Canadian university loses $11.8m in email phishing scam

Employees at MacEwan University were led to believe a client was changing account details

A Canadian university has lost almost C$12 million after a phishing scam tricked staff into paying money into a fraudulent bank account.

Employees at MacEwan University in Alberta received emails that suggested one of its main clients was changing its banking details and that future funds should be routed to the new account.

The university said the change resulted in C$11.8 (7.5 million) being sent to the account thought to have belonged to the vendor, but realised soon after that it had been a phishing scam.

The majority of the funds has been traced to accounts in Canada and Hong Kong, according to a statement released by the university on Thursday. It added that the suspected accounts had been frozen pending civil action to recover the funds.

"There is never a good time for something like this to happen," said university spokesperson David Beharry. "But as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident."

Personal and financial information, including any details relating to recent transactions, were unaffected by the scam and remain secure, according to the statement.

The university said it is working with the Edmonton Police Service, as well as law enforcement agencies in Montreal, Hong Kong, and security departments of the banks affected.

Although controls have now been put in place to prevent a similar incident in the future, the university said it had identified that safeguards around the changing of banking details had been inadequate, and that numerous opportunities to detect the fraud had been missed.

Research conducted last year found that almost a third of employees were still falling for phishing scams of this kind, which is particularly concerning given that only one malicious email needs to bypass detection to cause serious damage to an organisation.

The university said it is working to ensure that the incident does not impact the academic and business operations of the institute, and that further updates will be released in the coming weeks.

Photo by WinterE229 / CC BY 2.0

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

CVS Health data breach leaves a billion records exposed
data protection

CVS Health data breach leaves a billion records exposed

16 Jun 2021
Millions of Volkswagen customers affected by data breach
data breaches

Millions of Volkswagen customers affected by data breach

14 Jun 2021
X-rated phishing attacks just keep growing
phishing

X-rated phishing attacks just keep growing

4 Jun 2021
Misconfigured cloud services exposed 100 million Android users' data
data breaches

Misconfigured cloud services exposed 100 million Android users' data

21 May 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
IT Pro Panel: Why IT leaders need soft skills
professional development

IT Pro Panel: Why IT leaders need soft skills

26 Jul 2021