MacEwan University defrauded of $11.8M in online phishing scam

An Edmonton university was defrauded of $11.8 million after staff failed to call one of its vendors to verify whetheremails requesting a change in banking information were legitimate.

MacEwanUniversity discovered the fraud on Aug. 23 after the legitimate vendor, a construction company, called to askwhy it hadn't been paid.

Three payments were made to the fraudulent account: one on Aug. 10for $1.9 million; another onAug. 17for $22,000 and a third on Aug. 19for $9.9 million.

Most of the money morethan $11.4 million has been traced to accounts in Montreal and Hong Kong, the university said in a news release Thursday.

Those funds havenowbeen frozen, the university said, adding it is working with legal counsel in Montreal, London and Hong Kong to pursue civil action to recover the money.The status of the rest of the missing money isn't known.

University spokespersonDavid Beharry said the scammers sentemailsthat looked legitimate.

"A domain site with the authentic logo was sent," Beharrytold reporters. "The individual asked us to change banking information from the vendor. That information was changed."

Advanced Education Minister Marlin Schmidt said in a statement he found it unacceptable that the university fell victim to this scam.

He's asked the chair of MacEwan'sboard of directors to report by Sept. 15 about how this could have happened.

"While I'm told that MacEwan has put improved internal financial controls to help prevent it from happening again, I expect post-secondary institutions to do better to protect public dollars against fraud," Schmidt said in a statement.

"That's why I've instructed all board chairs to review their current financial controls."

The president of MacEwanUniversity, Deborah Saucier, was not available to comment.

Authorities notified

The university described the fraud as a "phishing attack."

The Canadian Anti-Fraud Centre says "phishing" refers to internet scammerswho use email"lures" to fish for financial data. The scammers create fake emails that look legitimate. The emails are used to trick users into submitting personal, financial or password data.

Beharry said the fraudsters produced fake emails for 14 construction firms in the Edmonton area.

When the MacEwan fraud was discovered, the university notified authorities, including the Edmonton Police Service, law-enforcement agencies in Montreal and Hong Kong, and the corporate-security units of banks involved with the electronic transfer of funds.

The university said it has conducted an interim audit of business processes and has put in controls to prevent further incidents.

An investigationwill determine what permanent business-process controls will be put in place, the university said.

Its internal audit group has asked outside expertsto help in an "extensive multifaceted investigation" that has already started.

Students reassured

Final results of the review are expected within a few weeks.

MacEwan said is has notified "key stakeholders" including the advanced education minister and the auditor general's office.

Beharry said in the news release that the university wants to assure students that its information technology systems were not compromised.

"Personal and financial information, and alltransactions made with the university are secure. We also want to emphasize that we are working to ensurethat this incident will not impact our academic or business operations in any way."

• Court documents detail alleged frauds orchestrated by former NorQuest IT manager
• Massive unreported security breach, $2 million alleged fraud at NorQuest College
• Student charged with cyber crimes in U of A malware breach