“On Wednesday, August 23, MacEwan University discovered it had been the victim of a phishing attack. A series of fraudulent emails convinced university staff to change electronic banking information for one of the university’s major vendors. The fraud resulted in the transfer of [Canadian] $11.8 million to a bank account that staff believed belonged to the vendor,” the Canadian university shared.
After the fraud was discovered, the university conducted an audit of business processes through its internal audit group and with the help of outside experts.
“Preliminary assessment has determined that controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed,” they noted.
Since then, additional controls have been put in place to prevent further incidents.
The fraud was discovered after the real vendor complained of non-payment. The accounts to which the funds were sent were then traced to Canada and Hong Kong, and local law enforcement agencies were contacted.
Corporate security units of banks involved with the e-transfers were also notified, and they managed to freeze the funds. The university is working with legal counsel in Montreal, London and Hong Kong to pursue civil action to recover the money.
No further details about the phishing attack were revealed, but it’s obvious this is a variant of the business email compromise (BEC) scam: the so-called “payment instruction switch” or “the supplier swindle.”
“There is never a good time for something like this to happen,” said university spokesman David Beharry, “but as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident. Personal and financial information, and all transactions made with the university are secure. We also want to emphasize that we are working to ensure that this incident will not impact our academic or business operations in any way.”