GTA business owner says scammers hijacked his company and tried to out on his mortgage-free property
A GTA businessman is warning of a devastating loophole in Ontario’s corporate registry system after discovering fraudsters had taken over his holding company and tried to mortgage its $12 million property without his knowledge.
Hitender Sharma was en route from Toronto to Windsor last month when he received a call from a private investigator who informed him that his company had been hijacked by a group looking to exploit the mortgage-free commercial land it owns in Mississauga.
“It was shocking,” Sharma told CBC Toronto. “We have all the investment here, [the property] is worth more than maybe $12 million and this will disappear.”
After the call, Sharma reviewed his company’s records and found that someone had changed the director and business address back in November without his authorization.
Fraud pattern
According to Brian King, the private investigator who first alerted Sharma, the Mississauga property was one of at least five commercial lots in the Greater Toronto Area that the group had targeted. All were tied to companies that were covertly taken over late last year. King said the scheme involved using the hijacked business identities to either pitch the properties for sale or secure financing against them.
In one case, the group successfully sold a Caledon property to a lender for nearly $5 million, King said. The rightful owner had no knowledge of the transaction. For Sharma’s Mississauga property, they sought a $5-million mortgage but didn’t obtain it.
“I suspect there are many more,” said King, who is the president and CEO of King International Advisory Group, a firm that specializes in white-collar crime. “We’re poring through certain records that we now have access to, and I do suspect we’re going to find more [properties].”
Though Sharma’s title records show the property has not been sold or mortgaged, he is still working to regain control of his holding company.
This type of fraud, while similar in goal to those that target residential homeowners – namely, to cash in on property equity – raises broader concerns about corporate security and the integrity of Ontario’s digital business registry system.
“With security features in place, someone shouldn’t be able to go in and change someone’s corporate records,” said King. “In my mind, it’s a bit of a flaw in our government system right now that needs to be fixed.”
Vulnerable registry system
The Ontario Business Registry went digital in 2021, allowing companies to file changes online at any time. As part of the upgrade, the province introduced a new security feature known as a “company key,” a unique code used like a PIN to authorize changes to a business’s public record.
While all newly incorporated businesses receive a company key automatically, older companies – like Sharma’s, which was incorporated in 2014 – must request one manually. Sharma didn’t obtain his company key until April 2024, when his accountant requested it through the Ministry of Public and Business Service Delivery and Procurement to update his office address.
What remains unclear is how the fraudsters were able to obtain the company key earlier, allowing them to make unauthorized changes months before Sharma's accountant ever accessed it.
Verification loophole
When asked about the verification process for issuing a company key, ministry spokesperson Jeffrey Stinson said keys are typically sent to the company’s registered address or email.
If those records are outdated, applicants must “demonstrate their connection to the business using a combination of information on the public record and information from other internal and external sources.”
“For security purposes, the ministry cannot provide details of the additional information it requests from applicants,” Stinson said. “These requests are reviewed by the ministry for accuracy before a company key is issued.”
However, a government guide published in November outlines a loophole: if someone claims a legal affiliation to the company, they can have the key sent to a new email address by providing information about the last filing made on behalf of the business, information that’s publicly available.
“I’ve talked to a number of lawyers and various law firms, and people involved in the real estate and the corporate field, and many of them told me that it is so easy to get a corporate PIN,” said King. “To them, it’s almost laughable.”
Sharma has since reported the fraud to Peel Regional Police and contacted the ministry to find out how the changes were allowed and how to regain control of his business.
In a letter to Sharma last week, the ministry confirmed the November changes were filed by Dye & Durham, a private-sector service provider. The letter directed Sharma to contact the firm directly.
“We note that the Ministry has no legislative authority to change any information filed by corporations,” the letter read. “It is the responsibility of the corporation to ensure that the information filed with the Minister is accurate, and to correct any inaccurate information on the public record by filing a Notice of Change.”
When Sharma contacted Dye & Durham, he said the company told him the ministry was responsible for verification. He was told that their platform simply allows any user with the company key to make corporate filings.
“We are open to any kind of fraud and there’s no recourse,” Sharma said. “Someone needs to be the gatekeeper, and ultimately that has to be the ministry.”
Read next: B.C. regulator expands crackdown on mortgage fraud
CBC reached out to Dye & Durham for comment, but the company declined. The ministry’s letter advised Sharma that he can use his key to update the public record and request a new company key for added security. But Sharma said he’s unsure if he’s even able to do that now and has instructed his lawyer to send a letter to Dye & Durham demanding they undo the unauthorized changes.
While mortgage fraud overall declined from 0.46% in Q4 2023 to 0.19% in Q4 2024, according to Equifax Canada’s latest report, falsified financial documents still account for more than 90% of mortgage fraud cases.
Mike Gropp, a senior cybersecurity adviser at Toronto Metropolitan University’s Rogers Cybersecure Catalyst, said the Sharma case “looks like a classic case of a group exploiting weak verification.”
“It’s kind of like locking your door and putting the key under the mat,” Gropp said.
He noted that while mailing out company keys is a strong starting point, the problem lies in how the province verifies requests outside of that system.
“Security questions can often be the weakest link,” Gropp added. “We’re constantly balancing between security and usability, and those are always at odds. The more secure something is, typically the less usable it is, the less user-friendly.”
Gropp recommended several improvements: eliminate security questions, introduce multi-factor authentication, send real-time change alerts, and impose a waiting period for sensitive changes like directorship updates. He also urged the government to be held to the same cybersecurity standards as banks and hospitals, given the sensitive data it manages.
As Sharma continues trying to reclaim control of his company, he’s concerned about what this could mean for other business owners in Ontario.
“Unless they make some changes, this will be devastating for many other families or business owners,” he said.
Make sure to get all the latest news to your inbox on Canada’s mortgage and housing markets by signing up for our free daily newsletter here.
