Canadian University Hit For $12m Phishing Scam

Uploaded on 2017-09-19 in TECHNOLOGY--Hackers, GOVERNMENT-Law Enforcement, FREE TO VIEW

MacEwan University said its IT systems are secure after the institution was defrauded of nearly $12 million in a phishing scam compounded by human error.

The university learned it was the victim of an attack last Wednesday, Aug. 23 after a series of fraudulent emails “convinced university staff to change electronic banking information for one of the university’s major vendors.”

The fraud led university staff members to transfer $11.8 million to a bank account they believed belonged to the vendor, the university said.

MacEwan University spokesperson David Beharry said three relatively low-level staff members were involved in the transfer. He said there was no process in place which required staff members to phone the vendor to confirm the request to change banking information, but that will change.

“We are looking at the levels of staffing it must go through for authorisation before somebody changes that,” he said. “There is going to be a secondary and tertiary level of approval before this goes on.

Beharry said three separate payments, ranging from $22,000 to $9.9 million, were made to the vendor between Aug. 10 and Aug. 19. He said he has not been given permission to release the vendor’s name, but said the company is local.

“What we were able to find out is, there were approximately 14 construction firms in the Edmonton area that were targeted,” Beharry said.

“The fraudsters produced these fake domains about these 14 organizations. The organisations would not have any knowledge that somebody is phishing.”

Beharry said all personal and financial information, and all transactions made with the university, are secure.

More than $11.4 million of the money has been traced to accounts in Canada and Hong Kong. The university said the funds have been frozen while it works with lawyers in an attempt to recover the money.

Beharry said the university is confident it will get the money back.

The rest of the money is still missing. Beharry admitted this “shouldn’t have happened in the first place.”

“I think twice about this, too, and I go, ‘How?'” And that’s why we need to fully investigate, because we need to get to the bottom of this to make sure it doesn’t happen again,” he said.

“I think it’s safe to say that there was a lot of disappointment and frustration. Because this came down to human error.”

The president of Kick Point, an Edmonton digital marketing and web design agency, said she was “flabbergasted” when she heard about what happened at MacEwan.

“I’m really shocked that an institution this large could be taken by a scam like this and in such a large amount,” Dana DiTomaso said.

She said there’s a perception that phishing scams mainly target personal information, like credit card and password information, but they also affect businesses.

“I think it’s more common than people let on because it doesn’t necessarily get the same kind of attention,” she said. “If a business loses a bunch of money, they’re either a private business and they don’t want to talk about it because it’s embarrassing, or they’re a public business and they have to talk about it but they don’t really want to.

“You don’t hear about the volume of issues that come up on a day-to-day basis.”

The most important advice she can give to anyone in a situation like this is to think twice.

“Think twice before you transfer a bunch of money to somebody else. If it seems iffy, if someone is asking you to do something different than what you would normally do, which is the case here or what seems to be the case here, then check in with somebody else, check in with a bunch of people.”

After the fraud was discovered, MacEwan conducted an audit of university business processes. Officials said “controls were put in place” to prevent similar incidents from happening.

Beharry said the university provides information to its staff, students and faculty about these types of scams and other cyber-security related issues. He said it’s important that the university reinforce its messaging.

External experts have been brought in to help the university in its investigation. The university said preliminary investigations reveal that controls in place around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed.

MacEwan University said final results of the review are expected within a few weeks.

The minister of advanced education and the officer of the auditor general have been made aware of the situation.

Advanced Education Minister Marlin Schmidt said he’s “very disappointed” the university fell victim to the crime, adding he’s instructed all university board chairs to review their financial controls.

“This is unacceptable and I’ve asked the board chair to report back to me by Sept. 15 with details on how this occurred,” Schmidt said in a statement.

“While I’m told that MacEwan has put improved internal financial controls to help prevent it from happening again, I expect post-secondary institutions to do better to protect public dollars against fraud.”

Beharry said it’s too early to say whether the staff members will be disciplined.

Global News:

You Might Also Read: 

The Insider Threat:

Employees That Cause Data Breaches:

 

« WikiLeaks: The Biter Bit
Wearable Sensor Tech For Beat Police Officers »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Qualys

Qualys

Qualys is a pioneer and leading provider of cloud security and compliance solutions.

Sopra Steria

Sopra Steria

Sopra Steria is a leading European information technology consultancy.

Identify Security Software

Identify Security Software

Our mission is to bring in a new age of autonomous human authentication in the security and identity space.

Blue Hexagon

Blue Hexagon

Blue Hexagon is a deep learning innovator focused on protecting organizations from cyberthreats.

ITsMine

ITsMine

ITsMine’s Beyond DLP™? solution is a leading Data Loss Prevention (DLP) solution used by organizations to protect against internal and external threats automatically.

Information & Communications Technology Association of Jordan (int@j)

Information & Communications Technology Association of Jordan (int@j)

The Information & Communications Technology Association of Jordan is a membership based ICT and IT Enabled Services (ITES) industry advocacy, support and networking association.

Finnish Security & Intelligence Service (SUPO)

Finnish Security & Intelligence Service (SUPO)

The Finnish Security and Intelligence Service is a government agency tasked with combating serious threats to national security in Finland.

Stone Forest IT (SFIT)

Stone Forest IT (SFIT)

Stone Forest IT specialises in providing advisory, implementation and managed services for IT infrastructure, IT security solutions, business applications (ERP and CRM) and business analytical tools.

e5 Lab

e5 Lab

e5 Lab seeks to develop solutions to challenges faced by the shipping industry including digital transformation, autonomous technologies and big data in order to promote safe and efficient operations.

Cufflink

Cufflink

Cufflink makes your business more secure, compliant and trusted. We limit the likelihood and impact of a data breach by controlling exactly what can and can't be done with personal data.

Artifice Security

Artifice Security

Artifice Security will demonstrate real-world attacks on your network, web applications, infrastructure, and personnel to expose your hidden security risks.

FPG Technologies & Solutions

FPG Technologies & Solutions

FPG Technology is a technology solutions provider and systems integrator, specializing in delivering IT Consulting, IT Security, Cloud, Mobility, Infrastructure solutions and services.

Mosyle

Mosyle

Businesses and educational institutions rely on Mosyle to manage and secure their Apple devices and networks.

Krista Software

Krista Software

Krista is an intelligent automation platform that combines iPaaS and Conversational AI to automate complete business processes across your teams and apps.

Black Girls In Cyber (BGiC)

Black Girls In Cyber (BGiC)

Black Girls In Cyber's mission is to increase industry awareness and diversity in cybersecurity, privacy, and STEM for women of color.

Appknox

Appknox

Appknox is the world’s most powerful plug-and-play security platform that helps developers, security researchers, and enterprises to build a safe and secure mobile ecosystem.