Five internal controls to prevent a MacEwan phishing fraud
These basic internal accounting controls could have easily stopped a $12m fraud says CPA professor
TORONTO – When MacEwan University, Edmonton’s second-largest university, was recently defrauded for almost $12 million, the news was reported as a sophisticated phishing attack. Nothing could be further from the truth, says Chartered Professional Accountant Karim Jamal, who calls the fraud a breakdown of very basic internal controls.
Professor Jamal, FCPA, FCA, is the chair of the department of accounting, operations and information systems at the University of Alberta. He says the scam, which occurred when university staff were convinced to change electronic banking information by a series of fake emails, could have been prevented by following five simple steps:
1. Agree upon an authorized contact person at the vendor.
MacEwan University owed Edmonton-based Clark Builders almost $12 million to complete construction on a new, $181-million building called Allard Hall. Clark Builders had been a MacEwan vendor since 2003 and was owed a $9-million final payment. Yet no one contacted Clark when the phishing emails were received.
“Someone at Clark Builders should have been designated contact person,” says Jamal. “A CFO or controller who is authorized to initiate changes to the terms of the contract. This high-level person’s signature, email, phone number, and address should all be on file, and only this person can authorize changes — setting up accounts, changes in billing, payments and invoicing.”
2. Verify all contract changes by phone, never email.
As reported by the Edmonton Journal, three MacEwan staffers made three payments to the bogus account over a nine-day period in August with the university paying out $1.9 million, $22,000, and finally $9.9 million.
“That conversation cannot be done just by email,” says Jamal. “Because you don’t know who’s on the other side in this world. It could be anyone, anywhere. You must call your contact, especially for something unusual like a bank account change.” Professor Jamal notes that a banking change is “infrequent and hugely consequential.” It should have been verified with a phone call to an authorized contact.
3. Send a change form to your contact person.
In 2016, the University of Lethbridge in Alberta reported that it lost about $368,000 in a similar scam. Both cases could have been avoided had the institutions sent a simple change form to an authorized contact and asked for it to be filled out and signed. “You would have all the details on file, including a signature, which could have been verified,” says Jamal.
4. Implement different payment systems.
Basic controls would include two or three different payment systems with authorizations driven by materiality says Jamal. Low-level transactions can be processed by managerial staff but the higher the payment, the higher in position is the authorizer, with a two or three-step approval process for the large transactions.
“MacEwan says junior-level staff got fooled,” according to Jamal, “but they had no business processing the payment. It’s a managerial failure, it’s not a failure of the low-level staff.”
5. Send a confirmation notice to the vendor following every payment.
The MacEwan scam was uncovered when Clark Builders failed to receive its payments. The company found that odd and called the university. But Professor Jamal points out that the fraud would have been caught earlier if a simple notice of payment had been automatically emailed to the contact person when the invoices were processed.
Jamal says phishing attacks are the simplest of cybercrime. The fraud could have been perpetrated easily by fraudsters visiting construction sites and noting the companies and their clients. In this case, the criminals created a copycat Clark Builders website and then went on a phishing expedition, probably baiting more than one procurer.
Nevertheless, five simple best practices for Chartered Professional Accountants would have saved the day. “It’s very basic,” says Jamal, incredulously. “If I assigned this to my class, most of them would guess at least some of this stuff. The people at the senior level in MacEwan were not paying attention and their internal controls were very lax.
“The CFO should really be asked, ‘What kind of shop are you running?’ If I was him, I’d be a little bit nervous.”
Colin Ellis is the editor-in-chief of Canadian Accountant.