University defrauded when staff failed to verify emails requesting changes to banking information
April 5, 2018 (Courtesy of CBC.ca ) – After months of legal wrangling, Edmonton’s MacEwan University has recovered nearly all of the $11.8 million lost to an online phishing scam.
In a statement Wednesday, MacEwan said it was able to recover $10.92 million before concluding legal proceedings.
“MacEwan’s administration credits the recovery of such a large percentage of the funds — just over 92 per cent — to the swift response and diligent efforts of an internal team at the university, legal counsel in several jurisdictions, fraud units at the banks involved in the transactions and law enforcement agencies,” the statement said.
After it was discovered last August, the fraud prompted Advanced Education Minister Marlin Schmidt to instruct all university board chairs in the province to review their financial controls.
Wednesday’s statement from MacEwan said it now has stronger financial controls including mandatory IT security training for staff and improved vendor verification protocols. Schmidt said he’s glad to see the university has improved its safeguards.
“I’m very pleased that MacEwan has made significant progress on recovering the money, as well as the improvements that they have made in their financial processes and control,” Schmidt told reporters at the legislature.
“We raised some significant concerns last summer when this issue came to light and we’re very pleased with the progress that they’re making.
The university was defrauded last summer when staff failed to verify as legitimate emails requesting a change in banking information for one of its vendors.
Three payments were made to a fraudulent account: one on Aug. 10 for $1.9 million; another on Aug. 17 for $22,000 and a third on Aug. 19 for $9.9 million.
MacEwan discovered the fraud after the legitimate vendor, a construction company, called to ask why it hadn’t been paid.
At the time, MacEwan spokesperson David Beharry said most of the missing money — $11.4 million — was traced to a bank account in Montreal and to two accounts in Hong Kong. He said $6.3 million was seized from the Montreal account and action was taken to freeze the two Hong Kong accounts.
He also said three employees involved were not high-level staffers and the university did not believe there was any collusion. He did not say if the three had been suspended or reprimanded.
On Wednesday, Beharry said auditors determined human error made the scam possible.
“We didn’t have the proper controls in place,” Beharry said. “Since then we have changed that, the reporting structure. The reporting structure has to go through a manager or a director, so there’s multiple levels of checks and balances now.
“The university looked at all its processes after this and we knew we were at fault, and that’s why I’m here to tell you that it was our fault and we accept that.”
The Edmonton Police Service and other police agencies are still investigating the fraud.
No charges have been laid in the case, police said.
