A missing ‘L’ in an email address.
That was the key that allowed an alleged fraudster, who ran a phishing scam against the Edmonton Economic Development Corporation (EEDC), to make away with $375,000.
“It was so simple and so tricky at the same time,” EEDC vice president of communications Terry Curtis said in an interview Friday.
A lawsuit filed by EEDC in Edmonton’s Court of Queen’s Bench provides some clarity about how the heist could have happened.
An amended statement of claim filed March 25 names a numbered company and its incorporator, Sithira Pranavan Arutjothy, as defendants.
CIBC and TD Bank are also named as defendants. EEDC obtained court orders for the banks to disclose information that allows the agency to trace the lost funds.
The allegations in the documents have not been proven in court.
EEDC is a publicly funded city agency with a variety of interests, including marketing and promotion, convention centre management, and business development.
One of its roles includes promoting tourism in Edmonton, in part through advertising at the Edmonton International Airport.
As such, a $375,000 invoice for tourism ads from the Edmonton Regional Airport Authority sent Oct. 31 last year was just part of the normal course of business, Curtis said.
But then the email arrived.
On Nov. 27, EEDC received an email from a familiar contact at the airport, advising that payments by cheque would no longer be accepted. The agency was directed to pay its invoice for the ads electronically, or by bank or wire transfer, according to court documents.
EEDC sent the payment electronically the same day.
Less than a month later, on Dec. 20, the agency received notice from CIBC that TD was attempting to confirm the legitimacy of the transaction because the beneficiary named in the transfer — the airport authority — did not match the bank account’s beneficiary, which was a numbered company. EEDC checked with the airport and realized what had happened.
The only clue, and one that was missed by EEDC staff, was that an ‘L’ was missing in the impostor email suffix: it should have been “@flyeia.com,” but was instead “@fyeia.com.”
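A one-letter difference like this is easy for a person to miss and easy for a mail filter to catch. The following is an added example, not part of the original article or anything EEDC is reported to use: it compares a sender's domain against an allow-list of known payee domains and flags near-misses. The function names, the distance threshold of 2 and the sample From headers are assumptions made for illustration; only the two domains come from the article.

```python
from email.utils import parseaddr

# The legitimate domain named in the article; a real allow-list would hold every payee domain.
TRUSTED_DOMAINS = {"flyeia.com"}

def edit_distance(a: str, b: str) -> int:
    """Edits (insert, delete, substitute, swap adjacent letters) turning a into b."""
    prev2, prev = [], list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Domain of the address in a From header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    _, at, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if at else ""

def classify(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched trusted domain or None)."""
    domain = sender_domain(from_header)
    if not domain:
        return ("unparseable", None)
    for t in sorted(trusted):
        if domain == t or domain.endswith("." + t):
            return ("trusted", t)
    for t in sorted(trusted):
        if edit_distance(domain, t) <= max_distance:
            return ("lookalike", t)  # hold for out-of-band verification
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed From headers; only the two domains come from the article.
    for header in ["Airport Accounts <ar@flyeia.com>",
                   "Airport Accounts <ar@fyeia.com>",
                   "Newsletter <news@example.org>"]:
        print(header, "->", classify(header))
```

A "lookalike" verdict is the case that matters for payment instructions: the message should be held until the change is confirmed through a phone number or contact already on file, not one supplied in the email.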
But how did the alleged thief know who to impersonate? And how did they know that the airport even sent EEDC an invoice, let alone the exact amount owing?
‘A really simple error’
Curtis said EEDC believes a hacker broke into the network and quietly observed email and direct messages for a while before choosing someone to impersonate.
“Being one letter off in an email address that is impersonating a known person that we speak to every day — day in, day out. It was just a really simple error,” Curtis said.
He said EEDC knows where all the money ended up.
“It was split up, it went in a number of directions. There are portions of it that are still in frozen accounts, some of it was converted into cash, and some of it is tied up in third-party transactions,” he said.
When the scam was discovered, Curtis said the whole organization was shocked.
Within a week, new financial controls and checks were in place. There’s now ongoing cyber security training for all staff with access to the EEDC network. Employees made simple security upgrades, including password resets and two-factor authentication.
Curtis said there’s also a strategy underway to increase digital security through real-time monitoring of their network, keeping an eye out for vulnerabilities, technological upgrades, and the creation of response and recovery plans should another attack occur.
“We’re taking it very seriously, and aiming to be leading practices around cyber security,” Curtis said.
EEDC’s claim filed with the court seeks recovery of not only the funds that were lost, but also calls for Arutjothy and his company to pay an extra $250,000 in damages. A statement of defence has not yet been filed.
The alleged breach has also been reported to police.
Copyright Postmedia Network Inc., 2019