Fake emails caused the MacEwan University in Alberta to lose nearly $12M. The fake emails were disguised as a legitimate email and asked the university workers to change the electronic banking information details for one of the school’s major vendors.
A Series of Fake Emails
A phishing attack defrauded an Alberta university of $11.8 million when the university staff unknowingly paid millions of dollars online to a company they thought was one of their vendors.
MacEwan University spokesperson David Beharry said that what happened was an administrative error and that they didn’t have safeguards in place that could have prevented it from happening. As a result, Beharry shares that the university will now be implementing a secondary and tertiary level of approval.
Lack of Certain Precautions Led to Fraud
When asked why certain safeguards were not part of their protocol before the fraud took place, the spokesperson said that they are seriously looking into the matter now.
The scam was pulled off successfully when perpetrators made a website that looked closely like the domain site of one of the vendors used by the university. The fraudsters used the fake website to impersonate the vendors and to ask the university to pay their accounts payable to a new bank account which is under the control of the fraudsters. Over a period of 9 days, 3 MacEwan University staffers made 3 separate payments totaling $11.8 million. The 3 payments were $1.9 million, followed by $22,000, and lastly, $9.9 million. No one realized the university was making payments to a fake account until the real vendor called days later asking to be paid.
Investigations Point to the Truth
The 3 university employees who made the payments were not high-level staffers, shared Beharry. He did not disclose if the staff members were reprimanded or suspended but said that police investigations and internal investigations are on-going. He did add that the university does not think that there was some collusion and said that they believe what happened was a case of human error.
Beharry declined to identify the vendor faked by the fraudsters. He instead shared that some construction firms were also impersonated in similar attacks online.
Most of the money was traced to a Montreal bank account and 2 other accounts based in Hong Kong. Actions are currently being taken to freeze the Hong Kong bank accounts while $6.3 million was seized from the account based in Montreal. Beharry adds that they are confident that the money will be recovered although it would take some time.
Major Security Review
The university reviewed their financial and IT systems and found that both were secure. They also shared that they would be able to meet their financial commitments to the vendor involved and others.
Advanced Education Minister Marlin Schmidt said that he is very disappointed that a university was victimized by a phishing scam. He further said that he expects all university board chairs to conduct a review of their financial controls. He issued a statement that he asked the university board chair to report the details as to how the fraud occurred.
Do you suspect that you are being targeted for a similar scam? Or do you need help setting precautions against similar fraud? Our private investigation services will give you the answers and the help you need. Contact us immediately for an obligation-free initial consultation.