August 16th, 2019
BURLINGTON, ON
It’s old news to Burlington – we got hit for just half a million. The City of Saskatoon says it has lost $1 million in an online scam.
An avid Gazette reader brought this one to our attention.
Saskatoon City manager Jeff Jorgenson says a fraudster electronically impersonated the chief financial officer of a construction company that has a contract with the city.
He says the culprit asked to have a payment sent to a new bank account and the city complied.
It has hired experts to try to recover the money.
Burlington might want to get the name of that expert.
Saskatoon is reviewing its financial controls to make sure it is secure from future attacks.
“The fraudsters are becoming more and more sophisticated, and our controls and systems have to become more and more sophisticated as well.”
Saskatoon’s Mayor decided to go public with the fraud to be up front with taxpayers and warn others so it doesn’t happen to them.
Two years ago, MacEwan University in Edmonton reported that it had been defrauded of $11.8 million when three staff members were fooled into changing the electronic banking information of a construction company.
Having loosey-goosey security procedures in place didn’t keep us off the Maclean’s magazine Best Place to Live list.
Hans, generally you are right. But in this type of fraud, where the fraudsters are impersonating a trusted outside source (client or supplier), even if the individual had checked with a more senior official, even with the mayor, that would have had no beneficial effect. To be an effective precaution, the individual or a senior manager must be sure to call the supposed source of the emailed instruction to use a different destination account so as to gain direct verbal confirmation of the change in transfer instruction.
Any payment over a few thousand $ should require verification plus approval from a senior official; the greater the amount, the higher the level of authority required. For a million $, the City Manager should surely have to approve it.
And don’t municipalities share their experiences? If they haven’t created a “sharing best practices” newsletter yet, it’s time to do it.
In order to obtain insurance for this specific type of electronic fraud, known in the insurance industry as “social engineering fraud”, insurers generally require some very basic risk management protocols to be followed. It requires the person receiving an instruction to send funds to a different account from the one previously agreed upon to make direct verbal contact with the individual who purportedly sent the instruction and obtain that person’s confirmation and verification of those instructions.
You might also want to consider that if the fraudsters had successfully hacked the email account of the sender and actually sent an instruction from that account, then the sender might have some liability for the loss.
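The two controls the commenters describe, a call back to the contact number already on file for the supplier (never a number supplied in the email itself) and an approver whose authority scales with the amount, can be written down as a small payment-release check. The following is an added illustration, not code from the Gazette, the City of Saskatoon or any insurer; the vendor record, the 555 phone numbers, the account identifiers and the dollar thresholds for each approval tier are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Approval tiers (constructed values): the larger the payment, the more
# senior the approver.  Rank 1 = payments clerk ... rank 4 = City Manager.
APPROVAL_TIERS = [
    (5_000, 1, "payments clerk"),
    (50_000, 2, "department manager"),
    (250_000, 3, "CFO"),
    (float("inf"), 4, "City Manager"),
]


def required_approver(amount: float) -> tuple[int, str]:
    """Lowest rank allowed to approve a payment of this size."""
    for ceiling, rank, title in APPROVAL_TIERS:
        if amount <= ceiling:
            return rank, title
    raise ValueError("no tier covers this amount")


@dataclass
class Vendor:
    name: str
    account_on_file: str
    phone_on_file: str  # captured at onboarding, never updated from an email


@dataclass
class ChangeRequest:
    vendor: str
    new_account: str
    amount: float
    phone_in_request: Optional[str] = None  # number the email asks staff to call
    callback_verified: bool = False
    approver_rank: int = 0
    log: list = field(default_factory=list)


class PaymentControl:
    def __init__(self, vendors: dict[str, Vendor]):
        self.vendors = vendors

    def record_callback(self, req: ChangeRequest, number_called: str,
                        vendor_confirmed: bool) -> bool:
        """Count a verbal confirmation only if the call went to the number on file."""
        vendor = self.vendors.get(req.vendor)
        if vendor is None:
            req.log.append("unknown vendor; nothing to verify against")
            return False
        if number_called != vendor.phone_on_file:
            req.log.append(f"callback to {number_called} ignored: not the number on file")
            return False
        req.callback_verified = vendor_confirmed
        req.log.append("callback to number on file: "
                       + ("change confirmed" if vendor_confirmed else "change denied by vendor"))
        return vendor_confirmed

    def approve(self, req: ChangeRequest, approver_rank: int) -> None:
        """Record the most senior approval obtained so far."""
        req.approver_rank = max(req.approver_rank, approver_rank)
        req.log.append(f"approved at rank {approver_rank}")

    def release(self, req: ChangeRequest) -> tuple[bool, str]:
        """Decide whether the payment may go out to the requested account."""
        vendor = self.vendors.get(req.vendor)
        if vendor is None:
            return False, "unknown vendor"
        if req.new_account != vendor.account_on_file and not req.callback_verified:
            return False, "bank details changed but no verbal confirmation on the number on file"
        rank, title = required_approver(req.amount)
        if req.approver_rank < rank:
            return False, f"amount {req.amount:,.0f} needs approval by {title} or above"
        return True, "release"


def scenario() -> list[tuple[bool, str]]:
    """Run one impersonation attempt and one genuine change through the control."""
    vendors = {"Acme Construction": Vendor("Acme Construction", "CA-000111", "306-555-0100")}
    ctl = PaymentControl(vendors)
    outcomes = []

    # Constructed impersonation: the email names a new account and supplies
    # its own "direct line" on which the change can be "confirmed".
    fraud = ChangeRequest("Acme Construction", "CA-999999", 1_000_000,
                          phone_in_request="306-555-0199")
    ctl.record_callback(fraud, fraud.phone_in_request, vendor_confirmed=True)  # wrong number
    ctl.approve(fraud, 4)
    outcomes.append(ctl.release(fraud))
    ctl.record_callback(fraud, "306-555-0100", vendor_confirmed=False)  # real CFO denies it
    outcomes.append(ctl.release(fraud))

    # Genuine change: confirmed on the number on file, first approved one tier short.
    legit = ChangeRequest("Acme Construction", "CA-222333", 1_000_000)
    ctl.record_callback(legit, "306-555-0100", vendor_confirmed=True)
    ctl.approve(legit, 3)
    outcomes.append(ctl.release(legit))
    ctl.approve(legit, 4)
    outcomes.append(ctl.release(legit))
    return outcomes


if __name__ == "__main__":
    for ok, reason in scenario():
        print("RELEASED" if ok else "HELD", "-", reason)
```

The point of the design is that the callback number comes from the vendor master record, so a contact number embedded in the request can never satisfy the check, and that even a fully approved payment is held until the change has been confirmed on that number.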