Low-level MacEwan University staffers were tricked into transferring $11.8 million into scammers’ bank accounts in what one expert said is among the largest publicly disclosed phishing scams.
The majority of the money, $11.4 million, has been traced to bank accounts in Montreal and Hong Kong.
“We are fairly confident that we will be able to recover those funds, the $11.4 million,” MacEwan spokesman David Beharry said Thursday. “It’s a question of how long will it take for the university to retrieve that money.”
He said $6.3 million has been seized from the account in Montreal, and actions are underway to freeze the two accounts in Hong Kong.
The $11.8 million loss represents about one-tenth of what MacEwan receives as an annual operating grant from the government of Alberta. In the 2015-16 financial year, the university received $118 million from the province out of its $237.1-million budget.
“I think it’s safe to say that there was a lot of disappointment and frustration because this came down to human error,” Beharry said.
The fraud was discovered Aug. 23 after a supplier said it had not been paid. Beharry would not identify the supplier.
Fraudsters had created a website that resembled the domain site of one of the university’s major suppliers. Using that site, the fraudsters impersonated the supplier, asking the university to transfer accounts payable to a new bank account the fraudsters controlled.
Three MacEwan staffers made three payments to the bogus account over a nine-day period ending Aug. 19. The university paid out $1.9 million, $22,000, and finally $9.9 million.
Beharry would not say if the staffers have been disciplined or fired.
“The university does not believe there has been any sort of collusion,” he said. “We really believe this is simply a case of human error.”
The university is working with lawyers in Montreal, London and Hong Kong on civil action to recover the money. The status of the remaining $400,000 is not known.
MacEwan conducted an audit of its business processes after discovering the fraud and put controls in place “to prevent further incidents.” An internal audit group will also investigate the incident.
An early assessment determined that “controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed.”
David Shipley, CEO of Beauceron Security and former cyber-security lead at the University of New Brunswick, said MacEwan was likely the victim of what’s known as a business email compromise scam.
“It’s the single largest publicly disclosed amount I’ve seen,” he said. “That’s not to say there aren’t private companies that aren’t required to disclose this stuff that haven’t had (larger) losses.”
Shipley said Facebook and Google fell victim to similar scams, transferring “in the $100-million range” after being invoiced by fake suppliers.
“This is the intersection of people, process and technology,” he said. “People in that they got tricked, process in that being able to transfer that amount of money should have required additional financial controls. Technology played the smallest role — as in why didn’t their email filter it or alert them that (the sender) wasn’t who it said it was.”
Beharry said the university has funds to pay the supplier. The loss would not impact students, he said.
In a statement, Advanced Education Minister Marlin Schmidt said he is “disappointed” the university fell victim to the scam and has instructed all post-secondary institutions to review their financial controls.
“I expect post-secondary institutions to do better to protect public dollars against fraud,” Schmidt said.