In a major phishing scam, a scammer conned MacEwan University in Canada out of 11.8 million CAD after he convinced employees to change payment details for a vendor.
The University recovered a little over half of the lost money after it discovered the phishing scam and informed authorities.
In a classic case of the use of phishing techniques to perpetrate online fraud, a scammer recently conned MacEwan University in Edmonton, Canada out of 11.8 million Canadian dollars after he convinced university employees to change payment details for a vendor.
The university has identified human error as the sole cause behind the scam. In an official statement, it said that “controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed.”
After the phishing scam was discovered, the university swung into action and, by Thursday afternoon, had recovered 6,347,000 CAD from the hacker’s accounts located in Canada and Hong Kong. It is now working with authorities in Edmonton, Montreal, London, and Hong Kong to recover the remaining amount.
Even though the university had fallen victim to an online scam, it assured students and faculty that its IT systems were not compromised and that no personal or financial information was breached by the scammer. The university also confirmed that the scammer’s accounts were frozen and that it had initiated civil actions and a criminal investigation into the scam.
‘We also want to emphasize that we are working to ensure that this incident will not impact our academic or business operations in any way,’ said David Beharry, a spokesman for MacEwan University.
This incident recalls a similar episode in which Evaldas Rimasauskas, a Lithuanian scammer, impersonated a vendor company named Quanta Computer and conned Google and Facebook out of up to $100 million between 2013 and 2015.
However, unlike MacEwan University, Facebook and Google didn’t disclose the phishing scam to their investors since they felt the events weren’t significant enough to merit disclosure.
The incident also reinforces a growing belief among cyber security experts that educational institutions are being increasingly targeted by hackers, either through cyber-attacks or through phishing techniques.
In the UK, the police’s Action Fraud department recently revealed that cyber criminals are calling educational institutions and asking for staff members’ personal email addresses and phone numbers, claiming that they need to send them guidance forms that contain sensitive information.
The scammers claimed that they were from the “Department of Education” – although the UK government’s department for schools is called the Department for Education.
In February, a cyber-attack on Trinity College Dublin resulted in hackers getting their hands on €1 million from the institution’s coffers, as well as sensitive details belonging to the institution’s donors.
“We are writing to tell you that your personal information may have been compromised by an email attack on Trinity Foundation and we strongly encourage you to be vigilant of any suspicious emails you receive. An email account belonging to one of Trinity Foundation’s employees appears to have been compromised by an apparent phishing/malware attack. It seems that the attackers had access to this email account from February 7, 2017,” said the Trinity Foundation in a letter to affected donors.