Court documents outline the series of alleged incidents that ended in the Edmonton Economic Development Corporation with a $ 375,000 cyber scam at the end of 2018.
‘L’ is missing in an email address.
That was the key that allowed an alleged fraudster who was running phishing fraud against Edmonton Economic Development Corporation (EEDC), making up $ 375,000.
“It was as simple and difficult at the same time,” said EEDC's vice-president Terry Curtis, in an interview on Friday.
A greeting filed by EEDC at the Queen's Bench Court in Edmonton gives some clarity about how the heist might have happened.
A revised claim statement filed 25 March naming a company with a number of incumbent, Sithira Pranavan Arutjothy, as defendants.
CIBC and TD Bank are also named as defendants. EEDC received court orders for the banks to disclose information that allowed the agency to trace the money lost.
The claims in the documents have not been proved in court.
EEDC is a publicly funded city agency with a range of interests, including marketing and promotion, convention center management, and business development.
One of her roles includes promoting tourism in Edmonton, partly through advertising at Edmonton International Airport.
As a result, an invoice of € 375,000 for tourism advertisements from the Edmonton Regional Airport Authority sent October 31 last year was only part of normal business, Curtis said.
But then the email arrived.
On 27 November, EEDC received an email from a familiar contact at the airport, advising that check payments would no longer be accepted. The agency was instructed to pay its invoice for the advertisements electronically, or by bank or wire transfer, according to court documents.
EEDC sent the payment electronically the same day.
Less than a month later, on December 20, the agency received a warning from CIBC that TD was trying to confirm the validity of the transaction because the beneficiary named in the transfer – the authority of the airport – did not correspond to the bank account beneficiary, namely a company. with a number. EEDC checked with the airport, and realized what had happened.
The only clue, and one lost by EEDC staff, was that 'L' was missing in the impostor email suffix: it should have been “@ flyeia.com,” but for “@ Fyeia.com. ”
But how did the alleged thief know to whom to imitate? And how did they know that the airport even sent an invoice to EEDC, let alone the exact amount owed?
Error Very simple error '
Curtis said that EEDC believed that a hacker had broken into the network and had seen emails and directed quietly for a while before selecting someone to imitate.
“Being one letter away in an email address that mimics a known person we talk to every day from day to day. It was just a very simple error, ”said Curtis.
He said that EEDC knew where all the money came to an end.
“It was shared, went to a number of directions. There are pieces of it that are still in accounts frozen, some of it was converted into cash, and some of it has been tied in third party transactions, ”he said.
When the scam was discovered, Curtis said the whole organization was surprised.
Within a week, new financial controls and checks were in place. Ongoing cyber security training is now available to all staff who have access to the EEDC network. Employees made simple security upgrades, including resetting password and validating two factors.
Curtis said that there was also a strategy in place to increase digital security by monitoring their network in real time, keeping track of weaknesses, technological upgrades, and creating response and recovery plans if another attack occurred.
“We take it seriously, and aim to be a leading cyber security practice,” said Curtis.
The EEDC claim that has been filed with the court seeks recovery not only the money lost, but also calls on Arutjothy and his company to pay an additional $ 250,000 in compensation. Protection statement has not yet been filed.
The police have also been informed of the alleged breach.