City treasurer tricked into wiring $100K US to fraudster

City treasurer Marian Simulik fell for a "fake CEO scam" and wired more than $100,000 to a fraudster last summer, Ottawa's audit committee heard Monday afternoon.

Marian Simulik scammed by email that appeared to come from city manager

On Monday, City of Ottawa treasurer Marian Simulik gave a brief but emotional statement about sending more than $100,000 to a fraudster last summer. (Kate Porter/CBC)

City treasurer Marian Simulik fell for a "fake CEO scam" and wired more than $100,000 to a fraudster last summer, according to a startling report from Ottawa's auditor general released Monday afternoon.

Many people receive suspicious emails asking for money, a practice known as phishing. But the scam perpetrated on Simulik is known as "whaling" because it targets big fish, like CEOs and chief financial officers.

And that's what happened to Simulik on July 6, when she received an email that appeared to come from city manager Steve Kanellakos, asking her to pay a city supplier $97,797.20 US, currently worth about $130,000 Cdn.

She searched the Internet for the IT supplier and assumed the payment had something to do with an overhaul of the ottawa.ca website.

After a few back-and-forth emails with the fake city manager, Simulik sent the requested amount off to a U.S. bank account.

The entire transaction took about four hours, from 10:30 a.m. to 2:30 p.m.

The email should have raised suspicion. The auditor said that neither the current nor the past city manager can recall a single instance in which he had emailed Simulik to wire money to a supplier. As well, one of the emails from the fake city manager said he didn't want the treasurer "discussing it with anybody in the office, any questions please email me."

After the money was wired to the U.S., the fraudster transferred it from one U.S. bank account to another. It turns out that second U.S. account was being monitored by the U.S. Secret Service, which let the City of Ottawa know on Aug. 3 that it had been the subject of a fraud scheme.

The fraud is not before the courts, and it appears some of the money lost through the fraud may be recovered.

Emotional statement

Despite senior staff and councillors going to great lengths to point out how respected Simulik is in her field and at the city, the treasurer is embarrassed by the incident.

She made a brief, emotional statement to the committee, in which she said she has prided herself "for responsible and professional stewardship of taxpayers' money for the last 28 years.

"That I should be the target and victim of this sophisticated attack has affected me deeply both professionally and personally," she said.

Local police didn't investigate

Simulik had also discovered the fraud.

A few days after transferring the $100,000, she received another request, again appearing to come from Kanellakos, for another $150,000 to the same supplier. But this email arrived during the July 11 council meeting, so Simulik asked the real Kanellakos about the request. Of course, he didn't know what she was talking about.

The treasurer reported the problem immediately, the committee heard. The auditor general began an internal investigation into the matter the next day, and Ottawa police were notified.

Ottawa's auditor general, Ken Hughes, reported that local police did little to investigate the email fraud perpetrated on the city treasurer. (CBC)

However, according to the audit report, local police did little to investigate the matter, even though the treasurer was still in contact with the fraudster.

The officer assigned to the case "advised that he did not have any cyber-security experience," states the report. The city's technology security was told by police that as the wire transfer had been completed, there was nothing they could do.

When asked by CBC about the case, an Ottawa police spokesperson said the fraud "was considered a 'business email compromised' case and there was insufficient evidence to identify a suspect. As such, the Ottawa Police investigation was closed."

Councillors kept in dark

Hughes also revealed that the treasurer's office had already been the target of another whaling attempt in the spring of 2018. In that incident, an email that looked to be from the CEO of the Ottawa Public Library requested a wire transfer from the deputy treasurer.

But when treasury staff asked for more information from library staff, they realized the email was a fake. However, the incident was not reported to the city's technology security folks or to the auditor general.

Some councillors wanted to know why they were only hearing about these incidents almost a year after they occurred.

However, the auditor general said he could not make public his investigation while it was still ongoing. And it was difficult for senior staff to speak with councillors about it, because the auditor had to investigate whether Simulik and Kanellakos were in any way colluding to defraud the city. Neither has been implicated in any way.

Some measures already taken

The city has since taken measures to avoid such phishing scams, including automatic warnings when emails come from an external source. As well, no employee now has the ability to both create and approve a wire transfer.

The city is also working on mandatory cyber-awareness training for city staff.