Saturday 13 April 2019

City of Ottawa treasurer fell victim to US$100K phishing scam: auditor general

https://obj.ca/index.php/article/city-ottawa-treasurer-fell-victim-us100k-phishing-scam-auditor-general

The City of Ottawa’s treasurer fell victim to an increasingly prevalent form of cyber attack last year, with the city losing more than $100,000 to a U.S. fraudster, the city’s audit committee heard Monday.
The city’s auditor general Ken Hughes reported findings from this past year’s audits at Monday’s meeting as well as an investigation into a reported transfer of funds to a fraudster south of the border.
Hughes confirmed that his investigation found that city treasurer Marian Simulik was scammed into sending roughly US$98,000 from Ottawa’s treasury to a fraudulent account in July 2018.
The phishing email purported to be from city manager Steve Kanellakos, and asked Simulik to wire the money to a specified account in order to complete an acquisition on behalf of the city. Simulik sent a few emails back and forth with the fraudster and ultimately signed off on the transfer, with the city’s treasury branch issuing the funds later that day.
Five days later, another phishing email instructed Simulik to send some US$150,000 for a similar purpose, but this time she was attending a city council meeting and was seated next to Kanellakos himself. When she asked him about the email, he said he had no knowledge of the request, at which point both realized the city had fallen victim to fraud.
Simulik then reported the incident to the city’s IT branch, which in turn involved the auditor general. The resultant investigation turned up a similar incident earlier that spring, in which a phishing email purporting to be from the CEO of the Ottawa Public Library requested a wire transfer, but the treasury branch contacted the proper authority and did not act on that scam.
There are still hopes that the city might get some of the money back. City staff were informed after the incident that one of the accounts involved in the scam was being monitored by the United States Secret Service and that an individual related to the matter had been arrested and now awaits trial. The city might recover “some of its losses” as a result of the U.S. authorities’ involvement, which Hughes noted during the meeting is rare in similar cases of fraud.
Simulik made a heartfelt statement to the committee expressing embarrassment at having fallen victim to the scam following nearly three decades as a steward of the public purse. She told the committee the incident had affected her “deeply, both professional and personally.”
Simulik, who is retiring from her post at the end of the year, added she won’t be commenting further while the matter is before the courts. Following his investigation, Hughes concluded there was no fraudulent wrongdoing by Simulik or any other city staff.
Kanellakos also defended Simulik’s actions, noting that incidents of fraudsters targeting individuals with access to significant funds – a process dubbed “whaling” in cybersecurity – are on the rise across the industry.