Don't get caught the way the city did: an email cost the city half a million.

Crime 100By Staff

June 27th, 2019



You Have One Security Message From RBC Online Services Center said the email headline.

The message said:

You will need to download the attached document file to proceed with the review process.

Your attachments are saved to your computer in the default download location set by your browser. Open the file and follow the instructions to complete your renewal.

Thank you for your business and we welcome any feedback or questions you may have.
Best wishes,
Patrick Smith, Business Security Operator

There are thousands of people out there sending these phony message – we don’t deal with the Royal Bank so we knew it was a scam.  But for those who do deal with the Royal – how do they know the message is phony?

Look very carefully at who the message was sent from:

RBC scam attempt

That is not the Royal Bank.

Related news story:

City gets hit with a $500,000 + computer scam.

Return to the Front page
Print Friendly, PDF & Email

4 comments to Don’t get caught the way the city did: an email cost the city half a million.

  • david barker

    Penny. Don’t be too harsh. This type of fraud is perpetrated on major corporations that keenly follow risk management protocols. As always it comes down to human error. And by error I mean it is often the desire of the employee to be seen to be providing excellent service and being effeceint at their job. That’s why the fraudster’s target Friday afternoons and lunchtimes to initiate the fraud, because even if the “in person double check” protocol is in place but the contact is unavailable (at lunch or left for the weekend) the employee want to be seen in a good light so very often the employee executes the instruction. I have seen this happen time and time again both at small corporations and at national and international ones.

  • Penny Hersh

    David, thank you for the explanation, if indeed this is what happened. I for one would have called the company to make certain they had indeed changed their banking procedure. I would also think that when there is a change in transfer procedures that the company would have informed the city in advance.

    What this shows me is that there are no checks and balances in place at city hall. A simple phone call could have avoided this.

  • david barker

    Staff & Penny. Are you both sure you have all the facts? I believe the scam you are describing is not the one that the City Staff member fell for. The scam you describe in your article is a very basic and unsophisticated. My understanding is that the City staff member fell for what us quite a sophisticated fraud commonly referred to as “social engineering fraud” (SEF). In an SEF fraud the fraudster targets a person within an organization whose duties include carrying out instructions from a trusted source to transfer funds from one account to another. The recipient account has been designated in the advance by the trusted source. The fraudster spend considerable time monitoring the email traffic of it’s target, noting what security features must be built into an instruction to move funds. Then the fraudster sends an email to the target, which to all intents and purposes looks to the victim that it has been sent by the trusted source. The email address in sender’s box appears to be that of the trusted source, but if one runs the mouse over it, the metadata shows something else. The email instructs the victim to move money but instead of from A to B to move it from A to C (the fraudster’s account). The email has all the correct security features, so the victim makes the transfer. These frauds most often take place at lunch times or on Fridays. Insurance companies do provide coverage for this type of fraud but for coverage to apply will likely require the staff member (victim) or the organization to, in advance of making the transfer, verify the instructions to be valid by way of contacting the trusted source by phone and receiving a verbal confirmation.

    SEF is now very common and many people that you would suspect would never fall foul of.such a trick have indeed been hoodwinked.

  • Penny Hersh

    No bank ever sends emails like this. How many times have the Police told residents not to open these type of emails? It is shocking that an employee for the City of Burlington fell for this. Perhaps city staff need to attend an all day seminar on how to avoid being scammed? I hope the employee responsible for this is suitably embarrassed and perhaps moved to another department. This money is gone – there is no way to recoup it.