City of Ottawa recovers more than 90% of funds lost in latest fraud transaction

Supported By:

Net Patrol International Inc.  Data Investigation and Forensic Services
Bankruptcy and Insolvency Trustees

Fraudsters hacked Salvation Army email to solicit funds from the city.

The City of Ottawa has managed to get back more than 90 per cent of the $558,000 it lost after fraudsters hacked the email of a non-profit supported by the city. 

To do so, the city said it hired outside legal counsel to expedite the recovery process, according to a memo released Wednesday. 

On April 19, the city filed a statement of claim in Toronto court that said fraudsters — still unknown to the city — hacked the email of the executive director of the Salvation Army Ottawa Booth Centre, Marc Provost, with the intent of defrauding the city. 

The fraudsters emailed one of the city’s program co-ordinators for partnerships and funding on March 23 requesting the city change the organization’s banking details to add a TD bank account. 

The email — from Provost’s real email — included a letter with details about the new bank account on TD bank letterhead, the claim said. 

It also looked like it copied other senior members of the Booth Centre team, but the people behind the hack had registered the false domain name of, which is very similar to the Salvation Army Ottawa Booth Centre’s real domain:, and used emails attached to the fake domain.

After a series of emails were exchanged, the city transferred the $558,233 on April 1. 

Stolen email login used in Nigeria, claim says

On April 11, this time using a fake email address for the director, the fraudsters thanked the city for the money and attempted to get the city to deposit more money into the TD bank account. They tried again on April 14. 

The city discovered the fraud on April 12 and contacted its bank, the Royal Bank of Canada, according to the statement of claim. RBC told the city the TD account in question was frozen by the next day, but the funds had already been transferred out. 

Looking into the incident, the city found Provost had not sent the email, but rather the Salvation Army had been hacked and the TD bank account did not belong to the organization. 

Its investigation also found Provost’s credentials were used to log into the Salvation Army’s network in Lagos, Nigeria, according to the claim. 

As part of the city’s legal filings naming several banks, the financial institutions were required to trace the money and temporarily freeze any accounts where the stolen funds were deposited, as well as disclose any relevant information discovered during the tracing process. 

The Salvation Army did not say whether its own finances have been affected by the hack, only that it was working with third-party experts to investigate the incident. 

This is at least the second time the city has lost thousands of dollars as a result of a fake email. In 2019 the city treasurer acted on an email from someone pretending to be the city manager and wired around $130,000 Cdn to a U.S. bank account. 

In this latest incident, the city was able to recover more than half of the stolen funds by April 22, and as of Wednesday it now has $523,000 back — 93.7 per cent of the total.

In Wednesday’s memo, the city said it expects nearly 100 per cent of the funds to be recovered.

This article was originally sourced by