
A Canadian city falls victim to $558K spear phishing scam


Introduction to the case

Fraudsters hack a not-for-profit to solicit funds from a municipal government

The municipal government of a Canadian city was scammed out of more than half a million dollars after a phishing email tricked a staff member into changing banking information to redirect funds into the fraudsters’ account. 

The fraudsters had hacked the email account of a not-for-profit organization (NPO) that received funding from the city. They also forged bank letters and used a fake domain name to mislead city staff. 

Luckily, this phishing scam has a happy ending.


Details of the fraud

The fraud, carried out in March and April 2022, is a textbook example of spear phishing: the fraudsters impersonate a sender the target already trusts and tailor the message to a specific individual in order to extract confidential information or prompt a specific action (here, changing the payee's banking details).


Sometime in March 2022, fraudsters hacked the email account of the NPO’s executive director.


Once the hackers gained access to the executive director’s email account, they impersonated him in an email to the city’s funding coordinator and advised that there was an update to the NPO’s account information.


The fraudsters managed to convince the city to change the NPO’s account information to a fraudulent one that they controlled.


On April 1, the city transferred a payment of $558,233 intended for the NPO into the fraudsters’ bank account.


The fraudsters impersonated the executive director on two more occasions, on April 11 and 14, each time asking the city to deposit another payment into the fraudulent account. But by that time, city officials realized something was amiss.


How did the fraudsters commit the crime?

The fraudsters used several tactics to make their outreach appear legitimate: 

  • They registered a look-alike domain that closely resembled the NPO’s official domain.
  • The email sent to the city’s funding coordinator carbon-copied two other senior NPO executives. Both CC addresses were on the look-alike domain and appeared entirely official, lending the request credibility.
  • The email also carried an attachment on a forged letterhead, made to look like a letter from the NPO’s bank and purportedly signed by its head of treasury management services, confirming the new account details.

After several follow-up emails purportedly from the NPO’s executive director, the fraudsters convinced the city to change the banking information it had on file for the NPO and to wire more than half a million dollars electronically to the fraudulent account. The city executed the transaction believing it was paying the NPO’s legitimate bank account.


What was the outcome?

The city noticed irregularities in its payments to the NPO on April 11 and took immediate action. It notified the police about the fraud incident and directed its bank to cancel the transfer. The bank quickly placed a hold on the receiving account, but the transaction had already been completed. The city also launched an internal investigation and notified city council of the breach.

To recover the funds, the city filed a court claim naming several Canadian banks as defendants. An emergency motion led to a court order requiring the banks to trace the funds and put a temporary freeze on any accounts where the money was deposited. By April 22, the city had recovered more than 90% of the funds and subsequently recovered the entire amount.

To expedite the recovery process, the city hired outside legal counsel for support.


How could this have been prevented?

Luckily, this phishing incident ended favourably for the fraud victim, but not all fraud cases end with the funds being recovered. Public institutions and private businesses can learn helpful fraud prevention tips from this case: 

  1. Verify the legitimacy of emails or requests that ask for urgent actions, payments, or account changes.
  2. Avoid using your official work email account to sign up for third-party software, services, or applications that are not work-related.
  3. Always double-check website and email domains before responding or providing sensitive information. Fraudsters rely on look-alike domains and email addresses that differ from the genuine ones by only a character or two, and the forged addresses may appear in the CC or Reply-To fields rather than the From field.
  4. Never open attachments from unknown senders.
  5. Educate your employees to recognize and avoid phishing attempts.
    • Conduct regular training and phishing simulations so staff know how to recognize suspicious messages and how to report them.
    • Develop and enforce a process for verifying any requested change to a vendor’s bank account or payment details, for example a call-back to a contact number already on file (never to a number supplied in the request itself) and approval by a second person before the change takes effect.
    • Deploy email security controls and monitor sensitive accounts on a regular basis so that account compromise and phishing attempts are detected early.
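The two technical signals this case turned on are the look-alike domain behind the CC addresses and the fact that the initial message came from a genuinely compromised mailbox. The following is an added example, not code from BDO or the city, showing how an accounts-payable intake tool could screen every address on an incoming payee email (From, Reply-To and Cc) against the vendor master: it folds common homoglyph substitutions (0/o, 1/l, rn/m), strips Unicode accents, and applies a small edit-distance and substring test. The trusted domain "goodworks-npo.ca", the impostor domain "g00dworks-npo.ca" and the sample headers are constructed for illustration; the page does not name the NPO. Note that a domain check alone would have passed the first email, which came from the executive director's real account, which is why the out-of-band verification step above is still essential.

```python
"""Look-alike domain screening for incoming payee/vendor e-mails.

Added example, not the page's or BDO's own tooling. All domains and
headers below are constructed; the real NPO is not named in the case.
"""
import re
import unicodedata

# Payee domains as recorded in the vendor master (constructed value).
TRUSTED_DOMAINS = {"goodworks-npo.ca"}

# Single-character substitutions fraudsters use to build registrable look-alikes.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Multi-character sequences that render like one letter in many fonts.
_MULTI = [("rn", "m"), ("vv", "w"), ("cl", "d")]

# Extracts the domain part of each address in a header such as "Name <user@host>".
ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")


def normalize(domain: str) -> str:
    """Fold a domain so visually similar strings compare equal (accents, case, homoglyphs)."""
    d = domain.strip().lower()
    d = unicodedata.normalize("NFKD", d).encode("ascii", "ignore").decode()
    d = d.translate(_HOMOGLYPHS)
    for seq, letter in _MULTI:
        d = d.replace(seq, letter)
    return d


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): insert, delete, substitute, transpose."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[-1][-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one sender domain."""
    cand = normalize(domain)
    for t in trusted:
        tn = normalize(t)
        if domain.strip().lower() == t.lower():
            return "trusted"                     # exact match with the vendor master
        if cand == tn:
            return "lookalike"                   # identical only after folding, e.g. g00dworks
        limit = 2 if len(tn) >= 10 else 1       # tighter threshold for short names
        if edit_distance(cand, tn) <= limit:
            return "lookalike"                   # one or two typos away, e.g. .co for .ca
        label = tn.split(".")[0]
        if label and label in cand:
            return "lookalike"                   # trusted name embedded in a longer domain
    return "unknown"


def check_message(headers: dict) -> dict:
    """Classify every address in From, Reply-To and Cc; keyed as 'Field:domain'."""
    findings = {}
    for field in ("From", "Reply-To", "Cc"):
        for dom in ADDR_RE.findall(headers.get(field, "")):
            findings[f"{field}:{dom}"] = classify_domain(dom)
    return findings


def is_suspicious(headers: dict) -> bool:
    """True when any address on the message resolves to a look-alike domain."""
    return any(v == "lookalike" for v in check_message(headers).values())


# Constructed headers mirroring the case: From is the real (compromised) mailbox,
# the two "executives" in Cc are on the impostor domain.
SAMPLE_HEADERS = {
    "From": "Executive Director <director@goodworks-npo.ca>",
    "Cc": "Board Chair <chair@g00dworks-npo.ca>, Treasurer <treasurer@g00dworks-npo.ca>",
}

if __name__ == "__main__":
    for key, verdict in check_message(SAMPLE_HEADERS).items():
        print(f"{key:40s} {verdict}")
    print("suspicious:", is_suspicious(SAMPLE_HEADERS))
```

The edit-distance test is deliberately conservative; with very short trusted domains it can flag unrelated but similarly short names, so a production version would also consult a public-suffix list to compare registrable domains rather than raw strings. The design point is that the screen runs over every address on the message, because in this case the forged addresses sat in the CC line while the From address was genuine.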


How BDO can help

BDO can help the public and private sector detect, prevent, and mitigate email phishing scams and other types of fraud by providing attack simulation training and implementing cybersecurity controls to help identify and monitor any suspicious activities early on.

We offer digital forensics and end-to-end eDiscovery services covering all phases of fraud investigation. Our experienced teams can preserve and analyze email communications to reconstruct the timeline of attack, conduct a thorough probe to understand how the fraudsters gained access, and develop strategies to prevent email fraud in the future.

Reach out to improve your fraud resilience:
