Canadian university loses $11.8m in email phishing scam

Employees at MacEwan University were led to believe a client was changing account details

A Canadian university has lost almost C$12 million after a phishing scam tricked staff into paying money into a fraudulent bank account.

Employees at MacEwan University in Alberta received emails that suggested one of its main clients was changing its banking details and that future funds should be routed to the new account.

The university said the change resulted in C$11.8 (7.5 million) being sent to the account thought to have belonged to the vendor, but realised soon after that it had been a phishing scam.

The majority of the funds has been traced to accounts in Canada and Hong Kong, according to a statement released by the university on Thursday. It added that the suspected accounts had been frozen pending civil action to recover the funds.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"There is never a good time for something like this to happen," said university spokesperson David Beharry. "But as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident."

Personal and financial information, including any details relating to recent transactions, were unaffected by the scam and remain secure, according to the statement.

The university said it is working with the Edmonton Police Service, as well as law enforcement agencies in Montreal, Hong Kong, and security departments of the banks affected.

Although controls have now been put in place to prevent a similar incident in the future, the university said it had identified that safeguards around the changing of banking details had been inadequate, and that numerous opportunities to detect the fraud had been missed.

Research conducted last year found that almost a third of employees were still falling for phishing scams of this kind, which is particularly concerning given that only one malicious email needs to bypass detection to cause serious damage to an organisation.

The university said it is working to ensure that the incident does not impact the academic and business operations of the institute, and that further updates will be released in the coming weeks.

Advertisement - Article continues below

Photo by WinterE229 / CC BY 2.0

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/security/ddos/28039/how-to-protect-against-a-ddos-attack
Security

How to protect against a DDoS attack

25 Oct 2019
Visit/data-breaches/29418/equifax-data-breach-cost-14-billion-so-far/page/0/1
data breaches

Ex-Equifax CIO to serve four months for insider trading

2 Jul 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020
Visit/policy-legislation/general-data-protection-regulation-gdpr/354577/data-protection-fines-hit-ps100m
General Data Protection Regulation (GDPR)

Data protection fines hit £100m during first 18 months of GDPR

20 Jan 2020