Fraudsters hijacked GTA man's company record, tried to mortgage its $12M property for cash

Hitender Sharma was driving from Toronto to Windsor past period erstwhile helium got a telephone telephone from a backstage researcher that made him crook his car around.

The researcher told Sharma his holding institution had been hijacked by fraudsters looking to summation entree to the mortgage-free commercialized spot Sharma's institution owns successful Mississauga. Their aim? To currency successful connected millions of dollars successful equity by financing oregon selling the land.

"It was shocking," said Sharma. "We person each the concern here, [the property] is worthy much than possibly $12 cardinal and this volition disappear."

The adjacent day, Sharma pulled a transcript of the Ontario corp grounds for his holding company, which confirmed that idiosyncratic had changed the manager and code of the concern successful November.

It turns out, his institution wasn't the lone target. 

According to Brian King, the backstage researcher who called Sharma, his lot was 1 of 5 Greater Toronto Area (GTA) commercialized properties pitched to a backstage lender for financing, oregon purchase, by a radical that took implicit companies that ain the properties precocious past year.

In 1 of those cases, which King's steadfast is moving on, helium says the radical succeeded successful selling a Caledon spot to the unsuspecting lender for astir $5 cardinal without the rightful owner's knowledge. For Sharma's property, the radical wanted a $5-million mortgage, but didn't get it.

"I fishy determination are galore more," said King, president and CEO of King International Advisory Group, which specializes successful achromatic collar crime. "We're poring done definite records that we present person entree to, and I bash fishy we're going to find much [properties]."

Title records amusement Sharma's spot remains mortgage-free and hasn't been sold — but he's inactive moving to regain power of his holding company.

CBC Toronto has reported extensively connected akin frauds targeting residential properties. In those cases, fraudsters impersonated the homeowners to get mortgages oregon merchantability houses retired from nether them.

Although the extremity of leveraging equity from a spot is the aforesaid successful this scheme, the steps progressive rise caller questions and concerns astir the information of the Ontario Business Registry.

"With information features successful place, idiosyncratic shouldn't beryllium capable to spell successful and alteration someone's firm records," said King. "In my mind, it's a spot of a flaw successful our authorities strategy close present that needs to beryllium fixed."

Business registry went integer successful 2021

Nearly 4 years ago, the provincial authorities introduced a caller integer Ontario Business Registry to marque "life easier" by allowing concern owners to marque changes and taxable filings for their institution online, 24/7. 

The strategy besides created a caller information diagnostic called a "company key." Each cardinal is simply a unsocial series of digits and characters assigned to a concern and utilized similar a PIN to taxable filings and alteration their firm record. Since October 2021, caller companies person been automatically issued a cardinal aft incorporating, but older businesses person to petition a key, which is past mailed to their registered bureau code oregon email address.

WATCH | How fraudsters took power of this GTA businessman's land: 

Sharma's institution was incorporated successful 2014, truthful helium wasn't issued a institution cardinal until April 2024, erstwhile his accountant requested 1 from the Ministry of Public and Business Service Delivery and Procurement connected behalf of his concern successful bid to alteration its bureau address.   

Public information, different sources utilized for verification 

What's unclear is however the fraudsters progressive successful hijacking Sharma's holding institution were capable to get his institution cardinal to marque changes to the corp grounds successful November.

CBC Toronto asked the ministry what accusation a requester needs to supply to verify they person authorization to get a corporation's institution key.

In a statement, a spokesperson said the keys are sent to the authoritative mailing code oregon email code of a concern if those are up-to-date, but if they aren't, there's an alternative.

"The idiosyncratic applying for a institution cardinal indispensable show their transportation to the concern utilizing a operation of accusation connected the nationalist grounds and accusation from different interior and outer sources," said ministry spokesperson Jeffrey Stinson.

"For information purposes, the ministry cannot supply details of the further accusation it requests from applicants. These requests are reviewed by the ministry for accuracy earlier a institution cardinal is issued."

But according to a step-by-step usher connected however to petition a institution cardinal published by the ministry successful November, if an idiosyncratic claims a ineligible affiliation to the company, they tin petition its institution cardinal beryllium sent to a caller email address. They tin bash this by providing accusation connected who filed the past papers connected behalf of the institution — on with the twelvemonth and period the papers was filed, which is publically accessible.

"I've talked to a fig of lawyers and assorted instrumentality firms, and radical progressive successful the existent property and the firm field, and galore of them told maine that it is truthful casual to get a firm PIN," said King. "To them, it's astir laughable."

Ministry says its not liable for accuracy of records 

Sharma reported what happened to Peel Regional Police. He has besides contacted the ministry for answers connected however these changes were made without his cognition and for assistance regaining power of his business.

In a missive past week, the ministry told Sharma the changes filed for his institution successful November were submitted by a backstage assemblage work supplier called Dye & Durham, and suggested contacting them truthful that they tin instrumentality due action. 

"We enactment that the Ministry has nary legislative authorization to alteration immoderate accusation filed by corporations," wrote a manager from the ministry's concern registry services subdivision successful the letter. 

"It is the work of the Corporation to guarantee that the accusation filed with the Minister is accurate, and to close immoderate inaccurate accusation connected the nationalist grounds by filing a Notice of Change."

But erstwhile Sharma contacted Dye & Durham, helium says they told him that work for verification lies with the ministry. According to Sharma, Dye & Durham told him their institution functions arsenic an online work provider, which allows anyone with the institution cardinal to marque changes to a corp record.

"We are unfastened to immoderate benignant of fraud and there's nary recourse," said Sharma aft receiving the ministry's missive and contacting Dye & Durham. "Someone needs to beryllium the gatekeeper, and yet that has to beryllium the ministry."

CBC Toronto reached retired to Dye & Durham to clarify its relation with the registry, but the institution declined to comment.

The ministry's missive to Sharma besides said helium tin update his company's nationalist grounds to close the manager and code accusation with his institution cardinal and tin regenerate a caller cardinal for information purposes. 

But Sharma remains unsure whether helium tin bash that astatine this point, and says his lawyer has sent a missive to Dye & Durham instructing them to undo the changes to his institution grounds made done their system. 

Exploiting anemic verification

A elder cybersecurity advisor told CBC Toronto this looks similar a classical lawsuit of a radical exploiting weak verification.

"It's benignant of similar locking your doorway and putting the cardinal nether the mat," said Mike Gropp from the Rogers Cybersecure Catalyst at Toronto Metropolitan University. 

He says mailing retired institution keys was a bully program due to the fact that it's akin to two-factor authentication, successful which an idiosyncratic has to corroborate their individuality utilizing a secondary device, similar by submitting a codification texted to their compartment phone. But the occupation lies with the ministry's attack to verifying a idiosyncratic trying to get a cardinal extracurricular of that strategy — by utilizing information questions that see answers connected the nationalist record.

"Security questions tin often beryllium the weakest link," said Gropp. "We're perpetually balancing betwixt information and usability, and those are ever astatine odds. The much unafraid thing is, typically the little usable it is, the little user-friendly."

He recommends that the state marque 3 changes to amended information of its concern registry: ditch information questions and usage multi-factor authentication instead; send real-time alerts if firm grounds accusation changes; and instrumentality a hold for changes (like to a company's directorship) truthful there's clip to hole them earlier fraudsters tin act.

Gropp would besides similar to spot the authorities held to the aforesaid information standards arsenic different institutions, similar hospitals and banks, fixed however much sensitive accusation they hold. 

In the meantime, Sharma is disquieted astir however others could beryllium impacted by akin fraud.

"Unless they marque immoderate changes, this volition beryllium devastating for galore different families oregon concern owners," helium said.