Fraudsters almost swindled the Royal Canadian Mint with payroll 'spoofing' scam - Action News
Home WebMail Friday, November 22, 2024, 09:39 AM | Calgary | -11.8°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Politics

Fraudsters almost swindled the Royal Canadian Mint with payroll 'spoofing' scam

The Royal Canadian Mint fell for whats known as a spear phishing scam and almost forked a former employees pay cheque over to a malicious actor. The details of the breach were included in a recently obtained access to information request.

Canadian Anti-Fraud Centre says spear-phishing scams increasingly difficult to investigate.

A "malicious actor" masquerading as a former Mint employee reached out to the Crown corporation's human resources department pretending to need a change to their bank account details. (Reuters)

The Royal Canadian Mint fell for what's known as a "spear-phishing" scam and almost forked over anemployee's paycheque to fraudsters, according to a breach reportobtained through access to information.

Spear-phishing is a type of fraudwhich seesswindlers carefully collect information on a target in order to impersonate them. It'sone of the "most common and most dangerous attack methods" and it's getting increasingly difficult to investigate, says a bulletin issued by the Canadian Anti-Fraud Centre last month.

In the Mint's case, a "malicious actor" masquerading as a former Mint employee reached out to the Crown corporation's human resources department back in February. The scam artistrequesteda change to a real former employee's bank account information for payroll purposes, according to a copy of the incident report obtained by CBC News through access to information.

After some back-and-forth emails, a human resources worker at the Mint thinking they were talking to the real former employee changed the banking information. They also gave the fraudster a pay stub, as requested.

Luckily, the receiving bank rejected the payroll deposit. The funds were returned to the Mint and theformer employee lost nothing.

The surrendered pay stub, however,included the former employee's address, employee number, payroll information (including annual salary) and the last four digits of her bank account.

"It's regrettable that there was a privacy breach," said Alex Reeves, senior manager of public affairs for the Mint.

"We take this kind of thing very seriously and you can't let down your guard when it comes to preventing that sort of thing."

Significant losses are common

Jeff Thomson, a senior RCMP intelligence analyst with the Canadian Anti-Fraud Centre, said the agency is seeing a rise in payroll spoofing scams, a variation of spear-phishing.

The scamsucceeds because it's hard to detect and exploits an existing relationship of trust, he said.

"Oftentimes it can result in significant losses," Thomson said. "It typically falls in our top two in terms of dollar loss in the amount of money that the victims can lose."

According to recent figures, more than a half a million dollars has been lost to spear-phishing and wire fraud scams so far this year.

A spokesperson for the Royal Canadian Mint says no money was lost in the spear-phishing attempt. (Brent Lewin/Bloomberg)

The Mint later found out the affected individual was a victim of identity theft and had been hit with fraudulent credit card activity.

The report says the malicious actor (or actors) used the former employee's social insurance number and date of birth in those credit card transactions. The Mint said there's no evidence to suggest that information came from the Crown corporation.

The former employeehas reached out to Ottawa Police and the Mint said it has cooperated with the investigation.

Thomson said spear-phishing scams are often international inscope and hard to investigate.

"So the tactics the fraudsters employ certainly make it more difficult to track them down," he said. "And it's challenging in investigating when you're crossing jurisdictions."

While spear-phishingemails can be sophisticated, Thomson said people should watch out for spelling errors, unsolicited messages or emails from high-ranking officials who aren't normally in contact with the subject. Other red flags in spear-phishing messagesinclude requests forabsolute confidentiality or attempts toramp up pressure on the target.

Reeves said the Mint has taken corrective measures, including security and privacy training tailored to its human resources department.

"Phishing and scams like that are a concern facing organizations like ours on a regular basis," he said. "We have to be vigilant."

Add some good to your morning and evening.

Your weekly guide to what you need to know about federal politics and the minority Liberal government. Get the latest news and sharp analysis delivered to your inbox every Sunday morning.

...

The next issue of Minority Report will soon be in your inbox.

Discover all CBC newsletters in theSubscription Centre.opens new window

This site is protected by reCAPTCHA and the Google Privacy Policy and Google Terms of Service apply.