skip to content
Contact
Click to open search Open mobile navigation menu Close mobile navigation menu
Home

A Canadian city falls victim to $558K spear phishing scam

gavel icon

Introduction to the case

Fraudsters hack a not-for-profit to solicit funds from a municipal government

The municipal government of a Canadian city was scammed out of more than half a million dollars after a phishing email tricked a staff member into changing banking information to redirect funds into the fraudsters’ account. 

The fraudsters had hacked the email account of a not-for-profit organization (NPO) that received funding from the city. They also forged bank letters and used a fake domain name to mislead city staff. 

Luckily, this phishing scam has a happy ending.

hand holding money icon

Details of the fraud

The fraud attack, which took place in March and April 2022, is a clear example of spear phishing, where fraudsters send emails from a trusted sender they impersonate to trick targeted individuals into revealing confidential information or taking specific action.

Sometime in March 2022, fraudsters hacked the email account of the NPO’s executive director.
Once the hackers gained access to the executive director’s email account, they impersonated him in an email to the city’s funding coordinator and advised that there was an update to the NPO’s account information.
The fraudsters managed to convince the city to change the NPO’s account information to a fraudulent one that they controlled.
On April 1, the city transferred a payment of $558,233 intended for the NPO into the fraudsters’ bank account.
The fraudsters impersonated the executive director on two more occasions, on April 11 and 14, each time asking the city to deposit another payment into the fraudulent account. But by that time, city officials realized something was amiss.

person in magnifying glass icon

How did the fraudsters commit the crime?

The fraudsters used several tactics to make their outreach appear legitimate: 

  • They registered a fake domain that was very similar to the NPO’s official domain.
  • The email sent to the city’s funding coordinator copied two other high-ranking executives at the NPO. Both email addresses used the fake domain and looked very “official”.
  • The fraudulent email also included an attachment with a fake letterhead made to look like a letter from the NPO’s bank and signed by the head of treasury management services.

After sending several follow-up emails from (purportedly) the NPO’s executive director, the fraudsters convinced the city to change the banking information it had on file for the NPO and electronically wire half a million dollars to the fraudulent bank account. The city executed the transaction believing it was transferring funds to the NPO’s legitimate bank account.

legal icon

What was the outcome?

The city noticed irregularities in its payments to the NPO on April 11 and took immediate action. It notified the police about the fraud incident and directed its bank to cancel the transfer. The bank quickly placed a hold on the receiving account, but the transaction had already been completed. The city also launched an internal investigation and notified city council of the breach.

To recover the funds, the city filed a court claim naming several Canadian banks as defendants. An emergency motion led to a court order requiring the banks to trace the funds and put a temporary freeze on any accounts where the money was deposited. By April 22, the city had recovered more than 90% of the funds and subsequently recovered the entire amount.

To expedite the recovery process, the city hired outside legal counsel for support.

security alert icon

How could this have been prevented?

Luckily, this phishing incident ended favourably for the fraud victim, but not all fraud cases end with the funds being recovered. Public institutions and private businesses can learn helpful fraud prevention tips from this case: 

Man looking at laptop in an office, with large windows behind him
  1. Verify the legitimacy of emails or requests that ask for urgent actions, payments, or account changes.
  2. Avoid using your official work email account to sign up for third-party software, services, or applications that are not work-related.
  3. Always double-check website and email domains before responding or providing sensitive information. Fraudsters try to trick victims by using similar or looking like domains or emails.
  4. Never open attachments from unknown senders.
  5. Educate your employees to recognize and avoid phishing attempts.
    • Conduct regular training and tabletop exercises that simulate phishing attacks to ensure staff know how to respond appropriately.
    • Develop and enforce a process for addressing changes requested for vendor bank accounts and payment details.
    • Install email security software and monitor sensitive accounts on a regular basis to detect phishing attacks in their early stages.

How can BDO help

BDO can help the public and private sector detect, prevent, and mitigate email phishing scams and other types of fraud by providing attack simulation training and implementing cybersecurity controls to help identify and monitor any suspicious activities early on.

