Phishing Scam Nets Criminals $11.8 Million
Posted by: Timothy Weaver on 09/01/2017 02:26 PM
[
Comments
]
MacEwan University in Edmonton, Alberta has fallen for a business email compromise gambit (BEC). The scam relieved the university of $11.8 million.
The phishing email requested that the targeted staff member change the electronic banking information on file for one of the university’s major vendors. The staff member fell for it.
“There is never a good time for something like this to happen,” said university spokesman David Beharry, in a statement. “But as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident. Personal and financial information, and all transactions made with the university are secure. We also want to emphasize that we are working to ensure that this incident will not impact our academic or business operations in any way.”
Once discovered, the university pursued criminal and civil actions to track down the criminals and try to recover the money.
They were successful in recovering $11.4 million, which was located in bank accounts in Canada and Hong Kong.
“Preliminary assessment has determined that controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed,” the university said.
William MacArthur, threat researcher, RiskIQ, said: “These campaigns replicate apps used by these companies in their day to day operations, or spoof the email addresses of employees to trick employees into divulging highly sensitive and confidential information,” he said. “These attacks go after those who are the traditionally less security savvy folks in HR and finance departments. These people must be alerted to the dangers of phishing, and make sure they are verifying the authenticity of every single email asking for sensitive information—that means researching the purported company online and picking up the phone and calling if necessary.”
Edmonton Police Service, law-enforcement agencies in Montreal and Hong Kong, and the corporate security units of the banks are attempting to track down the criminals involved in the scam.
Source: Info Security
The phishing email requested that the targeted staff member change the electronic banking information on file for one of the university’s major vendors. The staff member fell for it. “There is never a good time for something like this to happen,” said university spokesman David Beharry, in a statement. “But as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident. Personal and financial information, and all transactions made with the university are secure. We also want to emphasize that we are working to ensure that this incident will not impact our academic or business operations in any way.”
Once discovered, the university pursued criminal and civil actions to track down the criminals and try to recover the money.
They were successful in recovering $11.4 million, which was located in bank accounts in Canada and Hong Kong.
“Preliminary assessment has determined that controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed,” the university said.
William MacArthur, threat researcher, RiskIQ, said: “These campaigns replicate apps used by these companies in their day to day operations, or spoof the email addresses of employees to trick employees into divulging highly sensitive and confidential information,” he said. “These attacks go after those who are the traditionally less security savvy folks in HR and finance departments. These people must be alerted to the dangers of phishing, and make sure they are verifying the authenticity of every single email asking for sensitive information—that means researching the purported company online and picking up the phone and calling if necessary.”
Edmonton Police Service, law-enforcement agencies in Montreal and Hong Kong, and the corporate security units of the banks are attempting to track down the criminals involved in the scam.
Source: Info Security
Comments
