MacEwan phishing attack prompts caution

Alberta university taken for $11.8 million in targeted email fraud

Hugh Burley, manager of information security with TRU Information Technology Services. (Juan Cabrejo/The Omega)

On Aug. 23 MacEwan University was defrauded $11.8 million in a phishing cyberattack. The university received emails asking them to change account information for one of their vendors. University staff made the change without confirming that the messages came from the vendor they thought they were dealing with.

The Edmonton, Alta. post-secondary institution realized their mistake when the legitimate vendor contacted them to ask why they had not yet been paid. The money was then traced to accounts in Montreal and Hong Kong and has now been frozen in those accounts.

Hugh Burley the Manager of Information Security at Thompson Rivers University says that last year alone the information security office responded to about 12,000 phishing attempts.

Burley says that he thinks that problem with MacEwan was a lack of financial control and not following proper financial processes by verifying the source and getting approval from someone in a senior position before making a major change in where vendor payments are sent.

“In most financial organizations or departments, there will be a second person who has to double check things. You usually need authority from two people to make a major change like that,” Burley said. “We have talked to our AVP of finance Paul Manhas and our VP of finance and admin Matt Milovick and we aren’t really vulnerable that way. We have very good participation from faculty and staff in forwarding us suspicious stuff.”

Burley notes that the MacEwan phishing attack was pretty straightforward in nature and it is along the line of something TRU might receive.

“I think we are always vulnerable, but maybe not quite as much as MacEwan was,” Burley said.

Although it can be hard to know the legitimacy of an email, Burley said there are ways for potential victims to identify a phisher before it’s too late. He said not to trust the display name of the person who sent the email and always double check. He also suggested hovering over links to look at where they lead before clicking, checking for spelling errors, not opening any attachments and even considering the salutation at the top of the email.

“Usually if you get an email from your friend it will say ‘Hi Jenn, I just wanted to touch base on our dinner next week.’ So, if you get it from a phisher it might say ‘Hello TRU student’ or your email address or something like that,” Burley said.

Most phishing emails seem very urgent in order to entice people to click or send information without fully evaluating the situation.

“Don’t believe everything you see, just like any process where critical thinking is involved. You have to look at your email and other solicited information and see whether it’s realistic,” Burley said.

One of the keys to avoiding a phishing attack is not giving out any personal information via email.

“TRU has a policy of never asking for information by email. So, we’ll never ask you for your password,” Burley said.

Burley adds that if students or faculty receive any suspicious phishing emails, they can be forwarded to and they will help further evaluate if the email is safe to open or not.

“When in doubt contact us at information security. We are available to students, staff and faculty,” Burley said.