How MacEwan University got duped out of $11.8 million by scammers

Staff direct payments to fraudulent account after spear phishing attack
MacEwan University Profile Campus
MacEwan University’s campus in Edmonton. (MacEwan University)

The email didn’t just seem innocent, it also seemed familiar to the accounts payable employee at MacEwan University in Edmonton. It was from one of the local construction firms the public institution deals with, logo and all. There was new bank account information —could accounts payable please change it?

The staff and this supposed vendor communicated back and forth, from late June until a few weeks ago, in early August. One university employee was involved in this correspondence at first; two more were added.

Then vendor payments went through, as scheduled: $1.9 million from MacEwan accounts on August 10. Another $22,000 were transferred seven days later. Finally, $9.9 million went to this new bank account on August 19, a Saturday.

Wednesday morning, for the first time in this episode, came a phone call. The Edmonton-area vendor wanted to know why it never got its payments.

The massive fraud had already been perpetrated, $11.8 million winding its way into a TD bank account in Montreal and much of it then wired overseas, a university spokesman says. Investigators have traced $11.4 million of the money and frozen the suspect accounts in Quebec and Hong Kong. The school is pursuing civil legal action to recover the money. “The status of the balance of the funds is unknown at the time,” a MacEwan statement said about the other $400,000.

There’s likely not a person reading this online who hasn’t received a phishing attack, in which someone pretending to be a bank sends an email or text message, hoping to trick you into enter or re-enter account information or a credit card number. What hit MacEwan was a spear phishing attack, in which scammers impersonate a client or associate of the individual. In this case, the fraudster had cut-and-pasted the actual vendor’s logo, MacEwan spokesman David Beharry said. A phishing attacker will often cast several lures; in this case, investigators said 14 different Edmonton-area construction sites or firms were impersonated as part of this attempt. The successful trick led to financial transfers equivalent to more than five per cent of the publicly funded school’s 2016 operating budget, according to records.

This inflicted vastly more damage than the last well-documented online scam to successfully target an Alberta post-secondary school: last year, University of Calgary paid $20,000 in what’s known as a ransomware attack, in which cyberattackers manage to lock or encrypt network data until the victim pays up. While MacEwan is confident it can recoup the amounts already frozen, it will also incur legal fees on three continents as it tries to do so, Beharry says.

Spear phishing and phishing scams have been a known threat for years. It’s how Hillary Clinton campaign chairman John Podesta’s emails landed in the hands of Russian hackers last year. An impersonator of a Nebraska company’s CEO helped persuade its controller to send $17.2 million (US) to a Chinese bank in 2014, and a similar scheme led toymaker Mattel to mistakenly wire $3 million (US) to a fraudster in China. According to cybersecurity firm Cloudmark, the average large company loses $1.6 million in a spear phishing scam, and finance departments are most vulnerable.

Edmonton’s second-largest university knew enough about this problem to launch its own phishing awareness campaign last school year for staff and students, posters and all. Now, the school itself will become a cautionary tale about the perils and pratfalls of spear phishing cyberattacks.

With this ugly incident, MacEwan University becomes a cautionary tale of another sort: financial controls. These were not high-level employees ensnared by this phishing attack, the school spokesman says, though he did not identify them or clarify how the three employees were involved. From now on, one fraud and $11.8 million later, such vendor banking information changes will need to go through a second and third level of approval at MacEwan before the final clicks or keystrokes occur.