Phisher impersonating Sandpiper Ventures received $573,000.
An Invest Nova Scotia (Invest NS) employee’s email account was breached in a phishing attack, resulting in $573,000 being transferred to an imposter’s bank account. The breach went undiscovered for two weeks.
Invest NS told BetaKit that it took immediate steps to contain the unauthorized access once discovered.
Invest NS, the province’s economic development agency, told BetaKit in an email statement that it is working with the Department of Justice, and that it has filed a court application as part of a civil process to “recoup the funds from the Royal Bank of Canada (RBC) that were transferred as a result of cyber fraud.” Halifax Regional Police are also investigating the incident.
BetaKit has reached out to RBC for comment.
Invest NS explained to BetaKit that it received a request from a partner for an installment payment relating to a routine, ongoing investment transaction on May 16. Six days later, on May 22, Invest NS said it received another email that appeared to be from the same contact person but with new banking instructions for an account at RBC.
Invest NS added that the request to change banking instructions was corroborated through a follow-up email that appeared to be from another contact person within the partner organization.
Invest NS said it discovered on June 6 that funds had been misdirected, two weeks after it had sent approximately $573,000 to the RBC account on May 23, as a result of a targeted cyber attack that accessed an employee email account. Invest NS said RBC confirmed that it was holding the “majority of funds” on June 10, and that the bank froze the account in question as part of the police investigation.
The breach was first reported by the Halifax Examiner on Friday. The Examiner reported that an affidavit and accompanying exhibits were filed with the court last week by Stephanie Corvese, a manager of digital forensics with Grant Thornton Canada. The filing shows that the transfer was the result of a breach in an Invest NS employee email, and that the funds were intended for Halifax-based venture capital (VC) firm Sandpiper Ventures.
Invest NS is the result of an amalgamation between Innovacorp and Nova Scotia Business Inc. in 2022 as part of a broader strategy by the provincial government to bring together five economic development and infrastructure organizations. In 2021, one of the predecessors to Invest NS invested $5 million into Sandpiper’s first VC fund, which would focus on backing women-led startups.
The Examiner reported that Corvese found that, after an effective phishing campaign to secure login credentials, an “unauthorized user” logged into the employee’s Microsoft email account through a virtual private network (VPN) located in Moscow, Russia, days before the transfer. The unauthorized user then viewed an email chain discussing the request for an installment payment. The attacker proceeded to impersonate both Sandpiper CFO Steven Carr and managing partner Cathy Bennett from an “@sandplper” email domain, which replaced the lowercase “i” in Sandpiper with a lowercase “l.” The sender told the targeted employee that Sandpiper’s banking details had changed, providing details to the now-frozen RBC account.
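A one-character swap like the “i” to “l” substitution described above is hard to spot by eye but simple to flag mechanically before a payment change is actioned. The following is an added example, not code from the original article or from any party it names; the domains are constructed placeholders, and the confusable-character map and function names are assumptions.

```python
# Added example: flag sender domains that imitate a trusted partner domain.
# All domains are constructed placeholders, not real addresses.
TRUSTED = {"sandpiper.example"}

# Characters often mistaken for one another in mail clients (assumed, not exhaustive).
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s"})


def skeleton(domain: str) -> str:
    """Collapse visually similar characters so look-alikes compare equal."""
    return domain.lower().replace("rn", "m").translate(CONFUSABLE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typos and additions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'lookalike:<domain>' or 'unknown' for a sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in trusted:
        return "trusted"
    for good in sorted(trusted):
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 1:
            return f"lookalike:{good}"
    return "unknown"


# Constructed sample senders: one genuine, two imitating it, one unrelated.
SAMPLE = [
    "cfo@sandpiper.example",
    "cfo@sandplper.example",
    "partner@sandplper.example",
    "news@unrelated.example",
]


def review(senders=SAMPLE) -> dict:
    return {s: classify_sender(s) for s in senders}


if __name__ == "__main__":
    for sender, verdict in review().items():
        print(f"{verdict:30} {sender}")
```

A “lookalike” verdict on a message that changes banking details is a signal to confirm the change through a contact channel already on file rather than by replying to the email.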
Invest NS told BetaKit that it has an information technology forensic investigation underway and that it took immediate steps to contain the unauthorized access once discovered. This included deactivating the specific email account, resetting all employee passwords, and locking down its server from accepting logins from jurisdictions deemed high risk.
Featured image courtesy Invest Nova Scotia via LinkedIn.