Inside Canada's Online Fraud Crisis: $704 Million Reported. The Real Number Is Up to $14 Billion.

Laura MacNutt runs a vintage clothing store in Halifax called KingsPIER Vintage. Customers bought luxury items through her Shopify store, picked them up in person, and then filed chargebacks through their banks. She lost the merchandise. She lost the revenue. And Shopify charged her a $15 fraud fee on top — per transaction. The purchases were never flagged as suspicious (CBC News Nova Scotia, February 2025).

In Burnaby, BC, Dan and Brigitte Loik followed every fraud prevention rule in the book for their restaurant equipment business. They were still left holding $23,000 in losses. The banks sided with the buyers. An expert quoted in the CBC investigation noted awareness of "entrepreneurs that have lost tens of thousands of dollars to chargebacks, driving them out of business" (CBC News, November 2021).

In March 2024, thieves backed a white Freightliner into a Delta, BC warehouse at 1:01 AM and drove away with a shipping container holding 150 Biktrix electric bicycles valued at $500,000 — including 8 prototype models not yet on the market. The container was found empty near the US border. The CEO estimated $4 million in lost revenue by year's end (CBC; Global News, March 2024).

These are not edge cases. They are the norm. And they are the reason this investigation exists.

The Number Canada Doesn't Track

In 2025, Canadians reported $704 million in fraud losses to the Canadian Anti-Fraud Centre. That is a record. It is a more than 300% increase from $165 million in 2020. It has grown every single year without exception (CAFC annual reports, 2020–2025).

Here is what that trajectory looks like:

Sources: CAFC 2024 Annual Statistical Report; Canada.ca Fraud Prevention Month releases (2025, 2026); Investment Executive (2025).

Now here is the part that changes the entire picture.

The CAFC itself — the federal agency whose sole job is tracking fraud — estimates that only 5–10% of fraud victims actually report. This is not an outside estimate. This is the agency's own published assessment. Statistics Canada's 2019 General Social Survey corroborates it: only 11% of fraud victims reported to police.

Apply the CAFC's own multiplier to its own numbers:

Between $7 billion and $14 billion a year. That is not speculation. That is the CAFC's own reporting-rate estimate applied to the CAFC's own loss figures. Cumulative reported losses since 2022 exceed $2.4 billion — which means actual cumulative losses may exceed $24 billion.

In 2024, the CAFC received 108,878 fraud reports and identified 34,621 confirmed victims. Identity fraud was the single most reported type in both 2024 and 2025 (CAFC; OPP). The top three categories by dollar loss in 2024 were investment fraud ($310.6 million), spear phishing ($67.3 million), and romance scams ($58.4 million).

TransUnion Canada's 2025 survey of 200 Canadian companies found something even larger: Canadian businesses reported losing the equivalent of 7.2% of revenues to fraud — totalling $111 billion, up 42% from $78 billion in 2024 (TransUnion Canada Newsroom, 2025). That number includes all fraud types — not just what reaches the CAFC.

Every Adult Canadian's Identity Is Already Compromised

This is the finding that no Canadian news outlet has connected into a single narrative. Three data breaches — all in 2019 — exposed the personal information of more Canadians than there are adults in the country.

Desjardins Group — 9.7 Million Members

Disclosed June 20, 2019. A single employee in Desjardins' marketing department exfiltrated data over approximately 26 months. Initially reported as 2.9 million members, it was revised in November 2019 to the entire membership: 9.7 million people. At the time, Canada's population was 37.6 million. That is roughly 1 in 4 Canadians.

Data exposed: names, dates of birth, Social Insurance Numbers, addresses, phone numbers, email addresses, transaction histories, and banking habits (OPC/CAI joint investigation, January 2020). Desjardins settled a class action for $200.9 million — the largest data breach settlement in Canadian history. Reports emerged in 2020 that stolen data had appeared on dark web marketplaces. The breach was a significant catalyst for Quebec's Law 25 privacy legislation.

Capital One — 6 Million Canadians (Including ~1 Million SINs)

Disclosed July 29, 2019. Paige Thompson, a former Amazon Web Services employee, exploited a misconfigured firewall. Approximately 6 million Canadians had data exposed, including approximately 1 million Canadian Social Insurance Numbers — one of the largest SIN exposures in a single breach. Thompson was convicted in June 2022 on seven federal charges (US v. Paige A. Thompson, W.D. Washington). Capital One paid an $80 million USD fine and settled a class action for $190 million USD.

LifeLabs — 15 Million Canadians

Disclosed December 17, 2019. Canada's largest community laboratory testing company was hit by a cyberattack. Approximately 15 million Canadians had data exposed — names, addresses, dates of birth, health card numbers, and lab test results. LifeLabs confirmed it paid a ransom to retrieve the data. The joint investigation by the Information and Privacy Commissioners of Ontario and British Columbia found LifeLabs had "failed to take reasonable steps to protect personal health information" — specifically citing inadequate encryption and insufficient network segmentation.

The Cumulative Math

Canada has approximately 31 million adults. These three breaches alone exposed:

• Desjardins: 9.7 million records (including SINs)
• Capital One: 6 million records (including ~1 million SINs)
• LifeLabs: 15 million records (including health card numbers)

That is 30.7 million records from three breaches — against a population of 31 million adults. Even accounting for overlap (people affected by more than one breach), the mathematical reality is that the personal data of virtually every adult Canadian has been compromised.

