A Calgary vision centre is suing a Winnipeg company, a bank and others, alleging fraudsters accessed an employee’s email and took more than $700,000 through a shadowy bank wire scheme.
The statement of claim filed by Clearview Eye Centre last week in Manitoba Court of King’s Bench alleges unidentified fraudsters, named in the suit as John Doe and Jane Doe, infiltrated the email of Clearview’s office manager and impersonated employees of another business the vision centre was working with.
Clearview had hired Jerilyn Wright and Associates, a design firm, and Persimmon Contracting for work on construction of the eye centre’s clinic, the lawsuit says.
The vision centre first received a legitimate email from staff at Jerilyn Wright and Associates on July 9, 2024, with an invoice for around $105,000 to be paid to Persimmon Contracting. Several JWA and Persimmon employees were copied on the email.
On July 23, Clearview received a followup email that appeared to be from JWA and seemed to have the same employees cc’d.
It was later discovered the email was actually from the fraudsters, and the cc’d email addresses were slightly different, with just one letter changed in each address.
The fraudsters claimed Persimmon’s banking information had changed, and that it would no longer be accepting cheques, the suit says.
A second fraudulent email, sent July 26, indicated the payment for the July 9 invoice should instead be wired to an account at a Winnipeg Bank of Nova Scotia branch.
The account was under the name “10197150 Manitoba.” According to the Manitoba Companies office, 10197150 — the company named as a defendant in the suit — is a sole proprietorship that has a registered place of business in Winnipeg.
Clearview wired the nearly $105,000 payment to the Scotiabank account on July 29, believing it was paying Persimmon, the statement of claim says.
The fraudsters sent two more invoices – on Aug. 6 and Sept. 11 – for roughly $253,000 and $357,000. Those payments were once again sent to the Winnipeg bank account, the suit says.
It wasn’t until a meeting on or around Sept. 26 that Clearview discovered Persimmon had not actually received the payment for the three invoices, the suit says.
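The followup emails described above copied addresses that differed from the real ones by a single letter. As an added example that is not part of the original article, the Python below compares the participants of a new message with those of an earlier trusted message in the same thread and flags near-miss addresses; the function names, addresses and sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def participants(raw: str) -> set[str]:
    """Lower-cased addresses from the From, To, Cc and Reply-To headers."""
    msg = message_from_string(raw)
    fields = []
    for header in ("From", "To", "Cc", "Reply-To"):
        fields += msg.get_all(header, [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def lookalikes(trusted_raw: str, incoming_raw: str, max_dist: int = 1):
    """Addresses in the incoming message that are absent from the trusted
    message but within max_dist edits of an address that is present."""
    trusted = participants(trusted_raw)
    hits = []
    for addr in sorted(participants(incoming_raw) - trusted):
        for known in sorted(trusted):
            if 0 < edit_distance(addr, known) <= max_dist:
                hits.append((addr, known))
    return hits

# Constructed sample messages (all names and domains are made up).
LEGIT = """From: pat@designfirm.example
To: manager@clinic.example
Cc: sam@designfirm.example, lee@contractor.example
Subject: Invoice
"""
FOLLOWUP = """From: pat@desiqnfirm.example
To: manager@clinic.example
Cc: sam@desiqnfirm.example, lee@contracter.example
Subject: Re: Invoice - updated banking details
"""
if __name__ == "__main__":
    for fake, real in lookalikes(LEGIT, FOLLOWUP):
        print(f"{fake} looks like {real}")
```

A hit on a message that also announces new banking details is a reason to confirm the change with the vendor by phone before any payment is sent.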
‘Social engineering attack’
Jason Kolaski, president of Winnipeg computer support company Constant C Technology Group, says this type of fraud is becoming more commonplace, and can severely impact long-term business relationships.
“This involves two parties now that were working together.… Now there’s going to be an issue between them, and these ones are hard to resolve,” said Kolaski.
“You’re in a situation where, ‘I paid for something, [but] you didn’t get the money.'”
The lawsuit says though the emails were fraudulent, the invoices used in the scheme were legitimate and had been intercepted after the fraudsters accessed the email account of Clearview’s office manager.
“We call it a social engineering attack,” said Claudiu Popa, co-founder of KnowledgeFlow, a Toronto-based non-profit that promotes online safety.
“As part of social engineering, somebody is fooled into making a payment, transferring cash or some other financial transaction,” Popa said.
“You find the right people [and] you email them invoices — preferably with company names that they recognize,” said Popa.
Most similar cases involve hacking an employee’s emails via phishing emails, said Popa, or through a method called “password stuffing,” where a password is found on a publicly available list or database and used on an account.
“When you do that, you’ve taken control of that person’s identity. You’ve become them, so since you’re them, you are trusted by all the people who trust that individual,” said Popa.
In many cases, banks don’t have the processes in place to notify clients of a high-risk account, and “do not sufficiently scrutinize the information that they are given, like … the corporate information that they’re given,” said Popa.
The Scotiabank account the money was wired to has been temporarily frozen, according to the lawsuit.
The Bank of Nova Scotia, which is named as a defendant in the suit, responded to a request for comment on Friday afternoon.
“We are co-operating with the investigation of this external fraud event to help recover funds lost due to the fraudulent activity. As this matter is before the courts, we cannot comment further,” Scotiabank media relations spokesperson Katie Raskina said.
No statements of defence have been filed, and none of the allegations in the lawsuit have been tested in court.
CBC also contacted Clearview, JWA and Persimmon but did not receive comment prior to publication.
‘Can’t take an email at face value’
Clearview’s lawsuit is seeking an order to trace the three payments made to the Scotiabank account, as well as an order to have the money returned.
It also wants an order directing Scotiabank to disclose information to identify the fraudsters and the owners of the bank account.
As well, it claims damages of nearly $697,000 from John and Jane Doe, and any other unidentified people involved in the fraud.
Kolaski says no business can protect itself from cybersecurity breaches 100 per cent of the time, but recommends vendors always be called if there’s a notice their payment information has changed.
“You can’t take an email at face value of a banking change information,” he said.
The Canadian Anti-Fraud Centre says during the first half of this year, $284 million was lost to fraud. The centre had processed nearly 22,000 fraud reports this year, as of June 30.