MacEwan University recovers $10.92 million
MacEwan University has announced that legal proceedings to recover funds lost in an August 2017 phishing attack are now concluded. The university recovered $10.92 million of the $11.8 million that was stolen.
MacEwan’s administration credits the recovery of such a large percentage of the funds—just over 92 per cent—to the swift response and diligent efforts of an internal team at the university, legal counsel in several jurisdictions, fraud units at the banks involved in the transactions and law enforcement agencies.
The university has put stronger financial controls in place to prevent further incidents and is implementing IT security awareness and training programs for its staff and faculty.
On Wednesday, August 23, 2017, MacEwan University was hit by an email phishing attack. A series of fraudulent emails convinced university staff to change electronic banking information for one of the university’s vendors, Clark Builders.
The scam resulted in the transfer of $11.8 million to a bank account that staff believed belonged to Clark Builders. Immediately after the fraud was discovered, the university began working with legal counsel to pursue civil action to recover the money.
In December 2017—following an extensive, multifaceted audit of business processes—the university implemented strict financial controls and workflow processes to prevent incidents such as these from happening again. A number of permanent changes were made to the university’s control environment:
Employees are required to verify all changes to vendor master files by phone and with a follow-up email confirmation. All changes are reviewed by the employee’s supervisor, manager or director before they take effect within the university’s financial system.
A supplier audit report system was implemented. This report shows all changes made to vendor information and is used by the supervisor, manager or director when reviewing and approving changes to vendor master files.
In addition, MacEwan is implementing mandatory training solutions to improve its employees’ understanding of social engineering attacks, phishing and other online scams. The university will also continue its IT security awareness campaign.