Fraudsters almost swindled the Royal Canadian Mint with payroll 'spoofing' scam

The Royal Canadian Mint fell for what’s known as a spear phishing scam and almost forked a former employee’s pay cheque over to a malicious actor. The details of the breach were included in a recently obtained access to information request.

Canadian Anti-Fraud Centre says spear-phishing scams increasingly difficult to investigate.

A "malicious actor" masquerading as a former Mint employee reached out to the Crown corporation's human resources department pretending to need a change to their bank account details. (Reuters)

The Royal Canadian Mint fell for what's known as a "spear-phishing" scam and almost forked over an employee's paycheque to fraudsters, according to a breach report obtained through access to information.

Spear-phishing is a type of fraud which sees swindlers carefully collect information on a target in order to impersonate them. It's one of the "most common and most dangerous attack methods" and it's getting increasingly difficult to investigate, says a bulletin issued by the Canadian Anti-Fraud Centre last month.

In the Mint's case, a "malicious actor" masquerading as a former Mint employee reached out to the Crown corporation's human resources department back in February. The scam artist requested a change to a real former employee's bank account information for payroll purposes, according to a copy of the incident report obtained by CBC News through access to information.

After some back-and-forth emails, a human resources worker at the Mint — thinking they were talking to the real former employee — changed the banking information. They also gave the fraudster a pay stub, as requested.

Luckily, the receiving bank rejected the payroll deposit. The funds were returned to the Mint and the former employee lost nothing.

The surrendered pay stub, however, included the former employee's address, employee number, payroll information (including annual salary) and the last four digits of her bank account.

"It's regrettable that there was a privacy breach," said Alex Reeves, senior manager of public affairs for the Mint. 

"We take this kind of thing very seriously and you can't let down your guard when it comes to preventing that sort of thing."

Significant losses are common

Jeff Thomson, a senior RCMP intelligence analyst with the Canadian Anti-Fraud Centre, said the agency is seeing a rise in payroll spoofing scams, a variation of spear-phishing.

The scam succeeds because it's hard to detect and exploits an existing relationship of trust, he said.

"Oftentimes it can result in significant losses," Thomson said. "It typically falls in our top two in terms of dollar loss in the amount of money that the victims can lose."

According to recent figures, more than a half a million dollars has been lost to spear-phishing and wire fraud scams so far this year.

A spokesperson for the Royal Canadian Mint says no money was lost in the spear-phishing attempt. (Brent Lewin/Bloomberg)

The Mint later found out the affected individual was a victim of identity theft and had been hit with fraudulent credit card activity. 

The report says the malicious actor (or actors) used the former employee's social insurance number and date of birth in those credit card transactions. The Mint said there's no evidence to suggest that information came from the Crown corporation.

The former employee has reached out to Ottawa Police and the Mint said it has cooperated with the investigation.

Thomson said spear-phishing scams are often international in scope and hard to investigate.

"So the tactics the fraudsters employ certainly make it more difficult to track them down," he said. "And it's challenging in investigating when you're crossing jurisdictions."

While spear-phishing emails can be sophisticated, Thomson said people should watch out for spelling errors, unsolicited messages or emails from high-ranking officials who aren't normally in contact with the subject. Other red flags in spear-phishing messages include requests for absolute confidentiality or attempts to ramp up pressure on the target.

Reeves said the Mint has taken corrective measures, including security and privacy training tailored to its human resources department.

"Phishing and scams like that are a concern facing organizations like ours on a regular basis," he said. "We have to be vigilant."


Catharine Tunney is a reporter with CBC's Parliament Hill bureau, where she covers national security and the RCMP. She worked previously for CBC in Nova Scotia. You can reach her at catharine.tunney@cbc.ca

Add some “good” to your morning and evening.

A variety of newsletters you'll love, delivered straight to you.

Sign up now


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Account Holder

Join the conversation  Create account

Already have an account?