The Hitender Sharma was driving from Toronto to Windsor last month when he received a phone call from a private researcher who made him change his car.
The researcher told Sharma that the scammers had been kidnapped by the scammers who sought to obtain access to commercial property without mortgages that Sharma’s company owns in Mississauga. Your goal? To take advantage of millions of dollars in capital financing or selling the land.
“It was shocking,” Sharma said. “We have all the investment here, [the property] It is worth more than $ 12 million and this will disappear. “
The next day, Sharma took a copy of the Ontario Corporation record for his Holding company, which confirmed that someone had changed the director and business address in November.
It turns out that his company was not the only objective.
According to Brian King, the private researcher who called Sharma, his lot was one of the five commercial properties of the Metropolitan Area of Toronto (GTA) launched to a private lender for financing or purchase, for a group that took over companies that possess the properties at the end of last year.
In one of those cases, in which King’s firm is working, he says that the group managed to sell a property of Caledon to the unsuspecting lender for almost $ 5 million without the knowledge of the legitimate owner. For Sharma’s property, the group wanted a mortgage of $ 5 million, but did not get it.
“I suspect that there are many more,” said King, president and CEO of King International Advisory Group, which specializes in white -collar crimes. “We are studying certain records to which we now have access, and I suspect that we will find more [properties]”
Title records show that Sharma’s property is still not mortgages and has not been sold, but is still working to recover control of his holding company.
CBC Toronto has widely informed of similar frauds aimed at residential properties. In those cases, the scammers passed through the owners to obtain mortgages or sell houses from under them.
Although the objective of taking advantage of the equity of a property is the same in this scheme, the steps involved raise new questions and concerns about the security of the Ontario Business Registry.
“With the security characteristics instead, someone should not be able to enter and change someone’s corporate records,” King said. “In my opinion, it is a defect in our government system at this time to be fixed.”
The business record became digital in 2021
Almost four years ago, the Provincial Government introduced a new Ontario Digital Business Registry to facilitate “life” by allowing business owners to make changes and send presentations for their online company, 24/7.
The system also created a new security function called “company key”. Each key is a unique sequence of digits and characters assigned to a business and is used as a pin to send presentations and change its corporate registration. Since October 2021, new companies have automatically issued a key after incorporation, but older companies have to request a key, which is then sent by mail to their registered office address or email address.
CBC Toronto learned of at least five cases in which the business owners in the GTA have been attacked by scammers, who have managed to kidnap their corporations. The objective: extract effective from the properties or sell them directly.
Sharma’s company joined in 2014, so he was not issued a company key until April 2024, when his accountant requested one from the Ministry of Principal and Acquisition of Public and Business Services on behalf of his business to change his office address.
Public information, other sources used for verification
What is not clear is how the scammers involved in the kidnapping of the company holder of Sharma were able to obtain the key to their company to make changes in the corporation registry in November.
CBC Toronto asked the Ministry what information should provide an applicant to verify that he has the authority to obtain the company’s key from a corporation.
In a statement, a spokesman said that the keys are sent to the official postal address or the email address of a company if they are updated, but if they are not, there is an alternative.
“The person requesting a company key must demonstrate its connection with the business using a combination of information on the public registry and information from other internal and external sources,” said Ministry spokesman Jeffrey Stinson.
“For security purposes, the Ministry cannot provide details of the additional information that requests for applicants. These applications are reviewed by the Ministry of Precision before a company key is issued.”
But according to a step by step guide on how to request a company of the company published by the Ministry in November, if an individual claims a legal affiliation to the company, you can request that the key to your company be sent to a new email address. They can do this by providing information about who presented the last document on behalf of the company, together with the year and month that the document was presented, which can be publicly accessed.
“I have spoken with several lawyers and various law firm, and people involved in real estate and the corporate field, and many of them told me that it is very easy to obtain a corporate pin,” King said. “For them, it’s almost ridiculous.”
The Ministry says that it is not responsible for the precision of the records
Sharma reported what happened to Peel Regional Police. He has also contacted the Ministry to obtain answers on how these changes were made without their knowledge and for help to recover control of your business.
In a letter last week, the ministry told Sharma that the changes presented for his company in November were presented by a private sector service provider called Dye & Durham, and suggested contacting them so they could take the appropriate measures.
“We notice that the Ministry has no legislative authority to change any information presented by the corporations,” wrote a manager of the Commercial Registry Services of the Ministry in the Charter.
“It is the responsibility of the Corporation to ensure that the information presented to the Minister is precise and correct any inaccurate information about the public registry by presenting a change notice.”
But when Sharma contacted Dye & Durham, he says they told him that the responsibility for verification lies in the ministry. According to Sharma, Dye & Durham told him that his company functions as an online service provider, allowing anyone with the company’s key to make changes in a registry of the corporation.
“We are open to any type of fraud and there is no resource,” Sharma said after receiving the Ministry letter and contacting Dye & Durham. “Someone needs to be the guardian and, ultimately, that has to be the ministry.”
CBC Toronto communicated with Dye & Durham to clarify its role with the registration, but the company declined to comment.
The letter from the Ministry to Sharma also said that you can update the public registry of your company to correct the director and address the information with the key to your company and can regenerate a new key for security purposes.
But Sharma is not sure if he can do that at this time, and says that his lawyer has sent a letter to Dye & Durham that told them to get rid of changes in the registration of his company carried out through his system.
Exploiting weak verification
A cybersecurity senior advisor told CBC Toronto that this seems like a classic case of a group that exploits weak verification.
“It’s like locking your door and put the key under the mat,” said Rogers Cybersecure Catalyst at Toronto Metropolitan University.
He says that sending the company’s keys was a good plan because it is similar to the authentication of two factors, in which an individual has to confirm his identity using a secondary device, such as sending a code sent by text message to his cell phone. But the problem lies in the Ministry’s approach to verify a person trying to obtain a key outside that system, using security questions that include answers in the public registry.
“Security questions can often be the weakest link,” said GropP. “We are constantly balancing between safety and usability, and that is always disagreeing. The safer is something, generally the least usable is, the less easy to use.”
Recommends that the province make three changes to improve the safety of its commercial registration: abandon security questions and use multifactor authentication in place; Send alerts in real time if the corporate registration information changes; and implement a delay for changes (such as the direction of a company) so that there is time to fix them before the scammers can act.
GROPP would also like to see the government with the same security standards as other institutions, such as hospitals and banks, given the sensitive information they possess.
Meanwhile, Sharma is concerned about how others could be affected by similar fraud.
“Unless they make some changes, this will be devastating for many other families or business owners,” he said.