And those are just the three largest. Since 2022: LCBO (January 2023, Magecart web skimmer on the checkout page — card numbers and CVVs captured in real time), Sobeys/Empire Company (November 2022, Black Basta ransomware, $25 million estimated cost), Indigo (February 2023, LockBit ransomware, employee SINs and bank information compromised), London Drugs (April 2024, 79 stores closed for over a week, employee data confirmed compromised), Giant Tiger (March 2024, 2.8 million customer records exposed through a third-party vendor), City of Hamilton (February 2024, ransomware, weeks of disrupted services), and Suncor/Petro-Canada (June 2023, nationwide credit/debit card outages at gas stations).

📸 Playcut.ai — personalised AI actor technology

What Your Stolen Identity Sells For on the Dark Web

The oversupply from those breaches has driven prices down. According to cybersecurity firms Flashpoint, Recorded Future, and the Privacy Affairs Dark Web Price Index (published annually since 2020):

Sources: Privacy Affairs Dark Web Price Index (2020–2023); Flashpoint threat intelligence reports; NordVPN/NordStellar research (May 2025).

NordVPN's 2025 research found the average price of a stolen Canadian card fell from C$11.06 in 2023 to C$8.20 in 2025 — a 26% decline. Canadian cards are becoming cheaper because there are more of them available.

A complete Canadian identity — enough to open bank accounts, apply for credit, and make purchases — costs less than dinner for two.

How Online Fraud Actually Works — Six Methods Nobody Explains

Fraud is not abstract. It follows specific, repeatable methods. Understanding them is the first step toward understanding why traditional fraud detection fails — and why verification exists.

1. Triangulation Fraud

The most insidious method because it victimises a merchant who did everything right.

A fraudster creates a storefront on Amazon.ca, eBay, or Facebook Marketplace. They list a popular product at a slight discount — 15–25% below retail. A legitimate customer buys it with their own real credit card. The fraudster then purchases the same product from a real retailer using a stolen credit card and ships it directly to the customer.

The customer receives a real product from a real brand. They leave a positive review. Weeks later, the stolen card's real owner files a chargeback. The legitimate retailer — the one who actually shipped the product — absorbs the entire loss. The product is gone. The payment is reversed. And the retailer pays a chargeback fee on top.

Traditional fraud checks often miss this because the shipping address belongs to a real person who genuinely ordered the product. The merchant cannot distinguish this from a normal order.

2. Synthetic Identity Fraud

A fraudster combines a real Canadian SIN — typically belonging to a child, elderly person, or deceased individual — with a fabricated name and date of birth. They apply for credit. The first application is denied, but the act of applying creates a credit file. The synthetic person now "exists" in Canada's credit system.

Over 6–24 months, the fraudster nurtures the identity: small purchases, on-time payments, gradually building a credit score. When credit lines are maximised, they max everything out and disappear. Because the identity is synthetic, there is no real person to pursue. Lenders write off the loss as bad debt — often without even recognising it as fraud.

TransUnion Canada reported that synthetic identity fraud surged to 26% of total business fraud losses in 2025, up from 18% in 2024 — the largest year-over-year increase of any fraud type (TransUnion Canada Newsroom, 2025). In April 2024, Toronto Police's Project Deja Vu dismantled a ring that created 680+ synthetic identities and opened hundreds of fraudulent accounts across Ontario, resulting in $4 million in confirmed losses. The investigation revealed the synthetic identities were also being used to facilitate money laundering for human trafficking and drug trafficking.

3. Friendly Fraud (Chargeback Abuse)

Covered in detail below. A customer makes a legitimate purchase, receives the product, and then disputes the charge with their bank to get a refund while keeping the item. The RCMP calls this "one of the fastest growing types of fraud in Canada."

4. Account Takeover and SIM Swap

A fraudster contacts a mobile carrier and convinces them to transfer the victim's phone number to a new SIM. They then receive all SMS messages — including two-factor authentication codes — giving them access to bank accounts, email, and e-commerce accounts.

In 2024, Toronto Police's Project Disrupt dismantled a SIM swap ring that had compromised over 1,500 cellular accounts across Canada with over $1 million in losses. Ten people were arrested and 108 charges laid. Two suspects — Nadia Campitelli and Hervine Umutijima — remained wanted as of the announcement. Over 400 pieces of fake identification were seized.

5. Drop Networks and Re-Shipping

Fraudsters need physical addresses to receive goods purchased with stolen cards. They recruit Canadians — often through fake job postings advertising "Package Inspector" or "Shipping Coordinator" positions at $300–$500/week — to receive packages and re-ship them internationally. The re-shipper becomes an unwitting accomplice. The CAFC has issued multiple warnings about these scams, noting that victims are often newcomers to Canada, seniors, or people in financial distress.

6. Counterfeit Products and Physical Danger

Online fraud does not always stop at financial loss. It can cause physical harm.

Toronto Fire Services recorded 76 lithium-ion battery fires in 2024 — up 38% from 55 in 2023 and up 162% from 29 in 2022. Toronto's fire chief called e-bike batteries "the largest growing fire safety risk in the city." The cause: cheap batteries sold online containing counterfeit cells (fake Samsung/LG labels), lacking proper battery management systems, and carrying fake safety certifications. In January 2024, an e-bike burst into flames on a TTC subway car near Sheppard-Yonge station. The TTC considered banning e-bikes from transit entirely (CBC; City of Toronto, 2024).

