The City of Burlington, Ontario, revealed Thursday that it fell prey to “a complex phishing email” that cost the City CAD $503,000 (around USD $375,000). Few details have yet been released. “To maintain the integrity of ongoing investigations, the City will not be commenting further at this time,” it announced.
Although the City describes the incident as a phishing fraud, it bears all the hallmarks of the business email compromise (BEC) genre of phishing.
“On Thursday, May 23, the City of Burlington discovered it was a victim of fraud. A single transaction was made to a falsified bank account as a result of a complex phishing email to City staff requesting to change banking information for an established City vendor,” the announcement reads. “The transaction was in the form of an electronic transfer of funds made to the vendor in the amount of approximately $503,000 and was processed on May 16.”
Neither the name of the member of staff nor the department he or she worked in has been revealed, although it is clear the position is senior enough to authorize large payments on behalf of the City.
Burlington mayor Marianne Meed Ward commented, “This was a case of online fraud with falsified documents at a level of sophistication not typically seen and we are taking the necessary steps to prevent it from happening in the future. This stresses just how important it is that we are all vigilant and recognize the signs of online fraud, phishing and other scams, and report them to the proper authorities — so that no one becomes a victim of this type of criminal activity.”
“Humans remain the weakest link in any organization,” commented Ilia Kolochenko, founder and CEO of ImmuniWeb. “Properly implemented security controls can reduce the risk of human error but not eliminate it. Worse, cybercriminals will now purposely target smaller organizations that cannot afford to invest in their cybersecurity. Organizations of all sizes should continuously invest in their human capital via security training and security awareness seminars.”
Municipalities have, for this very reason, become prime targets for cybercriminals over the last few years. It is tempting for politicians to spend available funds on something visible to the people rather than unseen cybersecurity defenses. In the long run, this is a false economy. The City of Atlanta declined to pay a ransom of around $50,000 in March 2018 — but subsequently had to pay $2.7 million to contractors to help with recovery, and later estimated that it would need a total of $9.5 million.
BEC is a major and growing threat to organizations of all sizes. Criminals forge or take over email accounts to send authentic-looking emails to senior management, requesting (usually, urgently) that funds be wired to a fake bank account. In April this year, the latest U.S. Internet Crime Report from the FBI revealed that there were more than 20,000 victims of BEC and email account compromise (EAC) during 2018 — with a total loss of $1.298 billion.
Nevertheless, despite the frequency of BEC attacks, the Burlington fraud is one of the largest single reported frauds to date. Between 2013 and 2015, a Lithuanian citizen used BEC against Facebook and Google employees, and stole in excess of $100 million. In that case, most of the money was recovered, and the perpetrator was arrested in March 2017.
BEC is expected to increase. In most cases, it is high return and low risk for the attacker. At the time of the publication of this year’s Verizon DBIR, Alex Pinto, head of Verizon security research, told SecurityWeek, “why bother hacking companies when we can just email the CFO and get him to send us money?”

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
