MacEwan University Defrauded Out of $11.8mn in Phishing Attack

Written by

MacEwan University in Edmonton, Alberta has been defrauded of $11.8 million, thanks to a phishing attack.

The university uncovered the issue on Aug. 23.

A member or members of the university’s staff fell for a classic business email compromise gambit (BEC) after receiving a request to purportedly change the electronic banking information on file for one of the university’s major vendors. Believing the email to be legitimate, the staff made that change without verifying the veracity of the sender, resulting in a transfer of funds into a bank account controlled by the bad actors.

“There is never a good time for something like this to happen,” said university spokesman David Beharry, in a statement. “But as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident. Personal and financial information, and all transactions made with the university are secure. We also want to emphasize that we are working to ensure that this incident will not impact our academic or business operations in any way.”

Immediately after discovering the fraud, the university began to pursue criminal and civil actions to trace and recover the funds. It was able to track down more than $11.4 million of the stolen money, found to be in bank accounts in Canada and Hong Kong, the university said. Those funds have been frozen and the university is working with legal counsel in Montreal, London and Hong Kong to pursue civil action to recover them; the status of the balance of the funds remains unknown.

Edmonton Police Service, law-enforcement agencies in Montreal and Hong Kong, and the corporate security units of the banks involved with the e-transfers are working to resolve the criminal aspect of the case. 

The university has conducted an interim audit of business processes, and said that controls were put in place to prevent further incidents.

“Preliminary assessment has determined that controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed,” the university said.

William MacArthur, threat researcher, RiskIQ, told us that having those controls—or at the very least, employee training on social engineering—would have made a big difference.

“These campaigns replicate apps used by these companies in their day to day operations, or spoof the email addresses of employees to trick employees into divulging highly sensitive and confidential information,” he said. “These attacks go after those who are the traditionally less security savvy folks in HR and finance departments. These people must be alerted to the dangers of phishing, and make sure they are verifying the authenticity of every single email asking for sensitive information—that means researching the purported company online and picking up the phone and calling if necessary.”

He also warned that phishing comes in many forms.

“It’s like a constant game of chess, except they have more pieces and always on the offensive,” he said. “They also evolve to keep up with the changes happening in everyday life. How we work and communicate, and the channels on which we do so, are always changing—as are the way we use sensitive personal and financial data. Phishing has spread beyond the inbox to mobile apps, social media, and instant messaging platforms (basically, anything that connects people) and replicate exactly the apps we trust with sensitive data every day to fool people.”


Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit https://www.infosecurity-magazine.com/conferences/infosecurity-north-america/


What’s hot on Infosecurity Magazine?