The treasurer of the city of Ottawa, Marian Simulik, fell for a business email compromise (BEC) scam and sent $100,000 to a scammer, the city’s auditor general revealed this week. Simulik received an email last July from a fraudster posing as the city manager.

The email asked her to wire the money to an IT supplier in the US. Ottawa’s website was undergoing an overhaul at the time, and Simulik assumed the request was related to this. She researched the IT supplier and conversed with the attacker via email before sending the money to a bank account in the US.

Simulik realized her error several days later, when she received another bogus request for $150,000. This email arrived when she was at a council meeting with the city manager, so she asked him personally about the request. The manager knew nothing about the matter, and Simulik told him about the money transfer that took place days earlier. Simulik was apparently mortified that she fell for the scam.

"That I should be the target and victim of this sophisticated attack has affected me deeply both professionally and personally," she said.

Ottawa’s auditor general also revealed that the treasurer’s office had been targeted by a different BEC attack several months earlier, when an email purporting to come from the CEO of the city’s public library requested a money transfer. This incident was identified as a scam before any money was sent, but treasury staff failed to report the event to security personnel.

In response to these incidents, the city has implemented measures to prevent the same employee from creating and approving a money transfer. It also plans to require mandatory awareness training for city employees. New-school security awareness training can help your employees identify these scams by confirming that emails are legitimate before acting on them.

Read the full story at