Ontario brewery lost $2.1 million in email bank scam

Another Canadian company has fallen for an email invoice scam.

Waterloo Brewing, an Ontario maker of beers, said it recently fell victim to a “social engineering cyberattack by a sophisticated third party” that resulted in the wire transfer of $2.1 million earlier this month.

Details were sketchy, but the company said in a news release Nov. 21 that someone pretended to be the employee of a brewery creditor and requested the money transfer.

Often called a business email compromise scam, these incidents usually involve a criminal telling a person in the finance department that their company has changed banks or bank accounts and funds should now be sent to the new account.

The brewery has tried and failed to recover the money. It has notified Waterloo Region Police, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) and the United States’ Finance Crimes and Enforcement Network (FinCEN).

Private sector firms, municipalities and churches have been among the victims of this type of scam, which relies on people who receive these email requests trusting they came from a real person. Sometimes the attacker impersonates a senior executive of the victim’s own firm.

Usually, the attacker spoofs the trusted person’s email to enhance credibility or hacks an official’s email so the sender’s address is legitimate.

Related story: How the city of Ottawa was stung by email fraud

There are several strategies organizations can use to fight this kind of scam. First, staff handling money have to be trained to be suspicious of email requests to change bank accounts and independently verify them. That means not calling a telephone number in the email to confirm the move, because that likely means calling the attacker. Internal email messages should be colour-coded to distinguish from those coming from outside the enterprise. That will highlight a message from a purported company official if it is being spoofed from an outside email address.

Related story: How to reduce the odds of business email fraud

“It’s all about social engineering,” said Dinah Davis, vice-president of Arctic Wolf Networks, a California-based SOC-as-a-service firm with a large development team in Waterloo. As a result, employee awareness training is vital, she said. Part of that is emphasizing the need for independent verification of requests for bank account changes or large transfers of funds.

She also said it’s easy for email admins to either colour-code external messages or flag them with an “External” tag automatically added to the subject line.


Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs