City treasurer tricked into wiring $100K US to fraudster
Marian Simulik scammed by email that appeared to come from city manager
City treasurer Marian Simulik fell for a "fake CEO scam" and wired more than $100,000 to a fraudster last summer, according to a startling report from Ottawa's auditor general released Monday afternoon.
Many people receive suspicious emails asking for money, a practice known as phishing. But the scam perpetrated on Simulik is known as "whaling" because it targets big fish, like CEOs and chief financial officers.
And that's what happen to Simulik on July 6, when she received an email that appeared to come from city manager Steve Kanellakos, asking her to pay a city supplier $97,797.20 US, currently worth about $130,000 Cdn.
She searched the Internet for the IT supplier and assumed the payment has something to do with an overhaul of the ottawa.ca website.
After a few back-and-forth emails with the fake city manager, Simulik sent the requested amount off to a U.S. bank account.
The entire transaction took about four hours, from 10:30 a.m to 2:30 p.m.
The email should have raised suspicion. The auditor said that neither the current, nor the past city manager can recall a single instance in which he had emailed Simulik to wire money to a supplier. As well, one of the emails from the fake city manager said he didn't want the treasurer "discussing it with anybody in the office, any questions please email me."
After the money was wired to the U.S., the fraudster transfered it from the one U.S. bank account to another. It turns out that second U.S. account was being monitored by the U.S. secret service, which let the City of Ottawa know on Aug. 3 that it had been the subject of a fraud scheme.
The fraud is not before the courts, and it appears some of the money lost through the fraud may be recovered.
Despite senior staff and coucillors going to great lengths to point out how respected Simulik is in her field and at the city, the treasurer is embarrassed by the incident.
She made a brief, emotional statement to the committee, in which she said she has prided herself "for responsible and professional stewardship of taxpayers' money for the last 28 years.
"That I should be the target and victim of this sophisticated attack has affected me deeply both professionally and personally," she said.
Local police didn't investigate
Simulik had also discovered the fraud.
A few days after transferring the $100,000, she received another request — again, appearing to come from Kanellakos — for another $150,000 to the same supplier. But this email arrived during the July 11 council meeting, so Simulik asked the real Kanellakos about the request. Of course, he didn't know what she was talking about.
The treasurer reported the problem immediately, the committee heard. The auditor general began an internal investigation into the matter the next day, and the Ottawa police was notified.
However, according to the audit report, local police did little to investigate the matter, even though the treasurer was still in contact with the fraudster.
The officer assigned to the case "advised that he did not have any cyber-security experience" states the report. The city's technology security was told by police that as the wire transfer had been completed, there was nothing they could do.
When asked by CBC about the case, an Ottawa police spokesperson said the fraud "was considered a 'business email compromised' case and there was insufficient evidence to identify a suspect. As such, the Ottawa Police investigation was closed."
Councillors kept in dark
Hughes also revealed that the treasurer's office had already been the target of another whaling attempt in the spring of 2018. In that incident, an email that looked to be from the CEO of the Ottawa Public Library requested a wire transfer from the deputy treasurer.
Some councillors wanted to know why they were only hearing about these incidents almost a year after they occurred.
However, the auditor general said he could not make public his investigation while it was still on-going. And it was difficult for senior staff to speak with councillors about it, because the auditor had to investigate whether Simulik and Kanellakos were in any way colluding to defraud the city. Neither has been implicated in any way.
Some measures already taken
The city has since taken measures to avoid such phishing scams, including automatic warnings when emails come from an external source. As well, no employee now has the ability to both create and approve a wire transfer.
The city is also working on a mandatory cyber-awareness training for city staff.