The City of Ottawa’s treasurer was duped in an email scam, unknowingly transferring nearly US$100,000 to a phoney supplier, councillors heard Monday.
Auditor general Ken Hughes and his audit staff revealed the results of a fraud investigation, laying out the sequence of events that led to treasurer and corporate services general manager Marian Simulik’s wiring US$97,797.20 to a fake supplier, thinking it was a legitimate email from her boss, city manager Steve Kanellakos.
Simulik received the email on July 6, 2018 and approved the funds.
On July 11, 2018, Simulik received another email, again looking like it was from the city manager, asking for US$154,238. When she talked with the city manager, he said he had no knowledge of the request. The money transfer in the July 11 request wasn’t made and the treasurer alerted the city’s information technology department and staff called the Ottawa Police Service.
But the $97,797.20 of taxpayer money was already gone.
According to the auditor general, Ottawa police at the time said that since the wire transfer was completed, there was nothing they could do.
As it turns out, the U.S. Secret Service was monitoring an American bank account tied to the fraudulent money transfers. U.S. authorities seized US$88,000, but those funds also included payments from another victim. The city is now hoping to recover some of its funds.
A man was arrested in relation to the U.S. criminal investigation. His trial in Miami is scheduled to start in July.
“It was pure luck (the Secret Service) were monitoring this particular account,” Hughes said.
Hughes said there was no indication of wrongdoing by city staff.
It was a spoof email that tricked Simulik. The fraudster’s actual email address could have been revealed by hovering a cursor over the city manager email address.
Here’s what the fraudster wrote to the treasurer, as laid out in Hughes’s investigative report:
“Okay, I want you to take care of this for me personally, I have just been informed that we have had an offer accepted by a new international vendor, to complete an acquisition that i have been negotiating privately for some time now, in line with the terms agreed, we will need to make a down payment of 30% of their total, Which will be $97,797.20. An announcement is currently being drafted and will be announced next week, once the deal has been executed, for now, I don’t want to go into any more details. Until we are in a position to formally announce the acquisition I do not want you discussing it with anybody in the office, any question please email me. Can you confirm if international wire transfer can go out this morning?”
The rest is history.
Kanellakos said the treasurer was the victim of a “whaling” cyber attack, which targets high-level executives in an organization.
Someone tried to trick the treasurer before July, too.
According to the auditor general, an email in spring 2018 came in from someone purporting to be the chief executive of the Ottawa Public Library asking for funds. The email, however, didn’t have the required banking information. When the library executive was contacted for banking details, she said she never sent the original email. There was no money transfer, but it wasn’t reported to the city’s technology security or the auditor general.