Edmonton Economic Development hires Deloitte to investigate phishing attack
On Wednesday, the Edmonton Economic Development Corporation (EEDC) said it has been defrauded of $375,000 by as-yet-unknown entities. The agency has brought in Deloitte to provide investigation services.
“We are working with authorities and legal counsel to determine if the funds can be recovered,” the EEDC said in a statement.
The municipal agency receives money from various sources to spur Edmonton’s economy. A common task at the EEDC is collecting money from entities like the federal and municipal governments, then funneling it to particular projects, making it a juicy target for fraudsters.
“We were notified by our bank in late 2018 that there were irregularities in a transaction and at the beginning of January, we confirmed that there was fraudulent activity and we commenced an investigation,” Terry Curtis, EEDC vice president of corporate relations, said in an interview with Global News. “I can’t give a lot of information on the phishing scheme itself because there is an ongoing investigation with the authorities as well as some third parties that we’ve invited to do some cybersecurity investigations for us.”
In addition to a cybersecurity investigation, Deloitte will also provide the EEDC recommendations for preventative measures. This sort of project is likely to be handled primarily by the firm’s forensics practice, under its Financial Crime Advisory service line. Within, Deloitte helps clients address the entire financial crime lifecycle, including compliance, prevention, detection, investigation, remediation, testing, and monitoring, drawing on experts from multiple practices (such as tech and cybersecurity).
EEDC will also work with auditor Grant Thornton to dig into the details of the particular transaction to ensure it was a solitary occurrence. Curtis said the EEDC will also educate and retrain its employees to be more cyber-savvy.
The details of the phishing scam are as yet under a veil of secrecy because of the ongoing police investigation. The agency did not divulge which individual or company was impersonated by the unidentified digital fraudsters. The EEDC has, however, put in place new log-in verifications for employees who use the agency’s online systems.
"We understand the nature of the attack; we don't know where the bad actor is, who the bad actor is, how it transpired," Curtis told the CBC.
Edmonton Mayor Don Iveson, meanwhile, was understandably perturbed by the financial loss, calling the situation "very concerning."
"Those are public dollars in the hands of EEDC to achieve economic goals," Iveson told the CBC. "EEDC is not unique, but clearly this will need to be investigated."
As organizations and payments march towards full digitalization, the threat of cyber fraud swells - especially for those sending out large sums of money. A lack top-notch processes or properly trained staff magnifies the risk.
In 2017, MacEwan University in Edmonton was defrauded of $11.8 million after staff failed to make a verification call to a vendor after receiving fraudulent emails requesting a change in banking information. As such, the university mistakenly paid out the amount to the fraudulent account. Most of the money was recovered after being traced to accounts in Hong Kong and Montreal.