MacEwan University defrauded of $11.8M in online phishing scam

An Edmonton university lost $11.8 million after staff failed to call one of its vendors to verify whether emails requesting a change in banking information were legitimate.

Some funds still missing, most traced to bank accounts in Canada and Hong Kong

MacEwan University is trying to recover millions of dollars after it was the victim of an email phishing attack. (MacEwan University)

An Edmonton university was defrauded of $11.8 million after staff failed to call one of its vendors to verify whether emails requesting a change in banking information were legitimate.

MacEwan University discovered the fraud on Aug. 23 after the legitimate vendor, a construction company, called to ask why it hadn't been paid. 

Three payments were made to the fraudulent account: one on Aug. 10 for $1.9 million; another on Aug. 17 for $22,000 and a third on Aug. 19 for $9.9 million.

Most of the money — more than $11.4 million — has been traced to accounts in Montreal and Hong Kong, the university said in a news release Thursday.

Those funds have now been frozen, the university said, adding it is working with legal counsel in Montreal, London and Hong Kong to pursue civil action to recover the money. The status of the rest of the missing money isn't known.

University spokesperson David Beharry said the scammers sent emails that looked legitimate. 

"A domain site with the authentic logo was sent," Beharry told reporters. "The individual asked us to change banking information from the vendor. That information was changed." 

Advanced Education Minister Marlin Schmidt said in a statement he found it unacceptable that the university fell victim to this scam. 

He's asked the chair of MacEwan's board of directors to report by Sept. 15 about how this could have happened. 

"While I'm told that MacEwan has put improved internal financial controls to help prevent it from happening again, I expect post-secondary institutions to do better to protect public dollars against fraud," Schmidt said in a statement.

"That's why I've instructed all board chairs to review their current financial controls."

The president of MacEwan University, Deborah Saucier, was not available to comment. 

Authorities notified

The university described the fraud as a "phishing attack."

The Canadian Anti-Fraud Centre says "phishing" refers to internet scammers who use email "lures" to fish for financial data. The scammers create fake emails that look legitimate. The emails are used to trick users into submitting personal, financial or password data.

Beharry said the fraudsters produced fake emails for 14 construction firms in the Edmonton area.

When the MacEwan fraud was discovered, the university notified authorities, including the Edmonton Police Service, law-enforcement agencies in Montreal and Hong Kong, and the corporate-security units of banks involved with the electronic transfer of funds.

The university said it has conducted an interim audit of business processes and has put in controls to prevent further incidents.

An investigation will determine what permanent business-process controls will be put in place, the university said.

Its internal audit group has asked outside experts to help in an "extensive multifaceted investigation" that has already started.

Students reassured

Final results of the review are expected within a few weeks.

MacEwan said it has notified "key stakeholders" including the advanced education minister and the auditor general's office.

Beharry said in the news release that the university wants to assure students that its information technology systems were not compromised.

"Personal and financial information, and all transactions made with the university are secure. We also want to emphasize that we are working to ensure that this incident will not impact our academic or business operations in any way."