It was a quiet January day in 2020 when the chief administrative officer of a rural southwestern Manitoba municipality noticed a series of unusual cash withdrawals from his bank account.
He quickly alerted his assistant, showing how the money was sent to several bank accounts that the municipality never dealt with.
“It’s kind of like a mad scramble to figure out what’s going on,” said Kate Halashewski, who was assistant chief administrative officer for the Municipality of WestLake-Gladstone at the time.
“As the day passes and [we’re] digging through documents…it’s like withdrawal after withdrawal after withdrawal.”
Little did they know that while the nearly 3,300 residents of WestLake-Gladstone were enjoying the holiday season, the municipality was the victim of a sophisticated cyberattack — a fake company tricking dozens of students and new Canadians into acting as intermediaries. It cost the municipality more than $470,000.
It started with a job ad.
A legitimate-looking company with a professional website and a Nova Scotia address claimed to be looking for cash processors.
The contract was for one month. Employees could work from home.
They were told that they were expected to receive payments on their credit cards and transfer them to their bank accounts. They would then withdraw the payments, convert them into bitcoins and send them to another account.
“This company was advertising on a number of major job sites where you would expect people to be looking for work,” said Cpl. Tarek Rabie with the RCMP’s financial crimes unit.
In an interview with CBC News, Rabie went through the RCMP’s investigation into the attack and explained how the crooks were able to pull off the cyberheist without being detected.
Most of the 18 people recruited were young people and lived in different communities across the country. Most were new Canadians, Rabie said.
“Individuals will be referred to — it’s not a flattering term — as money mules,” he said.
In this case, 18 “money mules” were unwitting participants, drawn into the company using “professionally crafted” documents that Rabie created to “catch” them.
A CBC News reporter reviewed the contract signed by these new employees, which outlines their terms of employment.
The four-page document contained a stamp with the company’s name and corporate number, signed by the company’s development manager.
The only requirements for the job were internet access, a phone, knowledge of internet banking and proximity to a bitcoin machine.
Anyone doing an internet search for a company will find a professional website with information that matches the employment contract.
In early December 2019, cybercriminals sent a phishing email to multiple people at the municipal office of WestLake-Gladsone, a municipality located on the southwest shore of Lake Manitoba, about 150 kilometers west of Winnipeg.
At least one person clicked on a link that allowed hackers to access the municipality’s computers and bank accounts.
But weeks went by and nothing happened, so RM didn’t report it to the police. It was only after the money disappeared that the municipality discovered the two incidents were connected, Halashevsky said.
Rabie doesn’t believe the municipality was specifically targeted, but it was unfortunate that an employee clicked on the malicious link.
“Most of it is sent to as many email addresses as possible, hoping that everyone will click on it,” he said.
Phishing scams usually send emails with “lures” such as promising a reward or impersonating the government to get someone to click on a link.
“When a computer network is compromised, it usually spreads from one computer to another,” Rabie said.
Court documents state that on December 19, 2019, a person accessed the municipality’s bank account and changed its password along with personal verification questions.
Over the next 17 days, the cyber attackers added 18 “employees” hired as paymasters and began systematically transferring money to the employees’ credit cards.
According to court documents, dozens were taken, totaling $472,377 — a significant amount for a municipality with an entire annual budget of $7 million.
The funds went undetected on Jan. 6 when Halashevsky saw 48 wire transfers of less than $10,000 each go to unfamiliar accounts.
“It was really disturbing,” said the former assistant CAO, who left the job in June 2021.
Rabie said the timing of the attack during the holiday was no coincidence.
“The person waited for the office to be empty to start the suspicious transactions because otherwise he would have been detected sooner.
“[It] probably showed some forethought and planning.”
After the employees realized the transactions were unauthorized, they notified the RCMP and the municipality’s credit union, who froze the account and recovered just under $50,000.
Where did the money go?
Rabie said 18 employees were paid several hundred dollars in commissions to accept the transfers.
He suspects that most of the people taking the job are newcomers to Canada because of their “unfamiliarity with Canadian employment procedures … and their desire for gainful employment.”
After they completed the initial transfers and conversion, the bitcoin was then sent to the fraudsters’ personal account — which cyber security experts say they don’t have in Canada.
Once the money leaves a Canadian banking institution, it becomes harder to track because officers no longer have the authority to easily obtain warrants, explained Sgt. Guy Paul Larocque with the RCMP’s Canadian Fraud Centre.
“The fact that the world is global makes it easier for criminals to mainly target victims… [from] in any region of the world,” he said.
Meanwhile, for months, the citizens of WestLake-Gladstone had no idea about the cyber attack or the missing money.
“I think you would hope you could find a reason or find out where it’s going before you tell anybody,” Halashewski said when asked about the delay in explaining to residents.
“Because wouldn’t it be better to say to somebody, ‘Oh, well, you know, this thing happened, but we found it and fixed it.'”
The municipality finally announced in a news release dated October 12, 2020 that it had lost nearly half a million dollars.
He said the municipality was the “target of a malicious cyber security attack” in which a “significant” amount of money was stolen from the RM’s bank account.
Lawsuits were filed
Accusations began to circulate in the rumor mill around town that someone within the municipality was involved – claims that the municipality has denied.
RCMP say there is no evidence that anyone from the community was involved in the attack.
Behind the scenes, there was a lawsuit between the municipality and its financial institution, Stride Credit Union, and Western Financial Group, an insurance provider.
Both declined to cover WestLake-Gladstone’s loss.
To recover these losses, the municipality filed a lawsuit in the Court of King’s Bench against Stride in March 2021 and Western Financial Group in December 2021.
Both remain on trial.
Stride Credit Union’s statement of defense alleges that the municipality did not conduct a full forensic audit of its IT system, despite the credit union’s request.
The statement also claims that the municipality did not provide additional information when requested by the credit union.
Western Financial’s statement of defense said there was no coverage for wire transfers or computer fraud under RM’s policy.
City officials did not respond to a request for comment for this story.
Both Stride Credit Union and Western Financial Group declined to comment because the matter is still before the courts.
Insurance may not offer protection: expert
Imran Ahmed, a Montreal-based cybersecurity expert and lawyer at Norton Rose Fulbright, says his law firm is tracking or dealing with 500 cyberattacks in 2022.
“And that’s just one firm in Canada,” he said.
Police also say cybercrime is on the rise. According to Statistics Canada, police-reported crimes rose from just over 27,000 five years ago to more than 70,000 incidents in 2021.
But according to officials, only 5-10 percent of incidents are reported.
“I can tell you this is not a crime that’s going to go away,” said Larocque of the RCMP..
When it comes to insurance, Ahmed said the “devil is in the details” about whether you’ll be covered after a cyber attack.
He said it’s rare to find a policy that will cover the losses a municipality faces — especially when a business or organization is targeted by an email scam.
According to him, the municipality is responsible for keeping its passwords safe.
“If someone is able to access the municipality’s systems or access an email account that has a username and password or reset the password, it is the responsibility of the municipality or that organization.”
The province orders an investigation
In a rare move, Manitoba’s auditor general was directed by the provincial government’s cabinet earlier this year to investigate the operations of “various municipalities, including the municipality of WestLake-Gladstone.”
A government document published in September said the municipal relations department had listened to citizens’ concerns about “council governance, financial management, oversight and public accountability” in those municipalities.
No arrests have been made in connection with the WestLake-Gladstone cyberattack, and RCMP said it is no longer under active investigation.