The Edmonton Economic Development Corporation (EEDC) has filed a lawsuit to recover funds lost to a phishing scam which resulted in the theft of $375,000.
A statement of claim names a numbered company and its incorporator, Sithira Pranavan Arutjothy, as defendants. Postmedia News reported that EEDC’s claim seeks not only the recovery of the lost funds but also another $250,000 in damages from Arutjothy and his company.
CIBC and TD Bank were also named as defendants. EEDC has obtained court orders for the banks to divulge information related to the fund transfer at the heart of the scam.
The EEDC is a non-profit whose functions include marketing and promotion, convention centre management, and business development. One of its main roles is the promotion of tourism in Edmonton, which the group achieves in part via advertising at Edmonton International Airport.
On October 31, 2018, the EEDC received an invoice for tourism ads from the Edmonton Regional Airport Authority. The invoice itself was not out of the ordinary, but the organization claims a hacker exploited this information.
A month later, on November 27, 2018, EEDC received an email from a contact claiming to be with the airport. That contact advised that payments by cheque would no longer be accepted, and instead the invoice for the ads should be paid either electronically or by bank/wire transfer, court documents outlined.
On that same day, EEDC sent the payment electronically.
On December 20, 2018, the EEDC was notified by CIBC that TD Bank was attempting to validate the legitimacy of the transaction. According to the bank, the beneficiary named in the transfer did not match the bank account’s beneficiary, which was a numbered company.
EEDC checked with the airport and found that the impostor who emailed them in November had used the email suffix “@fyeia.com” instead of the Edmonton International Airport’s official “@flyeia.com.”
Terry Curtis, EEDC vice president of communications, said that the agency believes a hacker broke into the network and went through email messages to select a contact to impersonate.
“Being one letter off in an email address that is impersonating a known person that we speak to every day — day in, day out. It was just a really simple error,” Curtis mentioned.
The agency now knows where the money has gone.
“It was split up, it went in a number of directions. There are portions of it that are still in frozen accounts, some of it was converted into cash, and some of it is tied up in third-party transactions,” explained Curtis.
Since its discovery of the scam, the EEDC has implemented new financial controls and checks. The organization has also put its staff through cyber security training.