We offer digital forensics and end-to-end eDiscovery services covering all phases of fraud investigation. Our experienced teams can preserve and analyze email communications to reconstruct the timeline of attack, conduct a thorough probe to understand how the fraudsters gained access, and develop strategies to prevent email fraud in the future.

Reach out to improve your fraud resilience:

Alan Mak
Partner and National Leader, Forensic Disputes & Investigations
416-941-6387

LinkedIn
View bio
Chetan Sehgal
Partner, Advisory
416-775-7812

LinkedIn
View bio
Suzanne Schulz
Partner, Forensic Disputes & Investigations
403-213-5423

LinkedIn
View bio
Rocco Galletto
Partner, National Cybersecurity Leader
289-266-1403

LinkedIn
View bio
Ziad Akkaoui
National Practice Leader, Risk Advisory
416-865-0111

LinkedIn
View bio

More Fraud Deconstructed

Want to gain deeper insights into effective strategies for fraud prevention and detection? Explore more Fraud Deconstructed case studies.

Case study
Fraud Deconstructed: Manipulating expenses to achieve promised profits
June 04, 2024
How did expense manipulation to inflate profits lead to massive fines for a large food and beverage company?
Read more
Infographic
Fraud Deconstructed: Lessons learned from the Theranos fraud scandal
June 04, 2024
Former tech unicorn Theranos rose to a valuation of $9 billion. We explore the factors behind the company's downfall.
Read more
Case study
Fraud Deconstructed: Lessons in due diligence at JP Morgan
June 04, 2024
We analyze the importance of investor due diligence for risk mitigation.
Read more
Case study
Fraud Deconstructed: Learn anti-money laundering strategies to better avoid fina...
June 04, 2024
How can your business avoid involvement in money laundering? Learn the red flags as we explore a financial fraud scheme.
Read more
Case study
Fraud Deconstructed: How an executive assistant embezzled a whopping $22 million
June 04, 2024
A former employee embezzled $22 million from her employer. Could this have been avoided? Our case study deconstructs the fraud details and shares stra...
Read more
Case study
Fraud Deconstructed: How a key provincial program became a target of employee fr...
June 04, 2024
We explore an occupational fraud scheme targeting an Ontario COVID-19 aid program and share fraud mitigation strategies.
Read more
Infographic
Fraud Deconstructed: How a former Netflix VP orchestrated a brazen pay-to-play f...
June 04, 2024
A case study breaking down a pay-to-play fraud scheme at Netflix to help you prevent procurement fraud in your business.
Read more
Case study
Fraud Deconstructed: Exposing a fraud ring that stole millions in pandemic relie...
June 04, 2024
Learn how scammers defrauded loan programs under the U.S. CARES Act and ways the fraud could have been prevented.
Read more
Case study
Fraud Deconstructed: Eight fraudsters charged for alleged securities fraud
June 04, 2024
How can you avoid securities fraud? Our case study breaks down a pump-and-dump scam to help you watch for red flags.
Read more
Case study
Fraud Deconstructed: A Canadian city falls victim to $558K spear phishing scam
June 04, 2024
How did a Canadian city fall victim to a spear phishing scam?
Read more
Case study
Fraud Deconstructed: Cryptocurrency execs charged for $2.4 billion Ponzi scheme
June 03, 2024
How can investors avoid crypto scams? Recognize the red flags as we break down a massive cryptocurrency Ponzi scheme.
Read more
Case study
Fraud Deconstructed: Crypto giant hit with criminal charges and SEC penalties
June 03, 2024
Fraud deconstructed: Crypto giant faces criminal charges and massive penalties
Read more
Case study
Fraud Deconstructed: Breaking down bank fraud at Transmar
June 03, 2024
How did three executives commit millions in bank fraud? Learn case details and fraud prevention tips in our case study.
Read more

This site uses cookies to provide you with a more responsive and personalised service. By using this site you agree to our use of cookies. Please read our privacy statement for more information on the cookies we use and how to delete or block them.

Accept and close