Hitender Sharma was driving from Toronto to Windsor last month when he got a phone call from a private investigator that made him turn his car around.
The investigator told Sharma his holding company had been hijacked by fraudsters looking to gain access to the mortgage-free commercial property Sharma’s company owns in Mississauga. Their aim? To cash in on millions of dollars in equity by financing or selling the land.
“It was shocking,” said Sharma. “We have all the investment here, [the property] is worth more than maybe $12 million and this will disappear.”
The next day, Sharma pulled a copy of the Ontario corporation record for his holding company, which confirmed that someone had changed the director and address of the business in November.
It turns out, his company wasn’t the only target.
According to Brian King, the private investigator who called Sharma, his lot was one of five Greater Toronto Area (GTA) commercial properties pitched to a private lender for financing, or purchase, by a group that took over companies that own the properties late last year.
In one of those cases, which King’s firm is working on, he says the group succeeded in selling a Caledon property to the unsuspecting lender for nearly $5 million without the rightful owner’s knowledge. For Sharma’s property, the group wanted a $5-million mortgage, but didn’t get it.
“I suspect there are many more,” said King, president and CEO of King International Advisory Group, which specializes in white collar crime. “We’re poring through certain records that we now have access to, and I do suspect we’re going to find more [properties].”
Title records show Sharma’s property remains mortgage-free and hasn’t been sold — but he’s still working to regain control of his holding company.
CBC Toronto has reported extensively on similar frauds targeting residential properties. In those cases, fraudsters impersonated the homeowners to obtain mortgages or sell houses out from under them.
Although the goal of leveraging equity from a property is the same in this scheme, the steps involved raise new questions and concerns about the security of the Ontario Business Registry.
“With security features in place, someone shouldn’t be able to go in and change someone’s corporate records,” said King. “In my mind, it’s a bit of a flaw in our government system right now that needs to be fixed.”
Nearly four years ago, the provincial government introduced a new digital Ontario Business Registry to make “life easier” by allowing business owners to make changes and submit filings for their company online, 24/7.
The system also created a new security feature called a “company key.” Each key is a unique sequence of digits and characters assigned to a business and used like a PIN to submit filings and change their corporate record. Since October 2021, new companies have been automatically issued a key after incorporating, but older businesses have to request a key, which is then mailed to their registered office address or email address.
Sharma’s company was incorporated in 2014, so he wasn’t issued a company key until April 2024, when his accountant requested one from the Ministry of Public and Business Service Delivery and Procurement on behalf of his business in order to change its office address.
What’s unclear is how the fraudsters involved in hijacking Sharma’s holding company were able to get his company key to make changes to the corporation record in November.
CBC Toronto asked the ministry what information a requester needs to provide to verify they have authority to get a corporation’s company key.
In a statement, a spokesperson said the keys are sent to the official mailing address or email address of a business if those are up-to-date, but if they aren’t, there’s an alternative.
“The person applying for a company key must demonstrate their connection to the business using a combination of information on the public record and information from other internal and external sources,” said ministry spokesperson Jeffrey Stinson.
“For security purposes, the ministry cannot provide details of the additional information it requests from applicants. These requests are reviewed by the ministry for accuracy before a company key is issued.”
But according to a step-by-step guide on how to request a company key published by the ministry in November, if an individual claims a legal affiliation to the company, they can request its company key be sent to a new email address. They can do this by providing information on who filed the last document on behalf of the company — along with the year and month the document was filed, which is publicly accessible.
“I’ve talked to a number of lawyers and various law firms, and people involved in the real estate and the corporate field, and many of them told me that it is so easy to get a corporate PIN,” said King. “To them, it’s almost laughable.”
Sharma reported what happened to Peel Regional Police. He has also contacted the ministry for answers on how these changes were made without his knowledge and for help regaining control of his business.
In a letter last week, the ministry told Sharma the changes filed for his company in November were submitted by a private sector service provider called Dye & Durham, and suggested contacting them so that they can take appropriate action.
“We note that the Ministry has no legislative authority to change any information filed by corporations,” wrote a manager from the ministry’s business registry services branch in the letter.
“It is the responsibility of the Corporation to ensure that the information filed with the Minister is accurate, and to correct any inaccurate information on the public record by filing a Notice of Change.”
But when Sharma contacted Dye & Durham, he says they told him that responsibility for verification lies with the ministry. According to Sharma, Dye & Durham told him their company functions as an online service provider, which allows anyone with the company key to make changes to a corporation record.
“We are open to any kind of fraud and there’s no recourse,” said Sharma after receiving the ministry’s letter and contacting Dye & Durham. “Someone needs to be the gatekeeper, and ultimately that has to be the ministry.”
CBC Toronto reached out to Dye & Durham to clarify its role with the registry, but the company declined to comment.
The ministry’s letter to Sharma also said he can update his company’s public record to correct the director and address information with his company key and can regenerate a new key for security purposes.
But Sharma remains unsure whether he can do that at this point, and says his lawyer has sent a letter to Dye & Durham instructing them to undo the changes to his company record made through their system.
A senior cybersecurity adviser told CBC Toronto this looks like a classic case of a group exploiting weak verification.
“It’s kind of like locking your door and putting the key under the mat,” said Mike Gropp from the Rogers Cybersecure Catalyst at Toronto Metropolitan University.
He says mailing out company keys was a good plan because it’s similar to two-factor authentication, in which an individual has to confirm their identity using a secondary device, such as by submitting a code texted to their cell phone. But the problem lies with the ministry’s approach to verifying a person trying to get a key outside of that system — by using security questions that include answers on the public record.
“Security questions can often be the weakest link,” said Gropp. “We’re constantly balancing between security and usability, and those are always at odds. The more secure something is, typically the less usable it is, the less user-friendly.”
He recommends that the province make three changes to improve security of its business registry: ditch security questions and use multi-factor authentication instead; send real-time alerts if corporate record information changes; and implement a delay for changes (like to a company’s directorship) so there’s time to fix them before fraudsters can act.
Gropp would also like to see the government held to the same security standards as other institutions, like hospitals and banks, given how much sensitive information they hold.
In the meantime, Sharma is worried about how others could be impacted by similar fraud.
“Unless they make some changes, this will be devastating for many other families or business owners,” he said.