Canadian IT Blog

City of Ottawa Becomes a Victim of Cybercrime

Written by Team CITI | April 30, 2019

Even the most savvy can find themselves duped. High-level executives and public officials have found themselves targeted by cybercriminals. The attackers can take multiple months or longer harvesting information about their target in order to launch an attack that doesn't raise any suspicion. The results can be crushing—both financially and personally. The sums lost can be enormous—often 6-plus figures. However, equally important are the emotional and otherwise personal damages. Discovering that you have been tricked into doing something foolish can be personally humiliating and reputationally harmful. Imagine that you are at the pinnacle of your career, highly respected by your peers, and well known in your community because of your senior public-facing position. Then one day you find out that not only have you sent an enormous sum to a fraudster, but you were also on the verge of sending a second enormous sum to the same dirty trickster. Let us tell you about the terrible, no good, very bad day of a senior executive with the City of Ottawa.

 

The Target at the City of Ottawa

 

Marion Simulik, City Treasurer for the City of Ottawa, had the terrible misfortune of being targeted and tricked into sending more than $100,000 to a fraudster in the United States. More specifically, she sent US $97,797.20, roughly the equivalent of CAD $130,000, to an American cybercriminal. She did so at what appeared to be the request of the city manager, who asked that she pay a supplier. Simulik reached out to a supplier to verify the details, and over the course of a few hours they emailed back and forth. Simulik then paid what she thought was a legitimate bill at the request of her boss. Revelling in their success, the cyber bad guy reached out to Simulik a second time a few days later, once again pretending to be the city manager, and requested that she pay an additional $150,000 to the same supplier. Thankfully, the second request came at a time when Simulik was with the city manager, and she asked him about the payment. Once they realized the email was a phishing email (also called a whaling email when the targets are CEOs or senior-level public servants), the Ottawa police were contacted.

In a fortunate turn of events, the fraudsters transferred the original payment from one US account to a second US account, and the second account was being watched by the US Secret Service. Within a month, the US authorities reached out to the City of Ottawa to inform them that they were victims of cybercrime (which they already knew). Given that the second account was being monitored, there is a good chance that the City of Ottawa will get some of its money back.

By all accounts, Simulik is a responsible and well-respected steward of finances for the City of Ottawa and was terribly embarrassed by the incident. She gave a statement to city council in which she said: "That I should be the target and victim of this sophisticated attack has affected me deeply both professionally and personally." Indeed, she was an unwitting victim targeted by cybercriminals in a sophisticated plan, and if it could happen to her, it could happen to anyone.

 


 

New City of Ottawa Cybersecurity Measures

 

Once it became aware of how sophisticated and insidious these attacks can be, the City of Ottawa took steps to protect itself from future cyber scams. Steps taken to avoid such phishing scams include:

 

  1. Automatic warnings when emails come from an external source
  2. No employee now has the ability to both create and approve a wire transfer
  3. The City of Ottawa is also working on mandatory cyber-awareness training for city staff
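
The first two measures can be expressed as small, testable rules. The sketch below is an added example, not code from the City of Ottawa or CITI; the domain `city.example`, the `[EXTERNAL]` tag, the function and class names, and the sample messages are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"city.example"}  # assumed placeholder, not the city's real domain
TAG = "[EXTERNAL] "                  # assumed wording of the warning

def is_external(msg):
    """True unless the From address is in an internal domain (empty From fails closed)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS

def tag_external(raw):
    """Measure 1: prefix the subject of externally sourced mail with a warning tag.
    Assumes the mail gateway already rejects mail that forges an internal From domain."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    if is_external(msg) and not subject.startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = TAG + subject
    return msg

class WireTransfer:
    """Measure 2: the person who creates a transfer can never be the one who approves it."""
    def __init__(self, creator, payee, amount):
        self.creator, self.payee, self.amount = creator, payee, amount
        self.approver = None

    def approve(self, approver):
        if approver == self.creator:
            raise PermissionError("creator cannot approve their own wire transfer")
        self.approver = approver

    def releasable(self):
        return self.approver is not None

# Constructed sample messages: same display name, different sender domains.
SPOOFED = ("From: City Manager <manager@city.example.invalid>\n"
           "To: treasurer@city.example\nSubject: Supplier payment\n\nPlease pay today.\n")
GENUINE = ("From: City Manager <manager@city.example>\n"
           "To: treasurer@city.example\nSubject: Budget meeting\n\nSee you at 3.\n")

if __name__ == "__main__":
    print(tag_external(SPOOFED)["Subject"])
    print(tag_external(GENUINE)["Subject"])
    transfer = WireTransfer("treasurer", "Supplier (constructed)", 1000)
    try:
        transfer.approve("treasurer")
    except PermissionError as err:
        print("blocked:", err)
    transfer.approve("deputy_treasurer")
    print("releasable:", transfer.releasable())
```

The tag only tells the reader that the sender is outside the organization; the second rule is what stops a single convinced employee from releasing funds alone.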



If you're interested in reading more about the City of Ottawa phishing attack, CBC and The Ottawa Citizen covered the story.

 

The best defence against phishing attacks is ongoing education through security awareness training. To book a cybersecurity session for your team, get in touch with CITI.