Hydro-Québec accidentally paid $460K to scammer pretending to be supplier
Cyber-security experts say ‘supplier scams’ increasingly common
Hydro-Québec has admitted it inadvertently paid more than $450,000 to someone pretending to be one of its suppliers.
Montreal newspaper La Presse first reported the information this morning.
Caroline Des Rosiers, a spokesperson for the Crown corporation, confirmed to CBC News in an email that on July 8, one of its suppliers was the victim of a fraud where confidential information was stolen.
"Using this information, the fraudster modified the bank details used by Hydro-Québec for bill payment," Des Rosiers said.
"An amount of $463,968.19 was therefore paid into an account that was not that of the supplier," she said.
"It is important to emphasize that only the supplier's systems were targeted. At no time or in any way were Hydro-Québec's computer systems compromised," Des Rosiers added.
She said the utility had filed a complaint with provincial police.
'Weakest link in the chain'
"This is the most popular type of supplier scam," cyber-security expert Claudiu Popa told CBC News in an interview.
Popa said fraudsters use a phishing scheme where they either hijack the email account of a supplier or use a very similar email address to request a change to the account where payments are made.
"The change in payment account is not noticed or it's ignored and the payment goes through, and sadly it doesn't get detected for weeks," Popa said.
Steve Waterhouse, a cyber-security consultant based in Sherbrooke, said fraudsters deliberately target suppliers, who often have less stringent cyber-security protocols.
"Cyber criminals basically just look at where is the weakest link in all that chain of events and money transfers. They will just pinpoint that weakness and exploit it," Waterhouse said.
Experts say more checks and balances needed
Popa said that even if Hydro-Québec's system wasn't breached, the utility should have been able to flag the suspicious transfer.
"Many organizations out there just rely on the supply chain just managing itself, and we're seeing that that's a catastrophic approach to doing things," Popa said.
Both Popa and Waterhouse said there are things Hydro-Québec and other large organizations can do to prevent this type of fraud.
Waterhouse said that begins with training.
"Everyone from the supplier to the one who's giving out the contracts, they have to make sure everybody is made aware these situations can happen, and then train and educate them," Waterhouse said.
He suggested adding an extra approval step midway through the process for any large payment, so that companies and their suppliers can verify with each other that everything is legitimate.
Popa said organizations that rely on supply chains have to have better checks and balances.
"They have to verify any change that takes place in payment details of any kind, whether it's a name or a phone number or an email address or a bank account," he said.
Popa also suggested corporations run regular simulations of these types of frauds to test their security measures.
Hydro-Québec said it's launched an internal review.
"In accordance with our practice of reviewing our internal procedures on an ongoing basis, an analysis is underway to identify any improvements that could be made," Des Rosiers said.