There is currently no required certification for e-bike batteries in Canada — unlike phones and laptops. Fraudulent sellers exploit this gap. When you buy from a store that does not verify its supply chain or its customers, you are trusting the entire chain blindly.

The Named Operations — Canada's Largest Fraud Busts

These are not anonymous statistics. These are named investigations, named suspects, and named consequences.

Project NOVA (RCMP/International, 2025) — LabHost

LabHost was one of the world's largest phishing-as-a-service platforms. Close to 1 million Canadians were directly impacted. Over 75 Canadian entities — major banks and government institutions — were impersonated. Fourteen Canadian police agencies participated in the takedown alongside 12 countries, led by London Metropolitan Police and Europol EC3. In Canada: 10 search warrants, 118+ enforcement actions (RCMP, April 2025).

Project Deja Vu (Toronto Police, 2024) — Synthetic Identity

A two-year investigation into a scheme dating back to 2016. 680+ unique synthetic identities created. Hundreds of fraudulent bank and credit accounts opened across Ontario. Twelve men arrested, 102 charges laid, approximately $4 million in confirmed losses. Twenty search warrants executed. Seized: dozens of synthetic ID documents, fraudulent government IDs, electronic ID templates, hundreds of payment cards, and approximately $300,000 cash. The synthetic identities were also used to facilitate money laundering for human trafficking, drug trafficking, and armed robbery (Toronto Police, April 2024).

Project Disrupt (Toronto Police, 2024) — SIM Swap Ring

Year-long investigation. Over 1,500 cellular accounts across Canada compromised. $1 million+ in losses. Ten arrested, 108 charges laid, 400+ pieces of fake identification seized. Two suspects still wanted: Nadia Campitelli and Hervine Umutijima (CBC, Toronto Police, 2024).

Project Atlas (OPP, 2024) — Cryptocurrency Fraud

Prevented $70 million in cryptocurrency from being stolen. Froze $24 million in stolen crypto. Identified 2,000+ compromised cryptocurrency wallets across 14 countries. Partners included the RCMP, CAFC, US Secret Service, and multiple crypto exchanges (OPP, December 2024).

AlphaBay — Alexandre Cazes (Trois-Rivières, Quebec)

Alexandre Cazes, born 1991 in Trois-Rivières, founded and operated AlphaBay — the largest dark web marketplace in history, 10 times the size of Silk Road. At its peak: over 400,000 users, 200,000+ listings, $600,000–$800,000 daily in transactions. Total volume exceeded $1 billion in Bitcoin. His operational security failure: using a personal Hotmail address (pimp_alex_91@hotmail.com) for system emails — the same email on his LinkedIn profile. Arrested July 5, 2017 in Bangkok by the FBI, DEA, Europol, and Royal Thai Police. Found dead in his cell on July 12, 2017. Authorities seized a Lamborghini, Porsche Panamera, properties in Thailand, Antigua, and Cyprus, and millions in cryptocurrency. His wife later forfeited approximately $8.8 million to the US government (US DOJ, July 2017; CBC).

Montreal Grandparent Scam Networks (2021–2025)

At least 50 people arrested over four years. Three elaborate networks operating from Montreal call centres. The Gareth West network: 25 Canadian nationals indicted by a federal grand jury in Vermont (March 2025) for defrauding elderly victims in 40+ US states of $21 million. Ringleaders Gareth West and Ricky Ylimaki remain at large. Investigators established links to Italian Mafia. Canadians reported losing nearly $3 million to grandparent scams in 2024 alone (CBC Montreal; ICE, March 2025).

Mansouri/Alouah (RCMP, 2025) — Prolific Cyber Fraud

Chakib Mansouri, 30, and Majdouline Alouah, 32. Ran spoofed calls and texts impersonating banks, directing victims to fraudulent websites. Thousands of victims, potentially millions stolen. Laundered proceeds through online casinos and cryptocurrency. Forty phones seized. Mansouri sentenced to 4 years 9 months; Alouah to 2 years 9 months (RCMP Gazette, 2025).

TradeOgre (RCMP, 2025) — $56 Million Crypto Seizure

Largest cryptocurrency seizure in Canadian history. RCMP shut down the TradeOgre exchange and seized $56 million. The platform failed to register with FINTRAC as a money services business. Infrastructure seized in Beauharnois, Quebec. Investigation opened June 2024 after a Europol tip (RCMP, September 2025; Globe and Mail).

The Organised Crime Connection

This is the section that moves fraud from "white-collar nuisance" to "national security threat."

Criminal Intelligence Service Canada (CISC) estimates that $45 billion to $113 billion is laundered and integrated into Canada's economy annually (CISC National Criminal Intelligence Estimate). Canada has been described by security researchers as "a safe zone for the world's most notorious crime groups" and "a money laundering safe haven" (CISC; RCMP Financial Crime reports). Online fraud is one of the primary revenue streams feeding this laundering infrastructure.

The Italian Mafia and the Grandparent Scams

The Montreal grandparent scam networks detailed above did not operate in isolation. CBC Montreal's reporting and court documents from the Gareth West indictment establish direct links between these call centre operations and Italian Mafia organisations. The scams are not random — they are franchise operations run by organised crime, with recruiters, callers, couriers, and money launderers operating in a structured hierarchy (CBC Montreal, 2025; ICE indictment, March 2025).

