MacEwan University victim of $11.8 million phishing scam

An Edmonton university is working with authorities to recover the $11.8 million they lost in a phishing attack this August.

The RCMP qualifies phishing as fraudulent communications where scammers impersonate well-known institutions to dupe victims into offering up personal, sensitive, and financial information.

According to Global News, the scammers sent emails to MacEwan University claiming to be Clark Builders, a local construction company with which the university holds contracts.

The emails asked to have banking information changed so that payments could be made to new accounts. Three payments—$1.9 million, $22,000, and $9.9 million—were made, but when Clark Builders called to say they hadn’t received them, the university realized it had been defrauded, according to CBC.

In a statement, the university said it became aware of the incident on Aug. 23. Authorities have traced the missing payments back to bank accounts in Montreal and Hong Kong.

“These funds have been frozen and the university is working with legal counsel in Montreal, London and Hong Kong to pursue civil action to recover the money,” the statement said.

Carleton University computer science professor Anil Somayaji said this specific attack can be classified as a spear phishing scam.

Classic phishing attacks are fraudulent emails sent to millions of people, while spear phishing attacks might be sent to five or even one person, Somayaji said.

He added that spear attacks are dangerous since “the message that is constructed can be almost impossible for an end user to tell from a legitimate message, because it’s been crafted by hand and is intended for a specific person.”

According to Somayaji, phishing scams are becoming more common because organisations of all sorts are automating their processes and putting them online.

“When you automate a process, the natural tendency is to minimize the number of steps because you want things to go through,” Somayaji said. “Before, it was a paper form where you had to read it and copy information or something.”

Now it’s “click a button”,” he said, explaining that fewer vetting steps, in part, could make organizations more vulnerable.

Although Somayaji said there is no one-size-fits-all solution for phishing scam prevention, he suggested that implementing more human approvals throughout processes could help, but that they would involve increased costs.

“[Scammers] attack everyone. They attack universities because universities have a lot of money, but that’s the same for other Fortune 500 companies,” he said. “I don’t think that universities are necessarily better or worse than other enterprises about this”.

University of Calgary (U of C) was also a victim of a ransomware attack last year and paid $20,000 to regain access to their computer files. To raise awareness about cyber phishing, the university tested its student and employees about the convincing appearance of online scams earlier in March.

However, Linda Dalgetty, the university’s vice-president of finance and services, to the Charlatan that the education program had no connection with the attack that happened last year.

MacEwan is dealing with the attack as students are returning to class for the fall session, but is reassuring them that their information is safe.

“There is never a good time for something like this to happen,” university spokesman David Beharry said in a statement. “But as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident.”


Photo by Meagan Casalino