Canadian University Hit For $12m Phishing Scam

Uploaded on 2017-09-19 in TECHNOLOGY--Hackers, GOVERNMENT-Law Enforcement, FREE TO VIEW

MacEwan University said its IT systems are secure after the institution was defrauded of nearly $12 million in a phishing scam compounded by human error.

The university learned it was the victim of an attack last Wednesday, Aug. 23 after a series of fraudulent emails “convinced university staff to change electronic banking information for one of the university’s major vendors.”

The fraud led university staff members to transfer $11.8 million to a bank account they believed belonged to the vendor, the university said.

MacEwan University spokesperson David Beharry said three relatively low-level staff members were involved in the transfer. He said there was no process in place which required staff members to phone the vendor to confirm the request to change banking information, but that will change.

“We are looking at the levels of staffing it must go through for authorisation before somebody changes that,” he said. “There is going to be a secondary and tertiary level of approval before this goes on.

Beharry said three separate payments, ranging from $22,000 to $9.9 million, were made to the vendor between Aug. 10 and Aug. 19. He said he has not been given permission to release the vendor’s name, but said the company is local.

“What we were able to find out is, there were approximately 14 construction firms in the Edmonton area that were targeted,” Beharry said.

“The fraudsters produced these fake domains about these 14 organizations. The organisations would not have any knowledge that somebody is phishing.”

Beharry said all personal and financial information, and all transactions made with the university, are secure.

More than $11.4 million of the money has been traced to accounts in Canada and Hong Kong. The university said the funds have been frozen while it works with lawyers in an attempt to recover the money.

Beharry said the university is confident it will get the money back.

The rest of the money is still missing. Beharry admitted this “shouldn’t have happened in the first place.”

“I think twice about this, too, and I go, ‘How?'” And that’s why we need to fully investigate, because we need to get to the bottom of this to make sure it doesn’t happen again,” he said.

“I think it’s safe to say that there was a lot of disappointment and frustration. Because this came down to human error.”

The president of Kick Point, an Edmonton digital marketing and web design agency, said she was “flabbergasted” when she heard about what happened at MacEwan.

“I’m really shocked that an institution this large could be taken by a scam like this and in such a large amount,” Dana DiTomaso said.

She said there’s a perception that phishing scams mainly target personal information, like credit card and password information, but they also affect businesses.

“I think it’s more common than people let on because it doesn’t necessarily get the same kind of attention,” she said. “If a business loses a bunch of money, they’re either a private business and they don’t want to talk about it because it’s embarrassing, or they’re a public business and they have to talk about it but they don’t really want to.

“You don’t hear about the volume of issues that come up on a day-to-day basis.”

The most important advice she can give to anyone in a situation like this is to think twice.

“Think twice before you transfer a bunch of money to somebody else. If it seems iffy, if someone is asking you to do something different than what you would normally do, which is the case here or what seems to be the case here, then check in with somebody else, check in with a bunch of people.”

After the fraud was discovered, MacEwan conducted an audit of university business processes. Officials said “controls were put in place” to prevent similar incidents from happening.

Beharry said the university provides information to its staff, students and faculty about these types of scams and other cyber-security related issues. He said it’s important that the university reinforce its messaging.

External experts have been brought in to help the university in its investigation. The university said preliminary investigations reveal that controls in place around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed.

MacEwan University said final results of the review are expected within a few weeks.

The minister of advanced education and the officer of the auditor general have been made aware of the situation.

Advanced Education Minister Marlin Schmidt said he’s “very disappointed” the university fell victim to the crime, adding he’s instructed all university board chairs to review their financial controls.

“This is unacceptable and I’ve asked the board chair to report back to me by Sept. 15 with details on how this occurred,” Schmidt said in a statement.

“While I’m told that MacEwan has put improved internal financial controls to help prevent it from happening again, I expect post-secondary institutions to do better to protect public dollars against fraud.”

Beharry said it’s too early to say whether the staff members will be disciplined.

Global News:

You Might Also Read: 

The Insider Threat:

Employees That Cause Data Breaches:

 

« WikiLeaks: The Biter Bit
Wearable Sensor Tech For Beat Police Officers »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MetaCompliance

MetaCompliance

MetaCompliance is a cyber security and compliance organisation that helps transform your company culture and safeguard your data and values.

Cyber Security Recruiters

Cyber Security Recruiters

Cyber Security Recruiters is a niche recruiting firm who finds impact players for our clients in the Information Security Space.

Skkynet Cloud Systems

Skkynet Cloud Systems

Skkynet is a leader in real-time data systems for the secure management and control of industrial processes (SCADA) and embedded devices (M2M).

CyberOne

CyberOne

CyberOne (formerly Comtact) offer a full stack cybersecurity service to ensure our customers understand the cyber maturity of their organisation.

Enosys Solutions

Enosys Solutions

Enosys Solutions is an IT security specialist with a skilled professional services team and 24x7 security operations centre servicing corporate and public sector organisations across Australia.

SmartCyber

SmartCyber

SmartCyber is a company specializing in custom IT projects and Cybersecurity.

Cambridge Cybercrime Centre

Cambridge Cybercrime Centre

The Cambridge Cybercrime Centre is a multi-disciplinary initiative combining expertise from the Department of Computer Science and Technology, Institute of Criminology and Faculty of Law.

Knowledge Transfer Network (KTN)

Knowledge Transfer Network (KTN)

KTN links new ideas and opportunities with expertise, markets and finance through our network of businesses, universities, funders and investors.

Soffid

Soffid

Soffid provides full Single-Sign-On experience and full Identity and Access Management features by policy-based centralised orchestration of user identities.

Deduce

Deduce

Deduce use a combination of aggregate historical user data, identity risk intelligence, and proactive alerting to deliver a robust identity and authentication solution.

IntelliGenesis

IntelliGenesis

IntelliGenesis provide comprehensive cyber, data science, analysis, and software development services that provide tailored, secure solutions for your critical data and intelligence needs.

Womble Bond Dickinson

Womble Bond Dickinson

Womble Bond Dickinson is a transatlantic law firm, providing high-quality legal experience and outstanding personal service from key locations across the United Kingdom and United States.

PROVINTELL Cyber Security

PROVINTELL Cyber Security

PROVINTELL is a Managed Security Service Provider (MSSP) specialising in Next-Gen Cyber Defense and Response to detect and respond to threats.

Fletch

Fletch

Fletch’s AI tracks the evolving cybersecurity threat landscape by reading and interpreting every threat article every day and matching those threats to a company’s exposure.

AgilePQ

AgilePQ

AgilePQ visibly secures IoT devices worldwide to protect the privacy, safety, and well-being of all people.

Genix Cyber

Genix Cyber

Genix Cyber provides world-class cybersecurity services that protect systems, cloud applications, infrastructure, critical data, and networks from evolving cyber threats.