An Edmonton university says it was the victim of an email “phishing attack” that resulted in the transfer of $11.8 million to a bank account staff believed belonged to a vendor.
MacEwan University said “inadequate” controls on banking information played a role in the fraud, which was discovered Aug. 23.
The fraud involved three transactions of varying amounts, the university said. Several opportunities to identify the fraud were missed.
Most of the money — more than $11.4 million — has been traced to accounts in Canada and Hong Kong, the university said in a news release Thursday.
The funds have been frozen, the university said, adding it is working with legal counsel in Montreal, London and Hong Kong to pursue civil action to recover the money.
The status of the rest of the missing money isn’t known.
“A series of fraudulent emails convinced university staff to change electronic banking information for one of the university’s major vendors,” the news release said.
When the fraud was discovered, the university notified authorities, including the Edmonton Police Service, law-enforcement agencies in Montreal and Hong Kong, and the corporate-security units of banks involved with the electronic transfer of funds.
The news release said the university has conducted an interim audit of business processes and has put in controls to prevent further incidents.
An investigation will determine what permanent business-process controls will be put in place, the university said.
Its internal audit group has asked outside experts to help in an “extensive multifaceted investigation” that has already started.
Final results of the review are expected within a few weeks.
MacEwan said is has notified “key stakeholders” including the advanced education minister and the auditor general’s office.
MacEwan spokesperson David Beharry said in the news release that the university wants to assure…