The Hells Angels

The Hells Angels are the largest criminal motorcycle gang in Canada, with chapters spanning every province. British chapters have been directly involved in credit card fraud, money laundering, extortion, and the distribution of stolen goods. In 2023, Ontario court documents revealed two high-ranking Hells Angels who funnelled millions of unexplained cash into real estate across Ontario — including a lavish estate in the Blue Mountains area — despite having no declared income (court filings, 2023; Canadian Encyclopedia).

"Pig Butchering" — Chinese Organised Crime

The fastest-growing fraud type globally. Run by Chinese organised crime syndicates operating from compounds in Cambodia, Myanmar, and Laos — often using trafficked workers forced to scam under threat of violence. The scams involve building a relationship with the victim over weeks or months (the "fattening"), then directing them to invest in fake cryptocurrency or trading platforms (the "butchering").

Canadians lost $3.4 million to pig butchering scams in 2024 (CAFC). Globally, pig butchering losses reached approximately $75 billion CAD in 2024, with 40% year-over-year growth. Deposits to pig butchering scams grew 210% year-over-year (Chainalysis, 2024).

The "Vancouver Model" — Casino Money Laundering

While not exclusively an online fraud story, the "Vancouver Model" illustrates how Canada's financial system enables fraud at scale. Multi-billion-dollar money laundering operations flowed through BC casinos — money launderers entering with garbage bags of illicit cash, so-called students purchasing multi-million-dollar mansions, and a single working-class family bringing over $100 million into the country. The Cullen Commission (2022) documented the systemic failure, but enforcement remains patchy (CBC; Financial Crime Academy).

Romanian ATM Skimming Rings

European organised crime groups — particularly Romanian — have run international ATM skimming operations affecting Canada. In November 2023, Romanian law enforcement (coordinated with the FBI) targeted 84 locations, arrested 48 subjects, and seized approximately $1 million in connection with US/Canada skimming operations. Card skimming incidents rose 77% year-over-year globally — from 70,000 in 2022 to 120,000 in the first half of 2023 alone (FBI; Europol Operation Night Clone).

📸 Playcut.ai — personalised AI actor technology

What CBC Marketplace Found — And What They Missed

CBC Marketplace has produced some of the best investigative fraud journalism in Canada. Here is what their investigations revealed — and the thread they did not pull.

What They Found

"The Fraud Factory" (2025): A joint investigation with Radio-Canada's Enquête and the OCCRP "Scam Empire" project. A confidential source leaked nearly 2 terabytes of internal records from two phone scam call centres in Tbilisi, Georgia — including audio recordings of over 1 million calls and 20,000 video captures of scammers' screens. Two networks defrauded at least 32,000 victims of $275 million USD. Scammers posed as financial advisors and used deepfake celebrity endorsements. Marketplace profiled Canadian victims Marcel and Janette, who lost their life savings.

"The Sextortion Network" (October 2025): Exposed a network targeting teens, driving some to suicide within hours. Marketplace created three fake Instagram profiles — within 24 hours, they were targeted by 7 accounts. They verified 40+ sextortion-linked suicides across North America, Australia, and the UK in four years — 5 in Canada. Connected to Nigeria's "Yahoo Boys" criminal network.

"Scam Stoppers" Season Finale (March 2025): Marketplace teamed with scambusters Jim Browning, Kitboga, and Pleasant Green (combined following: 10 million+). They created a fraud-fighting call centre and rerouted 62 active scam call centres, intercepting fraudulent calls in real time.

"Scam Centres" (2018): David Common travelled to Mumbai and traced CRA phone scam calls to a low-rise apartment building. When the team confronted scammers, armed men chased them through alleyways. Since 2014, the CAFC had received 74,000+ complaints about CRA scams; at least 4,000 victims lost $15 million collectively. The investigation triggered RCMP Project Octavia, which led to 28 arrests in India and 11 in Canada.

What They Missed

CBC Marketplace has covered individual breaches, individual scams, and individual operations. What no Canadian news outlet — including Marketplace — has done is connect the three 2019 mega-breaches (Desjardins, Capital One, LifeLabs) into a single cumulative narrative and follow that thread to the small merchant level.

30.7 million records exposed from three breaches. 31 million adults in Canada. That is not three separate stories. That is one story: the identity infrastructure of an entire country was compromised in a single calendar year, and six years later, the downstream consequences — synthetic identities, triangulation fraud, account takeovers — are still accelerating. The merchants who absorb the losses have no voice in the coverage. The MATCH list, which can end a small business for five years, has never been explained to a Canadian consumer audience.

This article exists to fill that gap.

📸 Playcut.ai — personalised AI actor technology

The Merchants Who Bleed

The consumer side of fraud gets attention. The merchant side does not. Here is what happens to a small Canadian business when fraud hits.

The Biktrix Container Heist — $500,000 in E-Bikes

On March 19, 2024, at 1:01 AM, a white Freightliner daycab tractor with "Ryder" on its doors entered a warehouse on Annacis Island in Delta, BC. Two suspects connected a trailer to a shipping container and drove away within minutes. Inside: 150 Biktrix electric bicycles — valued at $500,000 (declared) / $840,000 (retail) — including 8 "golden sample" prototype bikes not yet on the market. The container was found empty in Langley, BC, near the US border. The CEO estimated $4 million in lost revenue by year-end, including delayed launches. Insurance was complicated by a third-party warehouse gap (CBC; Global News, March 2024).

