Don’t blame your employees when you’re phished in

Don’t blame your employees when you’re phished in: the shame of MacEwan University.

MacEwan University Phished In

At the end of August, MacEwan University announced it had been phished in to the tune of $11.8 million. Scammers tricked the University into redirecting payments for a construction vendor to bank accounts in Montreal and Hong Kong.

A spokesperson for the University blamed “low-level” employees for being fooled by the scammers.

Shame on MacEwan University

Really? Blame “low-level” employees? It’s the responsibility of the managers (or business owners) to educate themselves and their employees about phishing scams.

It’s the responsibility of the managers (or business owners) to create strong financial policies and procedures that prevent such fraud.

Shame on MacEwan University for blaming their employees.

What was the hook?

Apparently the university received emails purporting to be from their construction vendor. The phishers crafted emails that used the vendor's official logo (a simple cut and paste) and sent them from a similar-looking domain name (for example, joesconstruction101.ca versus joesconstruction.ca).

Why didn’t someone call the vendor directly about the change?
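A check that accounts payable could run on incoming vendor mail to catch the lookalike-domain trick described above and force the call-back to the vendor. This is an added example, not part of the original post; the vendor list, phone number and keyword pattern are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed vendor master file: domain on record -> call-back number on record.
VENDORS = {"joesconstruction.ca": "+1-555-0100"}
BANK_CHANGE = re.compile(r"bank(ing)? (account|details|information)|new account|remit", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to catch typo domains a few characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Domain of the address in a From: header, ignoring the display name."""
    return parseaddr(from_header)[1].rsplit("@", 1)[-1].lower().rstrip(".")

def classify_sender(from_header, vendors=VENDORS):
    """Return ('known' | 'lookalike' | 'unknown', matched vendor domain or None)."""
    dom = sender_domain(from_header)
    for good in vendors:
        if dom == good or dom.endswith("." + good):
            return "known", good
    squashed = re.sub(r"[\d-]", "", dom)  # undo digit/hyphen padding
    for good in vendors:
        name = good.split(".")[0]
        if name in squashed or edit_distance(dom, good) <= max(1, len(good) // 5):
            return "lookalike", good
    return "unknown", None

def triage(from_header, body, vendors=VENDORS):
    """Decide what accounts payable should do with a vendor e-mail."""
    verdict, vendor = classify_sender(from_header, vendors)
    if verdict == "lookalike":
        return f"HOLD: sender imitates {vendor}; call {vendors[vendor]} (number on file)"
    if BANK_CHANGE.search(body):
        # Even a genuine-looking sender gets a call-back before bank details change.
        number = vendors.get(vendor, "the number on file")
        return f"HOLD: bank change request; verify by phone via {number}"
    return "OK: no payment change requested"
```

The call-back number always comes from the vendor record, never from the e-mail being checked.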

Fallout

The Advanced Education Minister for Alberta, Marlin Schmidt, said it was unacceptable the university fell victim to this scam.

“While I’m told that MacEwan has put improved internal financial controls to help prevent it from happening again, I expect post-secondary institutions to do better to protect public dollars against fraud,” Schmidt said in a statement.

“That’s why I’ve instructed all board chairs to review their current financial controls.”

That’s right. It’s not the employees’ fault. It’s the managers and the board that are responsible, be it a public institution or a business.

On September 21, MacEwan University announced that its Vice President of Finance, Brent Quinton, “has left his position to pursue other opportunities”. Hopefully these other opportunities mean more supervision and fewer responsibilities.

How to avoid the hook

I did a little video on small business phishing some months back.