Last week the story broke of an unfortunate example of how a Canadian university was hit by phishing attacks, losing $9.5M in the process. This was a targeted phishing attack: the attackers emailed invoices from an address that appeared to belong to one of the school’s actual vendors, Clark Builders, a company doing work on a large construction project for the university.
The attackers sent three separate invoices, and the university disbursed funds in three separate wire transfers. The university only learned of the fraud when the actual vendor contacted them asking about payment. The school had transferred CA$11.8 million (which translates approximately to the US$9.5M mentioned above).
The large amount of funds defrauded is a good example of why universities are among the top targets for these kinds of attacks: they have a lot of cash ready to be paid out for big projects, such as the construction project in this example. Because of their high visibility, universities are also easy targets to identify. Additionally, negative publicity from a story like this can significantly affect a university’s ability to achieve its strategic objectives, for instance fundraising for future projects and investment.
The university said that they’re going to add processes for disbursement approval, an indication that they’ve assessed their processes as part of the reason this happened. Of course, reviewing the defensive capabilities of their people and technologies would also be advisable. People should be trained and made aware of the risks, as well as of the procedures for responding appropriately and promptly to such threats. Technologies such as gateway filtering may be relevant in this instance; however, the preliminary information gives no indication of a technology failure.
For an organization like a university, good procedures for responding immediately to the negative publicity would also be advisable.