consent from fraudulently obtained phone numbers, and they mimicked well-known brands to obtain personal data including credit card numbers, banking credentials and other sensitive information.

Consult the news release

“These phishing scams are not only a nuisance for Canadians, but they also put our personal and financial information at risk. The CRTC will continue to investigate possible violations that target Canadians.”

- Steven Harroun, Chief Compliance and Enforcement Officer, CRTC

In November, the CRTC issued a publication to help parties understand the Compliance and Enforcement review process. This information package explains to parties how these types of proceedings unfold, and how to best participate for violations under the CRTC’s legislative authorities.

When it comes to CASL violations, this package is particularly useful if a party has been the subject of a CRTC enforcement action and would like to have it adjudicated by the CRTC. Enforcement actions can include preservation demands, notices of violations, and notices to produce. While parties can apply to this review process, there is an expectation that the application to do should be well supported.

Additional details can be found in the Information Bulletin on the CRTC’s practices in Compliance and Enforcement review proceedings.

A QR code or a “quick response” code, is a type of barcode that stores information, most commonly hyperlinks, to allow quick navigation by consumers to web pages. The CRTC notes that QR codes are being reported by different organizations as a growing way to hide malicious URLs.

As such, the CRTC has recently implemented a content verification tool to detect QR codes in the spam Canadians submit to the Spam Reporting Center (SRC). This has allowed the CRTC to detect 432 QR codes associated with complaints submitted by Canadians. Of these, 49 are confirmed threats by Google Safebrowsing.

The CRTC continuously monitors the complaints submitted by Canadians to the SRC. Of note in the last 6 months, complaints have mentioned themed scams that contained malicious Excel spreadsheet and compressed file attachments. Canadians must be careful because if opened, these types of infected links can lead to the malware, spyware, and viruses being installed onto their computers.

Canadians are encouraged to follow the CRTC’s Twitter and Facebook accounts for alerts on emerging phishing and scam campaigns that are continually popping up.

During the month of December, the CRTC ran a social media campaign warning Canadians to stay vigilant during the holiday season. Typically, scammers try to capitalize at this time of the year to trick Canadians into clicking on malicious links and sharing sensitive information. The CRTC’s campaign provided Canadians with some tips and tricks to help them spot these tactics.

The CRTC reminds Canadians to continue to stay vigilant and to help us by reporting spam messages at spam@fightspam.gc.ca or using the online form.

Payments and Penalties Under CASL

Since CASL came into force in 2014, enforcement efforts have resulted in over $3.2 million issued in administrative monetary penalties^{footnote 1}.

Canadian complaints are an essential part of the intelligence the Spam Reporting Center (SRC) gathers on spam and electronic threats.

Between October 1, 2023 and March 31, 2024

Over 216,800 complaints were received by the Spam Reporting Centre.

That’s 8,338 per week.

Approximately 4,705 of these complaints were submitted using the online form, which represents only about 2.0% of total complaints. The remainder of the complaints were sent by email at spam@fightspam.gc.ca.

It is helpful to use the SRC’s online form since it provide as much information as possible about potential CASL violations.

The CRTC encourages Canadians to also report spam SMS to the SRC.

Reasons why Canadians complain

Long description:

Complaint reasons and percentages

• Lack of consent: 54%
• Indentification of sender: 17%
• Deceptive Marketing Practices: 17%
• Other: 10%
• Software and malware: 2%

Per month break down of complaints

Note: Statistics derived from spam reports filed through the SRC online form.

Long description:

Table 1

Year	Other	Consent for messages	Identification of sender	Deceptive Marketing Practices	Software and malware	Grand Total
2023-10	113	678	183	197	25	1196
2023-11	111	638	159	166	10	1084
2023-12	98	555	167	160	14	994
2024-1	139	613	243	239	16	1250
2024-2	132	656	226	226	13	1253
2024-3	118	651	225	205	20	1219
Grand Total	711	3791	1203	1193	98	6996

The CRTC works with members from over 26 countries to fulfill its mandate, to promote international cooperation and address problems relating to spam and unsolicited communication.