MacEwan University wastes $11.8 million after staff failed to call one of its vendors to confirm whether emails requesting a change in banking information were legitimate.
The university said that the staff was tricked by fraudulent emails requesting them to change electronic banking information for one of the school’s major vendors.
According to the University:
“On Wednesday, August 23, MacEwan University discovered it had been the victim of a phishing attack. A series of fraudulent emails convinced university staff to change electronic banking information for one of the university’s major vendors. The fraud resulted in the transfer of [Canadian] $11.8 million to a bank account that staff believed belonged to the vendor,”
Three payments were performed to the fraud account: The first one on Aug. 10 for $1.9 million; the second payment on Aug. 17 for $22,000 and a third on Aug. 19 for $9.9 million. The money has been traced to accounts in Montreal and Hong Kong, those funds have now been frozen.
After the fraud was uncovered, the university conducted an audit of business processes through its internal audit team and with the help of outside security professionals.
“There is never a good time for something like this to happen,” said university spokesman David Beharry, “but as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident. Personal and financial information, and all transactions made with the university are secure. We also want to emphasize that we are working to ensure that this incident will not impact our academic or business operations in any way.”