Canadian university loses $11.8m in email phishing scam
Employees at MacEwan University were led to believe a client was changing account details

A Canadian university has lost almost C$12 million after a phishing scam tricked staff into paying money into a fraudulent bank account.
Employees at MacEwan University in Alberta received emails that suggested one of its main clients was changing its banking details and that future funds should be routed to the new account.
The university said the change resulted in C$11.8 (7.5 million) being sent to the account thought to have belonged to the vendor, but realised soon after that it had been a phishing scam.
The majority of the funds has been traced to accounts in Canada and Hong Kong, according to a statement released by the university on Thursday. It added that the suspected accounts had been frozen pending civil action to recover the funds.
"There is never a good time for something like this to happen," said university spokesperson David Beharry. "But as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident."
Personal and financial information, including any details relating to recent transactions, were unaffected by the scam and remain secure, according to the statement.
The university said it is working with the Edmonton Police Service, as well as law enforcement agencies in Montreal, Hong Kong, and security departments of the banks affected.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Although controls have now been put in place to prevent a similar incident in the future, the university said it had identified that safeguards around the changing of banking details had been inadequate, and that numerous opportunities to detect the fraud had been missed.
Research conducted last year found that almost a third of employees were still falling for phishing scams of this kind, which is particularly concerning given that only one malicious email needs to bypass detection to cause serious damage to an organisation.
The university said it is working to ensure that the incident does not impact the academic and business operations of the institute, and that further updates will be released in the coming weeks.
Photo by WinterE229 / CC BY 2.0
Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.
-
The IT industry’s shift to circular, low-carbon solutions
Maximize your hardware investment and reach your sustainability goals with HP’s Renew Solutions
-
Lenovo ThinkPad X9 14 Aura Edition review
Reviews This thin and light ultraportable will draw you in with its vibrant screen – but it isn't as powerful as some of its competitors
-
Capita tells pension provider to 'assume' nearly 500,000 customers' data stolen
Capita told the pension provider to “work on the assumption” that data had been stolen
-
Gumtree site code made personal data of users and sellers publicly accessible
News Anyone could scan the website's HTML code to reveal personal information belonging to users of the popular second-hand classified adverts website
-
Pizza chain exposed 100,000 employees' Social Security numbers
News Former and current staff at California Pizza Kitchen potentially burned by hackers
-
83% of critical infrastructure companies have experienced breaches in the last three years
News Survey finds security practices are weak if not non-existent in critical firms
-
Identity Automation launches credential breach monitoring service
News New monitoring solution adds to the firm’s flagship RapidIdentity platform
-
Neiman Marcus data breach hits 4.6 million customers
News The breach took place last year, but details have only now come to light
-
Indiana notifies 750,000 after COVID-19 tracing data accessed
News The state is following up to ensure no information was transferred to bad actors
-
Pearson fined $1 million for downplaying severity of 2018 breach
News The SEC found the London-based firm made “misleading statements and omissions” about the intrusion