Biktrix is a Canadian e-bike company headquartered in Saskatoon, Saskatchewan. They are one of our competitors. What happened to them could happen to any Canadian merchant shipping high-value products.

Laura MacNutt — KingsPIER Vintage, Halifax

The story that opens this article. Customers bought luxury vintage clothing, picked up items in person, and then filed chargebacks. She lost the merchandise, the revenue, and paid Shopify's $15 fraud fee per transaction. Fraud victimisation consultant Vanessa Iafolla told CBC that business owners are "doubly victimised" — out the money, out the item, and out all the extra fees (CBC News Nova Scotia, February 2025).

Dan and Brigitte Loik — Burnaby, BC

Followed every fraud prevention rule for their restaurant equipment business. Still left on the hook by banks for $23,000. An expert noted awareness of "entrepreneurs that have lost tens of thousands of dollars to chargebacks, driving them out of business" (CBC News, November 2021).

The True Cost Per Dollar

Industry data shows that for every $1 lost to fraud, Canadian merchants lose $4.52 in total costs in 2025. This includes the product cost, shipping, processing fees, chargeback fees ($15–$100 per incident), staff time investigating and responding (1.5+ hours), customer acquisition costs, and potential increases to future processing rates (LexisNexis Risk Solutions, True Cost of Fraud Study — US and Canada E-Commerce & Retail Edition, April 2025).

For a Canadian e-commerce merchant selling a $3,000 product, a single fraudulent chargeback means a total loss of approximately $13,560.

The MATCH List — Five-Year Death Sentence

If a merchant's chargeback rate exceeds thresholds set by Visa and Mastercard, they face escalating penalties. Visa's dispute and fraud monitoring programmes (VDMP/VFMP) impose escalating fines when merchants exceed chargeback thresholds — starting at a 0.65% chargeback ratio. After sustained non-compliance, the merchant may be banned from accepting Visa entirely.

Worse: Mastercard operates the MATCH List (Member Alert to Control High-Risk Merchants) — a blacklist of merchants with revoked processing privileges. Listing lasts five years. Most acquiring banks will refuse to work with a MATCH-listed merchant. The few high-risk processors that will accept them charge 3–5 times normal processing rates. Getting added to the MATCH list can effectively end an online business (Kount; Chargebacks911; Ravelin).

📸 Playcut.ai — personalised AI actor technology

Friendly Fraud — The Crime 43% of Consumers Admit To

This is the section that will make some readers uncomfortable. It should.

"Friendly fraud" — also called first-party fraud or chargeback abuse — occurs when a customer makes a legitimate purchase, receives the product, and then disputes the charge with their bank to get a refund while keeping the item. It is shoplifting with a credit card.

The numbers are not ambiguous:

• 40–80% of all e-commerce fraud losses are attributed to friendly fraud (Forbes; Visa)
• 79% of merchants reported experiencing first-party fraud in 2024, up from 34% in 2023 (Merchant Risk Council, 2024 Chargeback Field Report)
• First-party fraud now represents 36% of all reported fraud in 2024, up from 15% in 2023 — a $132 billion global risk to e-commerce (Chargeflow, 2025)
• 43% of consumers admit to filing at least one bogus chargeback dispute (Socure survey, 2024)
• 84% of customers find chargebacks easier than formal refund processes (Chargebacks911, 2025)
• The average cardholder filed 5.7 chargebacks in 2023, each valued at $76
• Gen Z files 60% of chargebacks due to impulse purchase regret

The primary drivers: buyer's remorse (65.3%), intentional abuse (60.9%), and misunderstandings (38.6%).

The Canadian Federation of Independent Business (CFIB) characterises friendly fraud as "simply another form of shoplifting" (CFIB, 2019 poll of 7,000+ members). The RCMP calls chargeback fraud "one of the fastest growing types of fraud in Canada." Chargebacks can be filed up to two years after a sale, making every transaction effectively reversible for two years.

And the merchant's recourse is limited. The industry average chargeback win rate through representment is only 12%, with a net recovery rate of 18% (Chargebacks911). Merchants who fight chargebacks usually lose.

The Government Response — And the 30% Vacancy Rate

In June 2024, the Auditor General of Canada released a report on cybercrime that found something alarming: the federal government "does not have the capacity and tools to effectively fight cybercrime." The specific finding: 30% of RCMP cybercrime unit positions were vacant as of January 2024. The report identified breakdowns in response, coordination, tracking, and information sharing between responsible organisations. The current reporting system was described as "confusing" and not meeting the needs of individuals (Auditor General, June 2024; CBC).

Police-reported cybercrime has grown more than 20 times in a decade — from 1,785 incidents in 2014 to 41,275 in 2023 (Statistics Canada). The cybercrime rate in 2024 was 225 incidents per 100,000 population — over twice the 2018 rate of 92 per 100,000. Fraud accounted for 56% of cybercrime violations.

