News / Edmonton

MacEwan University defrauded nearly $12 million in phishing scam

According to a spokesperson, a series of fake phishing emails convinced university staff to change the banking information for one of their major vendors

MacEwan University spokesperson David Beharry

Omar Mosleh / Metro

MacEwan University spokesperson David Beharry

MacEwan University is out nearly $12 million dollars due to an online phishing scam.

On August 23, MacEwan officials discovered the university was the victim of a phishing scam, which is when a fraudster convinces someone to send personal or financial information by posing as a reputable company. A series of fake emails convinced university staff to change electronic banking information for one of the university’s major vendors.

According to MacEwan spokesperson David Beharry, the fraud resulted in the transfer of $11.8 million to an account staff believed belonged to the vendor.  

“There was a lot of disappointment and frustration because this came down to human error … We need to find out what went wrong so this never happens again,” he said at a media availability on Thursday.

The funds have been traced to bank accounts in Montreal and Hong Kong. About $11.4 million has been frozen, but the status of the balance of funds is currently unknown.

University spokesperson David Beharry said three individuals from MacEwan were involved in the error and they do not believe it was an inside job. The payments were sent in three transactions.

The university is working with Edmonton Police Service, law enforcement agencies in Montreal and Hong Kong as well as the corporate security units of the banks involved.

They are also working with legal counsel in Montreal, London and Hong Hong to attempt to recover the money.

“It’s always risky … we have to go through the legal process, but we are fairly confident we’ll be able to recover those funds,” Beharry said.

Once the scam was discovered, MacEwan says they immediately conducted an interim audit of business practices and are putting in tighter controls to prevent future similar incidents.

“We have ensured there is going to be a secondary and tertiary level of approval … We are looking at the levels of staffing it must go through for authorization.”

“It’s a huge issue. And that’s why we’re taking this so seriously,” Beharry said.

According to a preliminary assessment, the university says they have determined controls around how staff changed vendor banking information were inadequate and that “a number of opportunities” to identify the fraud were missed.

Beharry said their information technology systems are secure, and personal and financial information held by the university is not at risk.

More on