EDMONTON—An Alberta university says it has been defrauded of $11.8 million in a so-called “phishing” attack, admitting it didn't have safeguards in place as staffers unwittingly paid out millions of dollars online.
“This is an administrative error,” David Beharry, spokesman for MacEwan University, said Tuesday.
“We have ensured that there will now be a secondary and tertiary level of approval.”
Beharry was asked why safeguards were not in place beforehand.
“That is something we are seriously looking at,” he replied.
He said the scam occurred when fraudsters created a website that resembled the domain site of one of the university's major vendors.
Using that site, the fraudsters impersonated the vendors, asking the university to transfer accounts payable to a new bank account the fraudsters controlled.
Three staffers at MacEwan made three payments to the bogus account over a nine-day period ending Aug. 19.
The university paid out $1.9 million, $22,000, and finally $9.9 million.
The university did not realize what had happened until days later when the vendor called asking to be paid.
Beharry said the three employees involved were not high-level staffers, but wouldn't say if they had been suspended or reprimanded.
He said an internal investigation and police investigation are underway, but added: “The university does not believe there has been any sort of collusion.”
“We really believe this is simply a case of human error,” he stressed.
Beharry would not identify the vendor involved, but said a number of construction firms have been impersonated in similar online “phishing” attacks.
He said most of the missing money—$11.4 million—has been traced to a bank account in Montreal and to two accounts in Hong Kong.
Beharry said $6.3 million has been seized from the account in Montreal, and actions are underway to freeze the two accounts in Hong Kong.
“We are fairly confident that we will be able recover those funds,” he noted.
“It's a question of how long.”
Beharry said a review found the IT and financial systems safe and secure, and added the university will be able to meet its financial commitments to the vendor and others.
Advanced Education minister Marlin Schmidt said he was “very disappointed” the university fell victim to the crime, adding he has instructed all university board chairs to review their financial controls.
“This is unacceptable and I've asked the board chair to report back to me by Sept. 15 with details on how this occurred,” Schmidt said in a statement.
“While I'm told that MacEwan has put improved internal financial controls to help prevent it from happening again, I expect post-secondary institutions to do better to protect public dollars against fraud,” he added.