Canada's response is arriving — late. In October 2025, Minister of Finance François-Philippe Champagne announced Canada's first-ever National Anti-Fraud Strategy and the creation of a new Financial Crimes Agency to investigate money laundering, online fraud, and financial scams. Legislation is expected by spring 2026. Public consultations opened in March 2026 — the same month the government acknowledged that reported losses since 2022 exceeded $2.4 billion (Canada.ca, March 2026).

In November 2025, the RCMP launched a new National Cybercrime and Fraud Reporting System at reportcyberandfraud.canada.ca — replacing the patchwork of confusing reporting channels that the Auditor General criticised.

These are steps in the right direction. They are also years late. CISC estimates $45–113 billion is laundered through Canada annually — much of it derived from fraud proceeds. By the time Canada's first anti-fraud strategy is implemented, the CAFC will have recorded over $3 billion in cumulative reported losses since 2022 — representing a true cost that may exceed $30 billion. The laundering estimate dwarfs even that.

What Identity Verification Actually Does

Given the data above, some Canadian merchants — including us — have implemented identity verification on orders. Here is what that means, how it works, and whether it is legal.

The Mechanics: Stripe Identity

Stripe Identity is a verification service that checks whether a customer is who they claim to be. It offers five check types (Stripe Documentation, 2025):

1. Document verification — AI models analyse a government-issued ID (passport, driver's licence, national ID). Checks against a database of known fraudulent document templates. Decodes barcodes and validates consistency between text and encoded data.
2. Selfie/biometric — Compares facial geometry from the government-issued photo against a live selfie. Machine learning detects presentation attacks (photos of photos, digital layering).
3. ID number — Validates name, DOB, and national ID against credit agencies and government records.
4. Phone — SMS-based ownership confirmation.
5. Address — Verifies name, DOB, and residence against databases in 29 countries including Canada.

Document and selfie verification covers 127 countries and territories including Canada. The cost is $1.50 USD per verification check.

In terms of effectiveness: Stripe's fraud detection system (Stripe Radar) blocked $917 million in fraudulent transactions on Black Friday–Cyber Monday 2024 alone — 20.9 million individual fraudulent attempts. Dispute rates decreased 17% for Stripe Radar users even as global e-commerce fraud rose 15%. Overall, the system reduces fraud by an average of 38% with a false positive rate of just 0.1% (Stripe, Chargebacks911).

The Privacy Law: PIPEDA

Is it legal for a Canadian merchant to ask for government ID before processing an online order?

Yes — with conditions.

The Office of the Privacy Commissioner of Canada provides explicit guidance. The OPC states that "the stringency of authentication processes should be commensurate with the risks to the organisation as well as to the individual." For high-value, high-risk transactions, multi-factor or multi-layer authentication is appropriate — and in some cases required (OPC Guidelines for Identification and Authentication, 2013).

The proportionality test — derived from the Supreme Court's Oakes decision — requires four conditions (OPC; DLA Piper, 2025):

1. Legitimate need — tied to a bona fide business interest (fraud prevention), not speculation.
2. Effectiveness — the method has proven reliability with low error rates.
3. Minimal intrusiveness — less invasive alternatives must be considered first.
4. Proportionality — privacy impacts must align with benefits.

For a $2,000–$5,000 online purchase — where the merchant ships a physical product that cannot be recovered once delivered, in an environment where the buyer's identity data may have already been compromised in one of several massive breaches — the OPC's own framework supports enhanced verification.

The merchant must: inform the customer before or at the point of collection about why the information is being gathered, secure meaningful consent, collect only the data necessary for the specific transaction, and not use the data beyond its stated purpose.

What TransUnion Found

In TransUnion's 2025 survey of Canadian businesses, identity verification was ranked as the #1 most effective fraud mitigation tactic by 53% of respondents. Digital fraud attempts in Canada spiked 189% from pre-pandemic levels (TransUnion).

Separately, TransUnion's consumer survey found that 46% of Canadian consumers prioritise data security over cost or product quality when choosing where to shop online, and 91% say confidence in data protection is important to their buying decisions. Seventy percent said they would not return to a compromised website.

The Counterarguments — What This Investigation Found That Complicates the Story

An investigation that only presents data supporting its thesis is not an investigation. It is marketing. Here is what we found that complicates the narrative.

1. The Digital Fraud Rate Is Actually Declining

TransUnion data shows the suspected digital fraud rate in Canada declined from 5.4% of transactions in H1 2024 to 4.2% in H1 2025. Retail fraud attempt rates specifically declined 72% year-over-year (from 4.6% to 1.1%). This could be cited as evidence that fraud prevention tools are working and the problem is improving. However, this measures the fraud rate per transaction — total fraud dollars and total volume continue to increase because e-commerce transaction volume is growing faster than the fraud rate is declining.

2. Canada Has Relatively Fewer Stolen Cards on the Dark Web

NordVPN's 2025 research tracked only 442 Canadian card details on monitored dark web markets — significantly fewer than the US, UK, and other major markets. This potentially suggests Canadian cybersecurity is relatively stronger, or that Canadian cards are traded through different channels not captured in this specific research.

3. Verification Adds Friction — And Some Customers Leave

TransUnion's own data shows that 39% of Canadian consumers abandon shopping carts due to fraud or security concerns. Separately, industry data suggests 16% cite excessive security steps as a reason to abandon carts. Identity verification adds a step. Some legitimate customers will leave rather than complete it. This is a real cost — not just in lost sales, but in lost customer relationships.

