The Canadian Anti-Fraud Centre (CAFC), located in North Bay reports an unidentified Canadian business could have lost over $600,000 to fraud if not for quick action by police.
On February 2 an OPP member seconded to the CAFC was notified by a CAFC call taker that a Canadian victim business reported a Spear Phishing fraud. A United States Secret Service (USSS) representative was contacted regarding the fraud.
The Secret Service quickly contacted the US financial institution, which received the transfer and froze approximately $615,820 (CND) of the victim's funds.
"As a result of the timely reporting to the CAFC, and the quick action of the members from each organization, the business is well positioned to recover the funds," says a news release.
John Armit is the Acting Detective Sergeant with the Anti-Rackets Branch of the OPP.
He told BayToday that had the company not reported to the CAFC as quickly as they did and had he not acted on the report just as quickly, the funds would have been laundered to the fraudsters.
Armit says there are two victims in this matter.
"The first victim is the Canadian manufacturing company located in Mississauga, who had their email systems compromised. The US victim company had requested to purchase equipment from the Canadian victim company. Due to the compromised email, the fraudsters sent a spoofed email requesting a change in wire payment directions to a US victim company, which transferred the funds. The Canadian victim was subsequently contacted by another customer who had also received a spoofed email requesting a payment change. The Canadian company sent messages to their clients warning of the fraud/compromise. As a result, the USSS was able to contact the US financial institution that received the fraudulent wire transfer and later froze the funds."
Armit says that the CAFC has seen consistent reporting over the past three years of Spear Phishing frauds. Last year it was $58.2 million, in 2022 - $58.1 million, and 2021 $54.2 million.
"It is estimated that only 5-10 per cent of victims report their frauds to the CAFC," he adds. "So one can only imagine the volume of Spear Phishing that is occurring within Canada. "
No arrests have been made in the case.
The CAFC is Canada's central repository for data, intelligence, and resource material that relates to fraud. It does not conduct investigations but provides valuable assistance to law enforcement agencies all over the world. CAFC is jointly managed by the Royal Canadian Mounted Police, the Competition Bureau Canada, and the Ontario Provincial Police. The CAFC was originally known as Phonebusters, which was created by the OPP and remains headquartered in North Bay.
Spear phishing frauds represented $58.2 million in reported losses to the CAFC in 2023. Ontario victims reported losing over $21.3 million.
Fraudsters send messages to a targeted business or individual's email account, often to the accounts payable department. Fraudsters will create an email address similar to the targeted company's email address to appear as though the email is originating from a trusted source like a supplier or contractor. The fraudster will request an urgent payment to an alternate bank account for an invoice that is due.
In addition, fraudsters may send malware and if an employee clicks on it, a rule will be created to send copies of incoming emails to one of the fraudster's email accounts. Fraudsters will take their time to collect information, study the language of their intended targets, and look for important contacts, payments, and dates so they can send convincing emails from a seemingly trusted source.
Fraudsters launch their attack when an accounts payable invoice has been identified.
How to protect yourself
- Remain current on frauds targeting businesses and educate all employees by visiting the CAFC website
- Include fraud and cyber training as part of new employee's orientation
- Avoid opening unsolicited emails or clicking on suspicious links or attachments
- Take a few seconds to hover over an email address or link and confirm that they are correct
- Restrict the amount of information shared publicly and show caution concerning social media
- Create detailed payment procedures, including verbal authentication for any urgent requests or changes in payment details
- Create a verification step for unusual requests
- Establish fraud-identifying, managing, and reporting procedures
- Ensure to upgrade and update technical security software
If you become a victim of fraud or know someone who has, contact your local police service to report the crime and report it to the CAFC at 1-888-495-8501 or online on the Fraud Reporting System (FRS), even if a financial loss did not occur.