Scammer makes CAD $11 million off Canadian university in phishing hack

Reading time: 4 min
Share this Share on email Share on twitter Share on linkedin Share on facebook

The education sector is one of the most targeted by cybercriminals, partly because it often overlooks compliance with government regulations on security and data protection. Unlike other industries, education is not as well-trained on security guidelines, has little device protection in place, and unwittingly encourages a bring-your-own-device environment.

Lacking proper security training, employees are more likely to click on a malicious link or fall victim to phishing or ransomware attacks. This was the case in Canada when MacEwan University in Edmonton, Alberta, fell victim to a phishing attack and transferred over CAD $11 million to a scammer impersonating a vendor, the university confirmed on Thursday, after detecting the fraud on August 23.

The Ministry of Advanced Education and the Office of the Auditor General were immediately informed of the phishing attack.

“There is never a good time for something like this to happen,” said university spokesman David Beharry, “but as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident. Personal and financial information, and all transactions made with the university are secure. We also want to emphasize that we are working to ensure that this incident will not impact our academic or business operations in any way.”

University staff was deceived by a number of emails asking them to change electronic banking details for one of their vendors. As the money was traced to accounts in Canada and Hong Kong, authorities in Edmonton, Montreal, London and Hong Kong are working closely with the institution to get the money back, as well as seeking more insights on the scam. For now, the funds have been frozen.

"A large portion of the funds have been traced—$6,347,000—to a TD bank account in Montreal and were seized by a bailiff," Beharry said in an interview with Motherboard.

"Investigations revealed that the balance of the funds were wire transferred to two accounts in Hong Kong. The university has initiated civil and criminal proceedings. We have hired legal counsel in Montreal and Hong Kong, and they are working on recovering the $11 million."

The scam did not affect  IT systems and no personal or financial data was leaked. MacEwan University aims to retrieve the money as soon as possible, and assures students that its programs and initiatives will not be compromised.

The university said the fraud could have been detected earlier, but a number of opportunities were missed. To avoid compromising the investigation, no details have been provided. More information will be released once the investigation is over. The vendor’s name hasn’t been made public, as the university is waiting for its approval.

Organizations must accept that the next attack is right around the corner. Because they are the most frequent victims, schools and universities truly need to step up their game, as the number of phishing attacks has increased in the past year, as has all malicious activity. Phishing attacks are among the most lucrative deception methods and have grown in complexity, making them more difficult to detect, especially without proper security training.