4. The $1.50 Per Check Adds Up

Stripe Identity charges $1.50 per verification — including on rejected applications. A merchant processing 100 verifications per month pays $150/month regardless of outcome. As SEON (a third-party identity verification analyst) notes: "you lose money on every sign up that doesn't go through." This is a non-trivial cost for small businesses.

5. The Proportionality Argument Cuts Both Ways

Some privacy advocates argue that a $2,000–$3,000 purchase does not meet the threshold for requiring government ID plus a live selfie — that less invasive alternatives (address verification, 3D Secure, card network fraud tools) should be exhausted first. The OPC's proportionality test is a judgment call, not a formula. Reasonable people can disagree about where the line falls.

6. Even When Merchants Fight Chargebacks, They Usually Lose

The industry average chargeback win rate through representment is only 12%. The net recovery rate is 18%. This actually supports the case for prevention over cure — but it also means the system is structurally tilted against merchants regardless of whether they verify identity or not.

Who Profits When Fraud Wins

Every investigation must ask who benefits. The criminals are obvious. What is not obvious — and what no Canadian news outlet has calculated — is that legitimate, publicly traded companies structurally profit when fraud increases. Not through negligence. Through business models that generate revenue from chargebacks, disputes, and breach remediation. This section names them and shows the math.

Visa, Mastercard, and the Issuing Banks — Interchange That Never Comes Back

Every time a Canadian taps a credit card, the merchant pays a fee — typically 1.4–2.4% of the sale price (Visa Canada interchange schedule). That fee is split three ways: the majority goes to the issuing bank (the cardholder's bank — TD, RBC, BMO, etc.) as interchange, a smaller network assessment fee goes to Visa or Mastercard, and the remainder goes to the payment processor. On over $700 billion in annual Canadian card spending (Payments Canada), the total merchant fees flowing to banks and networks run into the billions.

When a chargeback is filed, the merchant loses the sale. But the interchange, network, and processing fees have already been collected. They are not returned. The issuing bank, Visa/Mastercard, and the processor have all been paid for a transaction that no longer exists. Only the merchant gives money back.

Then the penalty fees begin:

• Visa's Dispute Monitoring Program (VDMP) and Fraud Monitoring Program (VFMP) impose escalating monthly fines on merchants who exceed chargeback thresholds. After sustained non-compliance, the merchant can be banned from accepting Visa entirely.
• Mastercard operates the MATCH list — a blacklist that bans merchants for five years. Most acquiring banks refuse to work with a MATCH-listed merchant. The few high-risk processors that accept them charge 3–5 times normal rates.
• Neither network maintains an equivalent list for consumers who file fraudulent chargebacks. A consumer can file 5.7 bogus disputes per year (Chargebacks911, 2023 average) and face zero consequences from the networks. The merchant who receives those disputes faces monitoring, fines, and potential termination.

The asymmetry: the networks and banks punish the victim (the merchant) and do not punish the perpetrator (the consumer filing a false dispute). The issuing banks keep interchange whether the transaction is legitimate or fraudulent. Visa and Mastercard keep their network fees. They both earn penalty fees when the fraud volume rises. Higher fraud = higher revenue for every intermediary except the merchant.

To their credit: Visa prevented $350 million+ in attempted fraud globally in 2024 through its scam disruption practice. Mastercard's First-Party Trust initiative (expanding to Canada in 2025) targets friendly fraud specifically. The networks are not ignoring the problem — but the incentive structure has not changed.

Shopify — $102.30 Per Fraudulent Chargeback. Multiply by $270 Billion.

Shopify processed $270+ billion USD in gross merchandise volume in 2024 (Shopify annual earnings). Here is the chargeback math for a Canadian merchant on the Basic plan:

Shopify earns $102.30 on a fraudulent chargeback — the same amount it earns on a legitimate sale. The merchant loses $3,102.30+. Even at a conservative 0.1% chargeback rate across $270 billion GMV, that represents $270 million in disputed transactions where Shopify retains its fees regardless of who wins or loses.

Two CBC investigations illustrate the pattern:

• Laura MacNutt, KingsPIER Vintage, Halifax: Customers picked up luxury vintage clothing in person, then filed chargebacks. Shopify charged MacNutt $15 per dispute. Kept its processing fees. Did not flag the transactions as suspicious (CBC News Nova Scotia, February 2025).
• Wigloo, BC dome company: Lost $18,113.90 to a chargeback. Shopify admitted its documents were "not forwarded to the issuing bank due to an isolated technical issue." Wigloo was made whole only after CBC's Go Public investigation forced Shopify to credit the full amount (CBC Go Public, May 2022).

To their credit: Shopify offers Shopify Protect — free chargeback coverage on eligible Shop Pay orders. Its fraud tools have improved since 2022. But Shopify Protect does not cover all orders, all payment methods, or all merchants. For the rest, the math above applies.

Equifax and TransUnion — Selling the Cure for the Disease They Store

Follow the money through a single data breach:

1. Equifax and TransUnion store Canadians' financial identity data — credit history, SINs, addresses, account information
2. A breach occurs — Desjardins (9.7 million), Capital One (6 million), LifeLabs (15 million). The data that was stored is now stolen.
3. The breached company needs to offer victims a remedy. The remedy is credit monitoring.
4. Who sells credit monitoring? Equifax and TransUnion — the same organisations that stored the data that was breached.
5. The breached company pays the credit bureau for monitoring subscriptions. Victims enroll. The credit bureau's subscriber count increases.
6. When the free monitoring period ends, victims are offered paid upgrades — Equifax's "Complete" plans run $19.95–$34.95/month in Canada.

