A small town in Manitoba, WestLake-Gladstone (population about 3300), fell victim to a social engineering campaign. The municipal government seems to have been a target of opportunity, but it lost some $433 thousand to scammers.
The scam began with a gig economy job offer. “A seemingly legitimate company, with a professional website and a Nova Scotia address, claimed it was looking for cash processors. The contract was for one month. Employees could work from home,” the CBS explained. “They were told they would receive payments to their credit cards, which they would be expected to move to their bank accounts. They would then withdraw the payments, convert them into bitcoin, and send that to another account.”
All a prospective “cash processor” needed to qualify were a phone, Internet access, and familiarity with online banking. Also, they would need “proximity to a bitcoin machine.” If the aspiring cash processors did an Internet search for their prospective employer, they would “find a professional website, with information matching what was provided in the employment agreement.” And it came with a Nova Scotia address, just to lend verisimilitude to the scam.
The offer itself was phishing, and eventually someone in Westlake-Gladstone followed a malicious link that enabled the crooks to gain access to the municipal bank accounts. The local government noticed something was amiss when they saw withdrawals, each one less than $10 thousand, being made with money sent to unfamiliar destinations.
“It was a quiet January day in 2020 when the chief administrative officer of a southwestern Manitoba rural municipality noticed the series of unusual cash withdrawals from its bank account. She quickly alerted her assistant, showing how money had been sent to multiple bank accounts the municipality had never dealt with. ‘It was just kind of like a mad scramble to try and figure out what was going on,’ said Kate Halashewski, who at the time was the assistant chief administrative officer for the Municipality of WestLake-Gladstone.”
The Royal Canadian Mounted Police has the case under investigation, but of course it's better to avoid being victimized in the first place. New-school security awareness training can give any team appropriate skepticism about social engineering, however small-scale or subtle it may appear.
CBC has the story.