author: ethan williams | staff writer
University says human error to blame
MacEwan University in Edmonton is in damage control after falling victim to an online “phishing” scam, in which three university employees authorized the transaction of millions of dollars to a fake company.
The staff at the university put through three separate transactions, ranging from several thousand to over nine million dollars, to an account posing as a contractor the university had hired for work.
According to an online article published on Global News, the university sent the money to what it thought was Clark Builders, an Edmonton-area construction company.
The university realized this was not the case when, after the transactions had gone through to the hackers, Clark Builders contacted the university to ask for payment for the work they had done.
When asked about the issue, MacEwan spokesperson David Beharry declined to comment, directing the Carillon to previous comments and releases he had put out regarding the issue.
In the same online article, Beharry says the other financial information within the university remains secure, and that this was the result of human error.
“The university does not believe there has been any sort of collusion. We really believe this is simply a case of human error, but there is an ongoing investigation,” stated Beharry in a previously released statement.
But this sort of scam is not uncommon and affects many businesses and people every day. Darren Sabourin is a cyber security expert in Regina, and says that it is very easy for people to fall victim, especially in large organizations, because of a lack of double checking.
“Either checks and balances have not been set up, or they’ve broken down. Sometimes, day to day, people get into a routine and they’re not as diligent in following the necessary processes because they believe that something malicious will never happen to them. In fact, when they do that, that’s when something can occur,” says Sabourin.
Sabourin also gave some insight into why MacEwan specifically may have fallen victim.
“This time of year [August], any large business or corporation is, quite often, down to three-quarters or half of their staff. So, the people who are normally tasked with carrying out normal procedures in a company may be on vacation and there’s part-time people filling in.”
When asked if there are standard protocols in place for businesses to follow, Sabourin said that it depends on the size of transaction.
“Quite often, it depends on the amount of money. Most corporations that I’ve worked with have different types of accounting processes in place depending on the amount, so a person who works as a specialist may have certain financial authority, and a manager might have more. As you get more senior up to the executive level, their spending authority increases all the way up to a million dollars,” said Sabourin.
How exactly did the hackers get a hold of MacEwan’s money? Sabourin says they may have used high- and low-tech ways to mimic companies to try and get money.
“What we’re seeing now is people are actually going to the point of crafting specially designed websites and they’re actually creating their own email servers to allow these frauds to be perpetrated. They also get to know a little bit about a company through a phone call, and that one employee gives a little bit of information away, and they’ll call again in a few weeks and get a little bit more information. They then build up these intelligence packages against these companies.”
Sabourin mentions that the scammers will comb the websites of a company to get as much information as possible, even, in some cases, collecting personal information about clients.
As for how organizations and companies can protect themselves, Sabourin says they should, simply, have processes in place.
“Where decisions involve significant risk or large sums of money, additional checks and balances are mandatory. Not optional, they’re mandatory. This can include validation by internal business areas that the work was actually performed to a satisfactory level. With many companies that I’ve worked with, you have to get a hold of a person in the company [doing work for the company] and say ‘I have an invoice here and I need you to confirm that this work actually occurred.’”
In the meantime, Beharry said in the online article that the university has been able to trace almost all of the lost funds to bank accounts in both Canada and Hong Kong. The university was able to freeze the funds in the accounts and is currently working with lawyers to obtain the money lost. Sabourin says that recovery of funds can happen.
“It depends on how the money was transacted. If you can act quickly enough, there quite often are ways to stop the actual funds from being cashed out at the other end. It’s following up in a prompt and efficient manner that quite often you can be at least partially successful in getting the money back.”
He warns, however, that it is getting increasingly easy for scammers to get their way.
“Understand, of course, that these things may occur in other countries and anywhere in the world because we live in a cyber world. It’s so easy to communicate by email and by Internet, and it’s so easy to commit fraudulent transactions from the other side of the world or from down the street.”