Last week MacEwan University in Edmonton, Alberta, Canada confirmed that it lost US $9.5 million after falling victim to a email phishing scam.
It released a statement on Thursday, explaining that that a ‘series of fraudulent emails convinced staff to change electronic banking information for one of the institution’s major vendors’. $9.5 million was then transferred to an account that staff believed belonged to the vendor.
“These funds have been frozen and the university is working with legal counsel in Montreal, London and Hong Kong to pursue civil action to recover the money,” the university said in a statement. “The status of the balance of the funds is unknown at this time.”
Experts revealed that that the incident highlights the threats posed by phishing scams.
“One thing has always been the same in phishing attacks: social engineering, i.e., luring people into clicking on a link and providing information so it can be captured and sent off to a drop zone,” explained William MacArthur, threat researcher at digital threat management firm RiskIQ, via email. “Phishing actors adjust the same way a security analyst would so it’s like a constant game of chess, except they have more pieces and [are] always on the offensive.”
The spread of phishing has spread beyond the inbox to mobile apps, social media and instant messaging platforms, according to MacArthur, making it an even more dangerous phenomenon.
What stands out, however, is the continued exposure to these attacks, in this case via email. It is fundamental that all those with access to an organisations computer, whether it be a university or hospital, have adequate – even basic – security training to avoid these costly scenarios.
Agari works closely with education organisations around the world, and recognises the threat phishing attacks pose to universities.
John Wilson, Field CTO at Agari, comments: “MacEwan University is only the latest in a long line of universities falling victim to phishing attacks, but is notable for the eye-watering $9.5m that was stolen.”
“Universities are a favourite target of deceptive email attacks thanks in part to their complex networks of suppliers and partners. While there should be policies in place to verify payments, it is unfair to blame staff or expect them to spot these deceptive emails, as a well-researched fake can appear identical to genuine emails.”
“Instead, MacEwan and all other institutions should focus their efforts on ensuring that these emails never reach their staff in the first place. However, the traditional signature-based email security measures still relied on by most organisations can do little to stop targeted phishing attacks, as there are no malicious attachments or keywords for scanners to detect.”
“In order to counter these more sophisticated attacks, organisations should use identity-based security measures that are able to determine that an email has really come from a trusted source. If details don’t match up, the email can be quarantined and analysed for signs it’s a malicious attack”