Scam email impersonating Ottawa city manager tricked treasurer into wiring $128K to fraud supplier

A spoofed email that impersonated the manager of the City of Ottawa tricked the city treasurer into wire-transferring nearly USD$98,000 — or about CAD$128,000 — to a fraudulent supplier in July 2018, according to the city auditor general’s office.

The transfer of USD$97,797.20 from the city’s coffers on July 6 went to an American bank account and was moved again to a second American account at a different institution, which the United States Secret Service happened to be monitoring, according to a report released on Monday by the independent Office of the Auditor General (OAG).

By early August 2018, the U.S. Secret Service seized the account and traced some of the money it contained to the transfer made by city treasurer Marian Simulik. As a result, there’s a chance the city may recover some — but not all — of the funds, the OAG said.

Simulik and city manager Steve Kanellakos reportedly realized the July 6 email had been a scam on July 11, when Simulik received a second request for a wire transfer — this time for an extra USD$154,238 – while she was at a city council meeting. That prompted her to ask Kanellakos about the wire transfer requests in person, OAG staff said. When Kanellakos indicated he didn’t know a thing about them, Simulik reported the incidents to the city’s technology security branch.

The treasurer did not process the second requested wire transfer. A visibly emotional Simulik told councillors on the audit committee on Monday that “the sophisticated attack” – which the OAG identified as a common fraud scheme called the “fake CEO scam” – has affected her “deeply both professionally and personally.”

“I’ve prided myself on responsible and professional stewardship of taxpayers’ money for the last 28 years,” she said.

“I want the committee to know that throughout this incident, I believed I was in compliance with city policy and procedures. To my knowledge, I was following instructions given by the city manager, which I do routinely.”

While the amount of money demanded was in line with payments Simulik typically handles as treasurer, Kanellakos described the wire transfer request as “unusual,” telling councillors he’s never had to request payment in that way in the course of his work.

Asked whether the request should have then set off alarm bells for Simulik, Kanellakos said “no” and defended his colleague.

“It seemed like a routine matter, even though I may not have sent something in the past or specifically about this,” Kanellakos told reporters following the meeting. “It was done in a way that it was very familiar in terms of the way the emails went back and forth – from what I saw after – and for her, it would’ve been a routine delegation of authority for me to ask her to do something.”

Kanellakos told councillors the type of attack that targeted Simulik is called “whaling.” These spoofed email addresses prey on senior or high-profile executives with access to company resources and research “relationships, authority levels and writing styles to make the email appear as effective as possible,” he said.

The OAG commended Kanellakos and Simulik for their “prompt actions” to address the issue once they realized what had happened.

During his investigation into the July 2018 incident, Hughes said he requested records of the city’s wire transfers dating back to 2016 and said he found “no evidence” of other fraudulent payments.

Similar spoofed email sent in spring 2018 was never reported

He did, however, find out that the city treasurer received a similar (but not identical) spoofed email requesting a wire transfer back in the spring of 2018 – but that attempt was never reported to the technology security team, nor to the OAG, Hughes said.

The sender appeared to be the CEO of the Ottawa Public Library but the email request didn’t contain any banking information, the OAG’s report said. Treasury branch staff followed up with the library’s actual CEO, who told them she hadn’t sent the original email, and they didn’t process the transfer.

Asked why that attempt was never reported, deputy city treasurer Isabelle Jasmin said the city receives a lot of phishing emails and its policy is to delete them if no interaction with the sender has occurred.

As part of 10 recommendations issued to the City of Ottawa following its investigation, Hughes’ office suggested that staff report “all attempts to defraud the City where City staff have corresponded with and/or begun taking the requested action” to the OAG.

OAG finds ‘dangerous’ weaknesses in wire transfer controls, lack of fraud awareness training at city

The OAG investigation found “dangerous” weaknesses in the controls for the city’s wire transfer process, according to the report, including the absence of any “formal written City authorization limits” on wire transfers and that any one of five authorized employees could, on their own, “both create and release a wire transfer up to $25 million.”

Jasmin said the treasury department has already acted to ensure that no one individual can both create and approve the same transaction, and it is currently reviewing the monetary limits for wire transfers.

“I don’t want this one incident to call into question the effectiveness of our accounts payable process,” Kanellakos told councillors, noting that the city processes more than 350,000 payments every year, valued around $3 billion. “This report did point out some weaknesses in the city’s processes and we’re moving quickly to tighten controls.

“This has been a difficult learning experience and staff are acting to ensure that history does not repeat itself.”

In its investigation, the OAG also identified what it argued was “a lack of fraud awareness” among city staff.

“In January 2018, the findings from a Technology Security phishing test reflected a 26.5 per cent failure rate which is above the industry average of 15 per cent,” the report stated.

The city’s IT department has developed a work plan for “regular fraud awareness messaging for staff” – including automatic warnings about external email senders. The department also recently launched a “corporate-wide, mandatory cyber awareness training program” for employees, Kanellakos told the audit committee.

Ottawa police notified of fraudulent transfer, but did not investigate

The city’s technology security branch reported the July 6 fraudulent transfer to the Ottawa Police Service on July 11 but was ultimately told that police couldn’t help them out because the wire transfer had been completed, according to the OAG report.

Now that the OAG investigation is complete (Kanellakos and Simulik had to recuse themselves from the file), the city manager said he plans to have a conversation with the police chief to understand why that decision was taken.

It was the U.S. Secret Service who notified the RCMP when it had seized the phoney supplier’s account and identified the City of Ottawa’s money. The national police force then flagged Ottawa police, who alerted the city on Aug. 3, 2018.

City solicitor Rick O’Connor said he is in contact with authorities in the U.S. He said the individual allegedly responsible for defrauding the city has been arrested and will be tried in Florida later this year.

Auditor general reports on eight other audits in annual report

Hughes and his staff on Monday also presented the office’s latest annual report, which detailed the scope and findings of eight audits from the 2016, 2017 and 2018 work plans.

Councillors appeared particularly frustrated with the findings of an audit of leased, city-owned property conducted between January 2016 and the spring of 2018, which found “inadequate” oversight, deficiencies in records management, “inadequately monitored” overhold leases, no leasing policy, no inventory of vacancies and a lack of required insurance.

“For a city like Ottawa with a very large lease portfolio, council and taxpayers assume that managers are maximizing the return on the investment that the city has in that portfolio,” Hughes said after the meeting. “There is a lot of work that has to be done in the real estate area to ensure that they are maximizing the return on the investment.”

The Office of the Auditor General issued a total of 30 recommendations to city staff in that investigation, and Hughes said the city has agreed to implement them all.

Following the presentation on the annual report, Kanellakos told councillors that city managers are “very diligent” in implementing recommendations from the auditor general, in part because they know the independent office will conduct followups on its audits.
