A university in Canada is the victim of what is being described as one of the biggest known phishing scams ever. MacEwan University in Edmonton discovered the fraud on Aug. 23, when a construction company it works with asked why it had yet to be paid. But the school had made payments to what it thought was the company: $1.9 million on Aug. 10, $22,000 on Aug. 17, and $9.9 million on Aug. 19—a total of $11.8 million to a fraudulent account, with the money eventually being traced to Canada and Hong Kong, reports the CBC. The school has launched a full investigation, but has preliminarily pegged the scam to a series of emails and a website that used the vendor's authentic logo and claimed the vendor had a new bank account. For now, the school says it is down to "human error," where lower-level staffers failed to verify the bank account change was legitimate, so the transfers went to the phony vendor.
Canada's advanced education minister issued a statement expressing his disappointment. "This is unacceptable," he says. "I expect post-secondary institutions to do better to protect public dollars against fraud." The loss is 10% of the university's entire annual operating grant from the Alberta government, reports the Edmonton Journal, with a $118 million grant provided in 2015 for the school's $237.1 million budget. One expert calls it the "single largest publicly disclosed amount I've seen" lost to a phishing scam, while noting that private companies may have fallen victim to similar scams but have not been required to disclose the amount lost. MacEwan says its computer systems have not been compromised, per the Toronto Star, and that it expects to recoup the $11.4 million it's managed to trace, though $400,000 remains missing. (Even bank CEOs have been fooled by phishing scams.)