Connect with us

Hi, what are you looking for?



Canadian City Loses $500,000 to Phishing Attack

The City of Burlington, Ontario, revealed Thursday that it fell prey to “a complex phishing email” that cost the City CAD $503,000 (around USD $375,000). Few details have yet been released.

The City of Burlington, Ontario, revealed Thursday that it fell prey to “a complex phishing email” that cost the City CAD $503,000 (around USD $375,000). Few details have yet been released. “To maintain the integrity of ongoing investigations, the City will not be commenting further at this time,” it announced.

Although the City describes the incident as a phishing fraud, it bears all the hallmarks of the business email compromise (BEC) genre of phishing.

“On Thursday, May 23, the City of Burlington discovered it was a victim of fraud. A single transaction was made to a falsified bank account as a result of a complex phishing email to City staff requesting to change banking information for an established City vendor,” the announcement reads. “The transaction was in the form of an electronic transfer of funds made to the vendor in the amount of approximately $503,000 and was processed on May 16.”

Neither the name of the member of staff nor the department he or she worked in has been revealed, although it is clear his position is of enough seniority to authorize large payments on behalf of the City.

Burlington mayor Marianne Meed Ward commented, “This was a case of online fraud with falsified documents at a level of sophistication not typically seen and we are taking the necessary steps to prevent it from happening in the future. This stresses just how important it is that we are all vigilant and recognize the signs of online fraud, phishing and other scams, and report them to the proper authorities — so that no one becomes a victim of this type of criminal activity.”

“Humans remain the weakest link in any organization,” commented Ilia Kolochenko, founder and CEO of ImmuniWeb. “Properly implemented security controls can reduce the risk of human error but not eliminate it. Worse, cybercriminals will now purposely target smaller organizations that cannot afford to invest in their cybersecurity. Organizations of all sizes should continuously invest in their human capital via security training and security awareness seminars.”

Municipalities have, for this very reason, become prime targets for cybercriminals over the last few years. It is tempting for politicians to spend available funds on something visible to the people rather than unseen cybersecurity defenses. In the long run, this is a false economy. The City of Atlanta declined to pay a ransom of around $50,000 in March 2018 — but subsequently had to pay $2.7 million to contractors to help recovery; and later estimated that it would need a total of $9.5 million.

Advertisement. Scroll to continue reading.

BEC is a major and growing threat to organizations of all sizes. Criminals forge or take over email accounts to send authentic-looking emails to senior management, requesting (usually, urgently) that funds be wired to a fake bank account. In April this year, the latest U.S. Internet Crime Report from the FBI revealed that there were more than 20,000 victims of BEC and email account compromise (EAC) during 2018 — with a total loss of $1.298 billion.

Nevertheless, despite the frequency of BEC attacks, the Burlington fraud is one of the largest single reported frauds to date. Between 2013 and 2015, a Lithuanian citizen used BEC against Facebook and Google employees, and stole in excess of $100 million. In this case, most of the money was recovered, and the perpetrator was arrested in March 2017. 

BEC is expected to increase. In most cases, it is high return and low risk for the attacker. At the time of the publication of this year’s Verizon DBIR, Alex Pinto, head of Verizon security research, told SecurityWeek, “why bother hacking companies when we can just email the CFO and get him to send us money?”

Related: New Variant of BEC Seeks to Divert Payroll Deposits 

Related: Business Email Compromise Still Reigns 

Related: Alphabet’s Jigsaw Helps Users Identify Phishing Attacks 

Related: Security Awareness Training Firm KnowBe4 Raises $300 Million

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...