A fake supplier managed to con staff at Canada’s MacEwan University in Edmonton into transferring $11.8m as part of a phishing attack.
The university said a series of fraudulent emails convinced university staff to change electronic banking information for one of the university’s major vendors.
So far more than $11.4m has been traced to bank accounts in Canada and Hong Kong, which have been frozen. The university said it was taking legal action in Montréal, London and Hong Kong to pursue the money.
It added in a statement that it did not know what had happened to the other $400,000, and that the full financial impact of the attack will not be clear until an investigation into the incident is complete.
“There is never a good time for something like this to happen,” said university spokesman David Beharry. “But as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident.
“We also want to emphasise that we are working to ensure that this incident will not impact our academic or business operations in any way.”
The university added that Edmonton Police Service, law-enforcement agencies in Montreal and Hong Kong, and corporate security units of banks involved with the e-transfers are working to resolve the criminal aspect of the case.
It has already launched an interim audit of business processes, and said new controls have been put in place to present further incidents. The university will decide whether further controls are necessary once the investigation has been carried out.
The university’s Internal Audit group said its preliminary assessment had found that controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed. Final results of the review are expected within a few weeks.
Read more: Procurement and cyber attacks: What you need to know