City of Ottawa treasurer fell victim to US$100K phishing scam: auditor general

The City of Ottawa’s treasurer fell victim to an increasingly prevalent form of cyber attack last year, with the city losing more than $100,000 to a U.S. fraudster, the city’s audit committee heard Monday.

The city’s auditor general Ken Hughes reported findings from this past year’s audits at Monday’s meeting as well as an investigation into a reported transfer of funds to a fraudster south of the border.

Hughes confirmed that his investigation found that city treasurer Marian Simulik was scammed into sending roughly US$98,000 from Ottawa’s treasury to a fraudulent account in July 2018.

The phishing email purported to be from city manager Steve Kanellakos, and asked Simulik to wire the money to a specified account in order to complete an acquisition on behalf of the city. Simulik sent a few emails back and forth with the fraudster and ultimately signed off on the transfer, with the city’s treasury branch issuing the funds later that day.

Five days later, another phishing email instructed Simulik to send some US$150,000 for a similar purpose, but this time she was attending a city council meeting and was seated next to Kanellakos himself. When she asked him about the email, he said he had no knowledge of the request, at which point both realized the city had fallen victim to fraud.

Simulik then reported the incident to the city’s IT branch, which in turn involved the auditor general. The resultant investigation turned up a similar incident earlier that spring, in which a phishing email purporting to be from the CEO of the Ottawa Public Library requested a wire transfer, but the treasury branch contacted the proper authority and did not act on that scam.

There are still hopes that the city might get some of the money back. City staff were informed after the incident that one of the accounts involved in the scam was being monitored by the United States Secret Service and that an individual related to the matter had been arrested and now awaits trial. The city might recover “some of its losses” as a result of the U.S. authorities’ involvement, which Hughes noted during the meeting is rare in similar cases of fraud.

Simulik made a heartfelt statement to the committee expressing embarrassment at having fallen victim to the scam following nearly three decades as a steward of the public purse. She told the committee the incident had affected her “deeply, both professional and personally.”

Simulik, who is retiring from her post at the end of the year, added she won’t be commenting further while the matter is before the courts. Following his investigation, Hughes concluded there was no fraudulent wrongdoing by Simulik or any other city staff.

Kanellakos also defended Simulik’s actions, noting that incidents of fraudsters targeting individuals with access to significant funds – a process dubbed “whaling” in cybersecurity – are on the rise across the industry.

“The treasurer acted – based on what she had every reason to believe was my authority – to process this transaction. She didn’t break any rules,” he said.

The city has since reviewed its wire transfer policies in an attempt to safeguard against similar attacks, but Kanellakos added the fraud was a “difficult learning experience.”

Indeed, Hughes pointed to better education as the best response for avoiding future cyber scams. He mentioned an experiment in January 2018 in which the city’s IT branch purposefully sent deceptive phishing emails to municipal employees to test the city’s cybersecurity waters. Some 27 per cent of employees clicked on a suspicious link in the email, which Hughes said was nearly double the industry standard of 15 per cent.

Some councillors on the audit committee said they were concerned this was the first they had heard about an incident that occurred nine months ago. Hughes responded by saying he didn’t know the depth of the fraud until he had done the investigation and therefore couldn’t be sure what needed to be reported until then.

AG seeks to review LRT stage 2 procurement

Elsewhere at Monday’s meeting, Hughes revised his work plan for the coming year to include a look at the procurement process for the second stage of Ottawa’s light-rail transit system. The $4.7-billion project and largest such contracts in the city’s history have come under fire since CBC reported that SNC-Lavalin, the contractor picked to develop the LRT’s north-south extension, failed to meet the technical requirements for the project.

Hughes said he received numerous calls from councillors and concerned residents to investigate the procurement process, which has been largely protected under the cover of confidentiality agreements between the city and bidders for the project. Capital Coun. Shawn Menard said at the end of the most recent council meeting that he would request Hughes investigate the decision-making process on stage 2 LRT.

In order to take on the newly requested review, Hughes would have to push an audit on the city’s travel and hospitality industry to 2020.

The auditor general’s work plan must be approved by city council before Hughes moves forward with his investigations.