A Canadian University Fell For A Phishing Attack And Transferred $11.8 Million To A Random Bank Account

    The phishing attack included "the authentic logo and everything," according to a university spokesperson.

    A Canadian university says it fell for an email scam and ended up transferring $11.8 million to a bank account administrators thought belonged to a school vendor.

    MacEwan University / Via Facebook

    Edmonton's MacEwan University says staff received a series of phishing emails over the summer that convinced them to change banking information for one of the school's major contractors. Staff then made three payments to a bank account belonging to the scammers, with a final transfer on Aug. 19 of $9.9 million.

    The fraud was only discovered when the actual vendor contacted the school looking for payment.

    “The university does not believe there has been any sort of collusion," MacEwan spokesperson David Beharry told reporters in a Thursday press conference. "We really believe this is simply a case of human error.”

    Global News / Via globalnews.ca

    According to Beharry, the transfers were made by low-level staff, and he said the university would change its process to require "secondary and tertiary" levels of approval in the future.

    The phishing attack targeted the university's payment department with "an email address that appeared to originate from the vendor" that led staff to "a domain site with the authentic logo and everything," he said.

    Law enforcement, working with bank investigators, have traced $11.4 million to accounts in Canada and Hong Kong, and managed to freeze those funds. Beharry said there was a good chance the school would recover that money, although it's unclear how quickly that might happen.

    According to The Griff, the school's student newspaper, MacEwan University ran a campus-wide phishing awareness campaign over the last year.

    Ishmael N. Daro is a reporter for BuzzFeed News and is based in Toronto. PGP fingerprint: 5A1D 9099 3497 DA4B

    Contact Ishmael N. Daro at ishmael.daro@buzzfeed.com.

    Got a confidential tip? Submit it here