WestLake-Gladstone fell victim to a 'malicious' cyberattack during the 2019 holiday season
It was a quiet day in January 2020 when the administrative head of a rural southwest Manitoba town noticed a series of unusual cash withdrawals from his bank account.
He quickly alerted his assistant, pointing out how money had been sent to several bank accounts that the city government never handled.
"It was like a mad scramble to try and figure out what was going on," said Kate Halashewski, who at the time was the assistant head of administration for the Municipality of WestLake-Gladstone.
"As the day progresses and [we] dig through the documents... it's like withdrawal after withdrawal after withdrawal."
Little did they know that while the approximately 3,300 residents of WestLake-Gladstone were enjoying the holiday season, the city's government had fallen victim to a sophisticated cyber attack — involving a bogus company tricking over a dozen students and new Canadians into acting as middlemen to defraud the city government. more than $470,000.
Job offer
It starts with a job advertisement.
An apparently legitimate company, with a professional website and a Nova Scotia address, claims to be looking for a money processor.
The contract is for one month. Employees can work from home.
They are told they will receive payment to their credit card, which they will hopefully transfer to their bank account. They will then withdraw the payment, convert it to bitcoins, and send it to another account.
"This company advertises on a number of major job websites where you'd expect people to be looking for work," Corporal says. Tarek Rabie, with the RCMP financial crimes unit. In an interview with CBC News, Rabie went through the RCMP's investigation into the attack and explained how fraudsters were able to cyberheist without being detected.
The majority of the 18 people employed are young and live in communities across the country. Most were new Canadians, said Rabie.
"Individuals will be referred to - that's not a flattering term - but as money mules," he said.
In this case, 18 "money mules" were deemed unwitting participants, lured into the company using what Rabie described as "professionally prepared" documents created to "trap" them.
A CBC News reporter looked at the agreements signed by these new employees outlining their working conditions.
The four-page document includes a seal with the company name and company number, signed by the company's development manager.
The only requirements for the job are access to the internet, a telephone, knowledge of internet banking and proximity to a bitcoin machine.
Anyone who does an internet search for the company will find a professional website, with information that matches what is provided in the employment agreement.
Phishing emails
In early December 2019, cybercriminals sent phishing emails to several people in the municipal offices of WestLake-Gladsone, a municipality about 150 kilometers west of Winnipeg, on the southwestern shore of Lake Manitoba.
At least one person clicked on the link, which allowed hackers into the city's computers and bank accounts.
But weeks passed and nothing happened, so RM didn't report it to the police. Only after the money went missing did the city government discover that the two incidents were linked, Halashewski said.
Rabie doesn't believe the municipality is being specifically targeted, but it's unfortunate enough that an employee has clicked on the malicious link.
"Most tend to get sent to as many email addresses as possible, hoping someone clicks on it," he says.
Phishing scams typically send emails with "lure", such as promising a reward or impersonating a government to persuade someone to click on a link.
"Once a computer network is compromised, it usually spreads from one computer to another," said Rabie.
Court documents say that on December 19, 2019, someone logged into the city government's bank account and changed the password, along with personal verification questions.
Over the next 17 days, the cyber attackers added 18 "employees" who were hired as payees and began making systematic withdrawals, transferring money to the employees' credit cards.
Dozens of withdrawals were made, totaling $472,377, according to court documents — a sizable amount for a municipality with an entire annual budget of $7 million.
The withdrawal went unnoticed until January 6, when Halashewski noticed 48 bank transfers — less than $10,000 each — coming into foreign accounts.
“That is really concerning,” said the former CAO assistant who left his job in June 2021.
Where did the money go
Rabie said the 18 workers were paid several hundred dollars in commissions for accepting transfers.
He suspects that most newcomers to Canada take the job because of "their unfamiliarity with Canadian employment procedures ... and their desire to get a job."
After they complete the initial transfer and conversion, the bitcoins are then sent to the scammers' personal accounts – which cybersecurity experts say are most likely not located in Canada.
Once the money leaves Canada's banking institutions, it becomes more difficult to trace, because officials no longer have the jurisdiction to get warrants easily, explained Sgt. Guy Paul Larocque, with the RCMP's Canadian Anti-Fraud Centre.
"The fact that the world is global makes it easier for perpetrators to target victims... [from] any region of the world," he said.
Meanwhile, for months, residents of WestLake-Gladstone had no idea about the cyberattack or the missing money.
"I guess... you'd wish you could figure out why, or find out where it went before you had to tell someone," Halashewski said when asked about the delay in notifying residents.
"Because wouldn't it be better to say to someone, 'Oh, yeah, you know, this thing happened, but we found it and fixed it.'"
The city government finally announced it had lost nearly half a million dollars in an October 12, 2020 news release.
It said the municipality was a "target of a dangerous cybersecurity breach" in which large sums of money were stolen from RM's bank account.
Lawsuit filed
Around the city, rumors began to circulate, with accusations that someone within the municipality was involved – a charge the city government denied.
The RCMP said there was no evidence that anyone in the community was involved in the attack.
Behind the scenes, there is a fight between the city government and its financial institution, Stride Credit Union, and its insurance provider, Western Financial Group.
Both refused to cover up the defeat of WestLake-Gladstone.
In an effort to compensate for those losses, the city government filed a lawsuit in Court of King's Bench against Stride in March 2021 and against Western Financial Group in December 2021.
Both remain before the court.
Stride Credit Union's defense statement claims the city has not conducted a full forensic audit of its IT systems, despite the credit union's request.
The statement also claims the city government has not provided additional information when requested by the credit union.
Western Financial's defense statement said there was no protection for fraudulent fund transfers or computer fraud under RM's policy.
Municipal officials did not respond to requests for comment for this story.
Stride Credit Union and Western Financial Group declined to comment as the matter is still in court.
Insurance may offer no protection: expert
Imran Ahmad, a cybersecurity expert and attorney in Montreal with the firm Norton Rose Fulbright, said his law firm tracked or handled 500 cases of cyberattacks in 2022, up significantly from 320 in 2021.
"And that's just one company in Canada," he said.
Police also say cybercrime is on the rise. Police-reported crimes continue to increase from more than 27,000 five years ago to more than 70,000 incidents in 2021, according to Statistics Canada.
But officials estimate that only five to 10 percent of incidents are reported.
"I can tell you it's not a crime that will go away," said RCMP's Larocque.
As for insurance, Ahmad says "the devil in the details" will you be covered after a cyber attack.
He said it's rare to find a policy that will cover the kind of harm a city government suffers — especially when a business or organization is attacked via email phishing scams.
"If someone can log into the municipality's system or log into an email account where the username and password are available, or they can do a password reset, it's in the municipality or organization," he said.
The province ordered an investigation
In a rare move, a provincial government cabinet directive was made earlier this year for the Manitoba auditor general to conduct an investigation into the operations of "multiple municipalities, including the municipality of WestLake-Gladstone."
The government document, published in September, said the city's relations department heard concerns from residents in the city with "respect for council governance, financial management, oversight and public accountability."
No arrests have been made in connection with the WestLake-Gladstone cyber attack and the RCMP said it is no longer under active investigation. This article was written by EDUKASI CAMPUS.