MacEwan University in Edmonton, Alberta has been defrauded of $11.8 million, thanks to a phishing attack.
The university uncovered the issue on Aug. 23.
A member or members of the university’s staff fell for a classic
business email compromise gambit (BEC) after receiving a request to purportedly change the electronic banking information on file for one of the university’s major vendors. Believing the email to be legitimate, the staff made that change without verifying the veracity of the sender, resulting in a transfer of funds into a bank account controlled by the bad actors.
“There is never a good time for something like this to happen,” said university spokesman David Beharry, in a
statement. “But as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident. Personal and financial information, and all transactions made with the university are secure. We also want to emphasize that we are working to ensure that this incident will not impact our academic or business operations in any way.”
Immediately after discovering the fraud, the university began to pursue criminal and civil actions to trace and recover the funds. It was able to track down more than $11.4 million of the stolen money, found to be in bank accounts in Canada and Hong Kong, the university said. Those funds have been frozen and the university is working with legal counsel in Montreal, London and Hong Kong to pursue civil action to recover them; the status of the balance of the funds remains unknown.