On August 23, 2017, MacEwan University determined it was the victim of a spear phishing attack after discovering $11.8 million intended for one of the university’s major vendors was transferred to a bank account controlled by criminals.
SFU IT Services and Financial Services have been closely monitoring the situation. This notice is intended to raise awareness of this risk, tell you what we’re doing to protect SFU, and let you know how you can help.
What happened at MacEwan University?
A series of fraudulent emails convinced MacEwan University staff to change electronic banking information for one of the university’s major vendors, resulting in $11.8 million being transferred to criminals. After the fraud was discovered, MacEwan University immediately conducted an interim audit of business processes, and controls were put in place to prevent further incidents.
The Edmonton Police Service and law-enforcement agencies in Montreal and Hong Kong are actively working to resolve the criminal aspects of the case.
What is a spear phishing attack?
Spear phishing is a targeted form of phishing in which fraudulent emails are sent to specific individuals in an effort to gain access to confidential information. Tactics include impersonation of a trustworthy entity and use of urgent language when requesting sensitive information or actions. The objective of spear phishing and phishing is ultimately the same: to trick people into revealing confidential information.
Does SFU have controls to protect against this type of attack?
Everyone, in their work and personal lives, has a risk of exposure to spear phishing attacks. Being cognizant of the risks associated with electronic transmission of funds to vendors, SFU Financial Services previously established prevention procedures which include highly restrictive access to change vendor banking information and independent confirmation procedures to authenticate requests. Subsequent to the MacEwan University fraud, SFU Financial Services has reviewed these procedures and is satisfied the current procedures provide for effective prevention.
What else is SFU doing to mitigate the risk of an attack?
Spear phishing attacks such as the one at MacEwan University serve as a reminder to everyone in the university community of the importance of data and system security.
IT staff at SFU are working together to educate faculty and staff about information security, including how to identify a phishing attack.
What can you do?
When it comes to security, you are the first line of defense. You can help by:
- Keeping virus detection and system software up to date;
- Safeguarding your SFU Computing ID and password;
- Being wary of links and attachments in emails;
- Watching out for spear phishing and similar attacks;
- Checking source and destination email addresses before replying;
- Following established business procedures carefully;
- Reporting phishing emails using the Report Phishing button in SFU Connect; and
- Backing up your data safely.
Important: Departments within SFU, including IT Services and Financial Services, will never ask for passwords by email or telephone.