The cycle: data stored → data breached → monitoring sold → subscription revenue rises. At every stage, the credit bureau earns. The breach creates the demand for the product the bureau sells.

TransUnion's 2025 Canadian fraud study — the one that found $111 billion in business fraud losses — links directly to TransUnion's commercial fraud prevention solutions page. The research is valuable (this article cites it extensively). It is also marketing.

To their credit: The bureaus provide genuinely useful fraud detection services. TransUnion's free "TrueIdentity" offers basic monitoring at no cost. And Equifax was itself breached in 2017 (147 million records, US) — they are not immune to the problem. But the business model — monetise the aftermath of breaches you did not prevent — is a structural conflict of interest that deserves scrutiny.

Canada's Big Five Banks — The 12% Win Rate

When a consumer disputes a charge, the bank has a structural incentive to side with the consumer. The consumer is the bank's customer — deposits, mortgage, credit card fees, investment accounts. The merchant is not the bank's customer. If the bank denies the dispute and the consumer is unhappy, the consumer may leave — taking all those revenue streams. If the bank approves the dispute, the merchant absorbs the loss and the consumer stays.

The data confirms this asymmetry is not theoretical:

A merchant who fights a chargeback loses 88% of the time. The bank collects a fee either way. The CFIB — Canadian Federation of Independent Business — calls the current system one where merchants are "guilty until proven innocent" and characterises friendly fraud as "simply another form of shoplifting" (CFIB, 2019).

To their credit: Banks are required by card network rules to process chargebacks. Consumer protection is the intent. Banks do reject some disputes when merchants provide compelling evidence. But a 12% win rate is not a system that evaluates evidence. It is a system that has a default answer.

Why Canada Has Not Fixed This — And Who Has

The United Kingdom launched a voluntary Contingent Reimbursement Model (CRM) Code in May 2019 — asking banks to share liability for authorised push payment fraud. In October 2024, the Payment Systems Regulator (PSR) made reimbursement mandatory for all payment service providers within the Faster Payments system. If the bank failed to warn the customer or detect the scam, the bank absorbs part of the loss. The result: UK banks invested heavily in real-time fraud detection because the cost of NOT detecting fraud now falls on them, not exclusively on the merchant.

Australia's ePayments Code requires financial institutions to bear the loss for unauthorised transactions unless the consumer contributed to the loss through fraud or negligence. The burden of proof is on the bank, not the customer — and not the merchant.

Canada has neither. The chargeback system in Canada operates under card network rules — set by Visa and Mastercard, headquartered in the United States — with no Canadian-specific regulatory override. Canada's first National Anti-Fraud Strategy was not announced until late 2025 (Government of Canada). Public consultations opened in March 2026. Legislation to create a new Financial Crimes Agency is expected — but as of this publication, no bill has been tabled.

The UK began in 2019 and made it mandatory in October 2024. Australia codified liability rules through the ePayments Code. Canada, in 2026, is still consulting.

The Ledger

In every fraudulent transaction in Canada, the money flows like this:

Every intermediary earns. The two endpoints — the merchant who ships and the consumer whose identity was stolen — absorb 100% of the loss.

Why We Verify Every Order

We are a small Canadian retailer. We ship physical products that cost $1,500 to $5,500. Once a product leaves our warehouse, we cannot get it back. If a fraudulent order goes through, we lose the product, the revenue, the shipping cost, the processing fees, and the chargeback fee. At $4.52 per dollar of fraud (LexisNexis, 2025), a single $3,000 fraudulent order costs us over $13,500.

We are not a bank. We do not have a fraud department. We do not have a legal team. We are a small team that sells products we believe in, supports every customer personally, and cannot absorb five-figure losses without it threatening our ability to operate.

The data in this article is why we use Stripe Identity to verify orders. It is not about distrust. It is about the mathematical reality that:

• The identity data of virtually every adult Canadian has been compromised in at least one major breach
• A complete Canadian identity costs $30–$80 on the dark web
• Friendly fraud accounts for 40–80% of e-commerce fraud losses
• 30% of RCMP cybercrime positions are vacant
• Canada did not begin drafting a national anti-fraud strategy until 2026
• The MATCH list can end a small business for five years
• CISC estimates $45–113 billion is laundered through Canada annually — much of it from fraud proceeds
• Organised crime — from the Italian Mafia to the Hells Angels to Chinese trafficking networks — uses online fraud as a revenue stream

We verify because the alternative is hoping that the next order is not the one that puts us on a monitoring programme. We verify because the government has told us, through the Auditor General, that it does not have the capacity to protect us. We verify because the OPC's own guidelines say that high-value transactions warrant enhanced authentication.

And we verify because when we ask a customer for ID, we are not questioning their honesty. We are protecting them — confirming that nobody else is using their identity to place an order they never authorised.

Every customer who completes verification is a customer we can serve with confidence. That is what trust looks like in 2026.

Frequently Asked Questions

📸 All photography by Playcut.ai — personalised AI actor technology