The Royal Canadian Mint fell for what’s known as a “spear-phishing” scam and almost forked over an employee’s paycheque to fraudsters, according to a breach report obtained through access to information.
Spear-phishing is a type of fraud in which swindlers carefully collect information on a target and use it to craft a convincing message, often by impersonating someone the target trusts. It’s one of the “most common and most dangerous attack methods” and it’s getting increasingly difficult to investigate, says a bulletin issued by the Canadian Anti-Fraud Centre last month.
In the Mint’s case, a “malicious actor” masquerading as a former Mint employee reached out to the Crown corporation’s human resources department back in February. The scam artist requested a change to a real former employee’s bank account information for payroll purposes, according to a copy of the incident report obtained by CBC News through access to information.
After some back-and-forth emails, a human resources worker at the Mint — thinking they were talking to the real former employee — changed the banking information. They also gave the fraudster a pay stub, as requested.
Luckily, the receiving bank rejected the payroll deposit. The funds were returned to the Mint and the former employee lost nothing.
The surrendered pay stub, however, included the former employee’s address, employee number, payroll information (including annual salary) and the last four digits of her bank account.
“It’s regrettable that there was a privacy breach,” said Alex Reeves, senior manager of public affairs for the Mint.
“We take this kind of thing very seriously and you can’t let down your guard when it comes to preventing that sort of thing.”
Significant losses are common
Jeff Thomson, a senior RCMP intelligence analyst with the Canadian Anti-Fraud Centre, said the agency is seeing a rise in payroll spoofing scams, a variation of spear-phishing.
The scam succeeds because it’s hard to detect and exploits an existing relationship of trust, he said.
“Oftentimes it can result in significant losses,” Thomson said. “It typically falls in our top two in terms of dollar loss in the amount of money that the victims can lose.”
According to recent figures, more than half a million dollars has been lost to spear-phishing and wire fraud scams so far this year.
The Mint later found out the affected individual was a victim of identity theft and had been hit with fraudulent credit card activity.
The report says the malicious actor (or actors) used the former employee’s social insurance number and date of birth in those credit card transactions. The Mint said there’s no evidence to suggest that information came from the Crown corporation.
The former employee has reached out to Ottawa Police and the Mint said it has cooperated with the investigation.
Thomson said spear-phishing scams are often international in scope and hard to investigate.
“So the tactics the fraudsters employ certainly make it more difficult to track them down,” he said. “And it’s challenging in investigating when you’re crossing jurisdictions.”
While spear-phishing emails can be sophisticated, Thomson said people should watch out for spelling errors, unsolicited messages or emails from high-ranking officials who aren’t normally in contact with the subject. Other red flags in spear-phishing messages include requests for absolute confidentiality or attempts to ramp up pressure on the target.
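The red flags listed above can be turned into a first-pass triage check that an HR inbox could run before anyone acts on a request. The following is an added example written for this page, not code from the Mint, the Canadian Anti-Fraud Centre or CBC. It parses two constructed sample e-mails (the addresses, domains and text are invented) and scores them against the article's red flags (unsolicited sender, pressure, request for confidentiality) plus the payroll-detail change request that characterised this incident. It goes beyond the article's list in one respect: it also flags a Reply-To address that differs from the From address, a common trick for steering replies to the fraudster. The rule that any bank-detail change request is held until confirmed out-of-band (for example, a call to a phone number already on file, never one supplied in the e-mail) is standard business e-mail compromise guidance and is an assumption of this example, not something the article attributes to the Mint.

```python
"""Heuristic triage of inbound HR e-mail for payroll-change fraud.

Added example for illustration only; not from the article or the Mint.
All sample messages, addresses and domains below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for HR's record of people it already corresponds with.
KNOWN_CORRESPONDENTS = {"j.doe@example.ca"}

# Phrases mapped to the red flags named in the article, plus the payroll
# change request seen in this incident. Lists are illustrative, not exhaustive.
PRESSURE = ("urgent", "immediately", "asap", "right away", "before payroll")
CONFIDENTIALITY = ("keep this between us", "confidential", "do not discuss",
                   "don't mention")
PAYROLL_CHANGE = ("bank account", "direct deposit", "banking information",
                  "pay stub")


def _text(msg) -> str:
    """Subject plus every text/plain part, lower-cased for phrase matching."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append(part.get_payload())
    return "\n".join(parts).lower()


def red_flags(raw: str) -> list[str]:
    """Return the list of red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    text = _text(msg)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()

    flags = []
    if sender not in KNOWN_CORRESPONDENTS:
        flags.append("unsolicited_sender")          # unsolicited message
    if reply_to and reply_to != sender:
        flags.append("reply_to_mismatch")           # replies routed elsewhere
    if any(p in text for p in PAYROLL_CHANGE):
        flags.append("payroll_change_request")      # the incident's request
    if any(p in text for p in PRESSURE):
        flags.append("pressure")                    # ramping up pressure
    if any(p in text for p in CONFIDENTIALITY):
        flags.append("confidentiality_request")     # absolute confidentiality
    return flags


def triage(raw: str) -> tuple[str, list[str]]:
    """HOLD: change nothing and send nothing until confirmed out-of-band.
    REVIEW: other red flags present. OK: nothing suspicious found."""
    flags = red_flags(raw)
    if "payroll_change_request" in flags:
        return "HOLD", flags
    if flags:
        return "REVIEW", flags
    return "OK", flags


# Constructed sample modelled on the incident: a stranger claiming to be a
# former employee asks for a bank-detail change and a pay stub.
FRAUD_SAMPLE = """From: Jane Doe <jane.doe.personal@mail-example.net>
Reply-To: payroll-update@other-example.net
To: hr@mint-example.ca
Subject: Urgent: update my direct deposit before payroll

Hi, this is Jane, I left the Mint last year. Please update my bank account
for my final pay right away and keep this between us. Could you also send
my last pay stub?
"""

# Constructed benign message from a known correspondent.
BENIGN_SAMPLE = """From: J Doe <j.doe@example.ca>
To: hr@mint-example.ca
Subject: Returning my building pass

Hi, which office should I drop my building pass at? Thanks.
"""

if __name__ == "__main__":
    for name, sample in (("fraud", FRAUD_SAMPLE), ("benign", BENIGN_SAMPLE)):
        verdict, flags = triage(sample)
        print(f"{name}: {verdict} {flags}")
```

The verdict matters more than the score: a bank-detail change request is held even when every other check passes, because the sender in this incident looked plausible enough to pass a back-and-forth exchange. Phrase lists like these are easy to evade and are only a safety net for the human control, which is the call-back.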
Reeves said the Mint has taken corrective measures, including security and privacy training tailored to its human resources department.
“Phishing and scams like that are a concern facing organizations like ours on a regular basis,” he said. “We have to be vigilant.”