A spoofed email that impersonated the manager of the City of Ottawa tricked the city treasurer into wire-transferring nearly USD$98,000 — or about CAD$128,000 — to a fraudulent supplier in July 2018, according to the city auditor general’s office.
The transfer of USD$97,797.20 from the city’s coffers on July 6 went to an American bank account and was moved again to a second American account at a different institution, which the United States Secret Service happened to be monitoring, according a report released on Monday by the independent Office of the Auditor General (OAG).
By early August 2018, the U.S. Secret Service seized the account and traced some of the money it contained to the transfer made by city treasurer Marian Simulik. As a result, there’s a chance the city may recover some — but not all — of the funds, the OAG said.
Simulik and city manager Steve Kanellakos reportedly realized the July 6 email had been a scam on July 11, when Simulik received a second request for a wire transfer — this time for an extra USD$154,238 – while she was at a city council meeting. That prompted her to ask Kanellakos about the wire transfer requests in person, OAG staff said. When Kanellakos indicated he didn’t know a thing about them, Simulik reported the incidents to the city’s technology security branch.
The treasurer did not process the second requested wire transfer. A visibly emotional Simulik told councillors on the audit committee on Monday that “the sophisticated attack” – which the OAG identified as a common fraud scheme called the “fake CEO scam” – has affected her “deeply both professionally and personally.”
“I’ve prided myself on responsible and professional stewardship of taxpayers’ money for the last 28 years,” she said.
“I want the committee to know that throughout this incident, I believed I was in compliance with city policy and procedures. To my knowledge, I was following instructions given by the city manager, which I do routinely.”
While the amount of money demanded was in line with payments Simulik typically handles as treasurer, Kanellakos described the wire transfer request as “unusual,” telling councillors he’s never had to request payment in that way in the course of his work.
Asked whether the request should have then set off alarm bells for Simulik, Kanellakos said “no” and defended his colleague.
“It seemed like a routine matter, even though I may not have sent something in the past or specifically about this,” Kanellakos told reporters following the meeting. “It was done in a way that it was very familiar in terms of the way the emails went back and forth – from what I saw after – and for her, it would’ve been a routine delegation of authority for me to ask her to do something.”
Kanellakos told councillors the type of attack that targeted Simulik is called “whaling.” These spoofed email addresses prey on senior or high-profile executives with access to company resources and research “relationships, authority levels and writing styles to make the email appear as effective as possible,” he said.
The OAG commended Kanellakos and Simulik for their “prompt actions” to address the issue once they realized what had happened.
During his investigation into the July 2018 incident, Hughes said he requested records of the city’s wire transfers dating back to 2016 and said he found “no evidence” of other fraudulent payments.
Similar spoofed email sent in spring 2018 was never reported
He did, however, find out that the city treasurer received a similar (but not identical) spoofed email requesting a wire transfer back in the spring of 2018 – but that attempt was never reported to the technology security team, nor to the OAG, Hughes said.
The sender appeared to be the CEO of the Ottawa Public Library but the email request didn’t contain any banking information, the OAG’s report said. Treasury branch staff followed up with the library’s actual CEO, who told them she hadn’t sent the original email, and they didn’t process the transfer.
Asked why that attempt was never reported, deputy city treasurer Isabelle Jasmin said the city receives a lot of phishing emails and its policy is to delete them if no interaction with the sender has occurred.
As part of 10 recommendations issued to the City of Ottawa following its investigation, Hughes’ office suggested that staff report “all attempts to defraud the City where City staff have corresponded with and/or begun taking the requested action” to the OAG.
OAG finds ‘dangerous’ weaknesses in wire transfer controls, lack of fraud awareness training at city
The OAG investigation found “dangerous” weaknesses in the controls for the city’s wire transfer process, according to the report, including the absence of any “formal written City authorization limits” on wire transfers and that any one of five authorized employees could, on their own, “both create and release a wire transfer up to $25 million.”
“This has been a difficult learning experience and staff are acting to ensure that history does not repeat itself.”WATCH (Apr. 4, 2018): Edmonton university recovers millions lost in phishing scam
Ottawa police notified of fraudulent transfer, but did not investigate
The city’s technology security branch reported the July 6 fraudulent transfer to the Ottawa Police Service on July 11 but was ultimately told that police couldn’t help them out because the wire transfer has been completed, according to the OAG report.
Now that the OAG investigation is complete (Kanellakos and Simulik had to recuse themselves from the file), the city manager said he plans to have a conversation with the police chief to understand why that decision was taken.
READ MORE: How to avoid email phishing scams
It was the U.S. Secret Service who notified the RCMP when it had seized the phoney supplier’s account and identified the City of Ottawa’s money. The national police force then flagged Ottawa police, who alerted the city on Aug. 3, 2018.
City solicitor Rick O’Connor said he is in contact with authorities in the U.S. He said the individual allegedly responsible for defrauding the city has been arrested and will be tried in Florida later this year.
Auditor general reports on eight other audits in annual report
Hughes and his staff on Monday also presented the office’s latest annual report, which detailed the scope and findings of eight audits from the 2016, 2017 and 2018 work plans.
Councillors appeared particularly frustrated with the findings of an audit of leased, city-owned property conducted between January 2016 and the spring of 2018, which found “inadequate” oversight, deficiencies in records management, “inadequately monitored” overhold leases, no leasing policy, no inventory of vacancies and a lack of required insurance.
“For a city like Ottawa with a very large lease portfolio, council and taxpayers assume that managers are maximizing the return on the investment that the city has in that portfolio,” Hughes said after the meeting. “There is a lot of work that has to be done in the real restate area to ensure that they are maximizing the return on the investment.”
The Office of the Auditor General issued a total of 30 recommendations to city staff in that investigation, and Hughes said the city has agreed to implement them all.
Following the presentation on the annual report, Kanellakos told councillors that city managers are “very diligent” in implementing recommendations from the auditor general, in part because they know the independent office will conduct followups on its audits.