A Canadian university transferred more than $11 million CAD (around $9 million USD) to a scammer that university staff believed to be a vendor in a phishing attack, a university statement published on Thursday states.
Staff at MacEwan University in Edmonton, Alberta became aware of the fraud on Wednesday, August 23, the statement says. According to the university, the attacker sent a series of emails that convinced staff to change payment details for a vendor, and that these changes resulted in the transfer of $11.8 million CAD to the scammer. Most of the funds were traced to bank accounts in Canada and Hong Kong. The school is working with authorities in Edmonton, Montreal, London, and Hong Kong, the statement reads.
According to the university, its IT systems were not compromised and no personal or financial information was stolen. A phishing scam is not technically a “hack,” it should be noted, and only requires the attacker to convince the victim to send money.
According to university spokesperson David Beharry, about half of the stolen funds were traced and seized by Thursday afternoon.
“A large portion of the funds have been traced—$6,347,000—to a TD bank account in Montreal and were seized by a bailiff,” Beharry said over the phone. “Investigations revealed that the balance of the funds were wire transferred to two accounts in Hong Kong. The university has initiated civil and criminal proceedings. We have hired legal counsel in Montreal and Hong Kong, and they are working on recovering the $11 million.”
The school’s preliminary investigation found that “controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed.” Beharry would not elaborate on which processes were found to be inadequate or which warning signs were missed.
The stolen funds were destined for the vendor, Beharry said, and the loss of the funds will not affect MacEwan University programs or initiatives. The school is not revealing the identity of the vendor, but is seeking permission from the vendor to do so.
The full details of the investigation should be available in the coming weeks, the university statement says.