Phishing attack lures $12M from Alberta university's pockets
Published Thursday, August 31, 2017 3:53PM EDT
Last Updated Thursday, October 5, 2017 1:39PM EDT
An Alberta university is out $11.8 million thanks to an email scam hatched by online fraudsters.
- Scroll down or click here to vote in our poll of the day
Edmonton-based MacEwan University said officials were duped into transferring the funds into an account they believed to belong to a major vendor. A series of fraudulent emails convinced staff to change electronic banking information used to make payments.
University officials discovered the attack on Aug. 23.
The money was transferred in three payments beginning on Aug. 10, the largest of which was $9.9 million on Aug. 19.
“We found out about the fraudulent transactions when the vendor contacted us to enquire about why they have not received their payments,” MacEwan spokesperson David Beharry told reporters on Thursday.
He declined to identify the vendor without the company’s permission, saying only that 14 Edmonton-area construction firms were targeted by cyber criminals.
“The fraudsters produced these fake domains about these 14 organizations. These organizations would not have any knowledge that somebody is phishing (other) organizations, trying to get their bank information changed,” Beharry said.
The bulk of the funds, $11.4 million, were traced to bank accounts in Canada and Hong Kong. Beharry said that money has been frozen, but the status of funds is not known at this time.
He added that “$6,347,000 was traced to a TD Bank account in Montreal that has been seized by a bailiff. Investigations revealed that the balance of the funds was wire transferred from TD Bank in Canada to two accounts in Hong Kong.”
Beharry said a number of opportunities to identify the fraud were missed. A preliminary investigation also determined the process of changing vendor’s banking information was inadequate to guard against so-called phishing scams.
Phishing is a well-known tactic used to obtain sensitive digital information. Fraudsters typically send the victim a message that appears to be from a trustworthy party. The message, if successful, convinces the victim to hand over information or take action -- in this case, redirecting online payments.
MacEwan staff are working with law-enforcement agencies in Montreal and Hong Kong, as well as Edmonton police to track down the cyber criminals. The university said its legal counsel in Montreal, London, and Hong Kong is pursing civil action to recover the money.
Alberta’s minister of advanced education and the province’s auditor general have been briefed on the situation, according to a media release from MacEwan.
Beharry said the university’s IT systems were not compromised during the incident.
A full audit is said to be underway. The university expects the results in the coming weeks.
“Personal and financial information, and all transactions made with the university are secure. We also want to emphasize that we are working to ensure that this incident will not impact our academic or business operations in any way,” Beharry said.
Three MacEwan staff members were involved in the transfers and the communications led to them.
No phone calls were placed to the company to confirm the bank account changes before they were made, according to Beharry.
“The university does not believe there has been any sort of collusion. We really believe this is simply a case of human error, but there is an ongoing investigation,” he said.
The scam comes at a particular inopportune time, with classes set to resume in the coming days.
“There is never a good time for something like this to happen,” Beharry said. “As our students come back to the start of the new academic year, we want to assure them and the community that our IT systems were not compromised.”
Beharry said he is confident the frozen $11.4 million will be returned, and promised that students will not be financially impacted by the attack.
“We can’t hold students responsible for our errors,” he said.