University employees were fooled by phishing email asking them to change banking information for one of their main vendors.

MacEwan University blames admin error for losing $11.8m dollars. They said no safeguards were in place before. University says now more than 1 person would be required to change any banking information so this does not happen again.

The fraud happened when hackers created a website that looks exactly like university’s main vendor’s website.  After sending phishing emails, hackers asked university to pay millions of dollars of service fees university normally pays but with different banking information.

It only took 9 days to lose $11.8m before anyone realized that something was up. First was for $1.9m , second payment was for $22,000 and then last one was for $9.9m. Maybe they would have lose more money if not for actual vendor calling them to see why they have not been paid yet.

Some people were surprised how university that advises students to watch out for phishing attacks gets duped itself:

This story is wacky. I just can't… how does a university fall for a phishing scam!? https://t.co/VlzUPq4kxr

— Emma Graney (@EmmaLGraney) August 31, 2017

Where did the money go? The money was initially transferred to an account in Montreal, and then off to 2 different accounts in Hong Kong.

University does not think it was a collusion between university employees and hackers. Employees were entry level employees. University also says they expect to recover the funds and going to be able to meet all their financial obligations.