Canadian university falls victim to email phishing scam, loses $9.5M to fraudsters

MacEwan University in Edmonton, Alberta has confirmed that it lost 11.8 million Canadian dollars (US $9.5 million) after falling victim to a phishing attack.

In a statement released Thursday, the university said that a series of fraudulent emails convinced staff to change electronic banking information for one of the institution’s major vendors. As a result of the fraud, $9.5 million was transferred to an account that staff believed belonged to the vendor.

An investigation into the incident, which was discovered on Aug. 23, is ongoing, although most of the funds have been traced to accounts in Canada and Hong Kong. “These funds have been frozen and the university is working with legal counsel in Montreal, London and Hong Kong to pursue civil action to recover the money,” the university said in a statement. “The status of the balance of the funds is unknown at this time.”


The eventual financial impact will not be known until the investigation is complete, according to MacEwan University. The Edmonton Police Service, law enforcement in Montreal and Hong Kong and the corporate security units of the banks involved in the e-transfers are working on the case, it said.

University officials say that MacEwan’s IT systems were not compromised by the incident and that personal and financial information and all transactions made with the university are secure.

Experts say that the incident underlines the huge threat posed by phishing scams.

“One thing has always been the same in phishing attacks: social engineering, i.e., luring people into clicking on a link and providing information so it can be captured and sent off to a drop zone,” explained William MacArthur, threat researcher at digital threat management firm RiskIQ, via email. “Phishing actors adjust the same way a security analyst would so it's like a constant game of chess, except they have more pieces and [are] always on the offensive.”


MacArthur noted that phishing has spread beyond the inbox to mobile apps, social media and instant messaging platforms.

"These kinds of email-borne impersonation spear-phishing attacks in various forms unfortunately happen all the time," said Matthew Gardiner, cyber security strategist at data security firm Mimecast, in an email to Fox News. "In particular the emails which spoof a C-level executive or a major vendor and direct someone in accounts payable to initiate a fraudulent wire transfer have proven to be very expensive."

"This particular series of phishing attacks against MacEwan University appears to be a Business Email Compromise attack, just another example of a rising tide of phishing scams targeting the education sector," added Simon Taylor, vice president of products at email security specialist Glasswall. "It’s worth noting that this university attack occurred just days after the emergence of the notorious 'Onliner' spambot, a malicious phishing campaign that can easily bypass spam filters and has thus far stolen more than 711 million valid email credentials."

Earlier this year, Google shut down a sophisticated phishing scam that targeted users by impersonating Google Docs.

Follow James Rogers on Twitter @jamesjrogers