University loses $11.9m in phishing attack

Canada's MacEwan University has been lured into handing over C$11.8 million (A$11.9 million) to malicious actors after falling victim to a phishing attack.  

The university today revealed it had earlier this week been tricked into changing the electronic banking details for one of its major vendor partners through a series of fraudulent emails.

It resulted in the transfer of C$11.8 million to a bank account university staff had believed belonged to the vendor.

“There is never a good time for something like this to happen. But as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident," university spokesman David Beharry said in a statement.

"Personal and financial information, and all transactions made with the university are secure. We also want to emphasise that we are working to ensure that this incident will not impact our academic or business operations in any way.”

After discovering the fraud the university began pursuing efforts to recover the money.

It is working with the Edmonton police force as well as law enforcement in Montreal and Hong Kong and the affected banks to trace and recoup the funds.

So far it has managed to trace C$11.4 million to accounts in Canada and Hong Kong. The money has been frozen as lawyers attempt to recover the funds.

The university said it had no information on the status of the remaining balance at this time.

The theft is one of the largest disclosed cash heists to be perpetrated through a single phishing attack.

MacEwan said it has put in controls to prevent any recurrence and has established an internal audit group to investigate the matter.

“Preliminary assessment has determined that controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed,” the university said in a statement.