City treasurer was victim of a 'whaling' scam, transferred $100K to phoney supplier

JON WILLING
Updated: April 10, 2019

City treasurer Marian Simulik. G A R T H G U L L E K S O N / O T T A W A C I T I Z E N

The City of Ottawa’s treasurer was duped in an email scam, unknowingly

transferring nearly US$100,000 to a phoney supplier, councillors heard
Monday.

Auditor general Ken Hughes and his audit staff revealed the results of a fraud investigation, laying out the
sequence of events that led to treasurer and corporate services general manager Marian Simulik’s wiring
US$97,797.20 to a fake supplier, thinking it was a legitimate email from her boss, city manager Steve Kanellakos.
Simulik received the email on July 6, 2018 and approved the funds.

On July 11, 2018, Simulik received another email, again looking like it was from the city manager, asking for
US$154,238. When she talked with the city manager, he said he had no knowledge of the request. The money
transfer in the July 11 request wasn’t made and the treasurer alerted the city’s information technology
department and staff called the Ottawa Police Service.

But the $97,797.20 of taxpayer money was already gone.

According to the auditor general, Ottawa police at the time said that since the wire transfer was completed, there
was nothing they could do.

As it turns out, the U.S. Secret Service was monitoring an American bank account tied to the fraudulent money
transfers. U.S. authorities seized US$88,000, but those funds also included payments from another victim. The
city is now hoping to recover some of its funds.

A man was arrested in relation to the U.S. criminal investigation. His trial in Miami is scheduled to start in July.
“It was pure luck (the Secret Service) were monitoring this particular account,” Hughes said.
Hughes said there was no indication of wrongdoing by city staff.

It was a spoof email that tricked Simulik. The fraudster’s actual email address could have been revealed by
hovering a cursor over the city manager email address.

Here’s what the fraudster wrote to the treasurer, as laid out in Hughes’s investigative report:
“Okay, I want you to take care of this for me personally, I have just been informed that we have had an offer
accepted by a new international vendor, to complete an acquisition that i have been negotiating privately for
some time now, in line with the terms agreed, we will need to make a down payment of 30% of their total, Which
will be $97,797.20. An announcement is currently being drafted and will be announced next week, once the deal
has been executed, for now I don’t want to go into any more details. Until we are in a position to formally
announce the acquisition I do not want you discussing it with anybody in the office, any question please email me.
Can you confirm if international wire transfer can go out this morning?” The rest is history.

Kanellakos said the treasurer was the victim of a “whaling” cyberattack, which targets high-level executives in an
organization.

Someone tried to trick the treasurer before July, too.

According to the auditor general, an email in spring 2018 came in from someone purporting to be the chief
executive of the Ottawa Public Library asking for funds. The email, however, didn’t have the required banking
information. When the library executive was contacted for banking details, she said she never sent the original
email. There was no money transfer, but it wasn’t reported to the city’s technology security or the auditor
general.

The finance and procurement departments are developing a communication to all management to reinforce the
policies and procedures for payments to vendors, city management said in its response to Hughes’s investigation.
Normal procedures would have the payment go through the accounts payable branch or financial services unit,
the auditor general said.

An emotional Simulik faced council’s audit committee to express how upset she is over the ordeal.
“I have prided myself for responsible and professional stewardship of taxpayers’ money for the last 28 years,”
Simulik said. “That I should be the target and the victim of this sophisticated attack has affected me deeply both
professionally and personally.”

Simulik, who’s a highly respected senior manager at city hall, is retiring at the end of 2019.
The auditor general didn’t find any other money transfers to fraudulent suppliers in recent years. Hughes said
auditors went to the city’s bank and asked for a list of every wire transfer going back to 2016. They were all
justified and appropriately approved, he said.

In the case of the phoney email to the treasurer, the purported supplier to be paid the city money wasn’t a
regular city supplier, Hughes said.

The investigation found “dangerous control weaknesses” when it came to wire transfers. The city is reviewing the
process.

Hughes said auditors asked both Kanellakos and previous city manager Kent Kirkpatrick if they had ever asked the
treasurer to do a wire transfer by email. Neither could recall making that kind of request, Hughes said.
Kanellakos defended Simulik.

“The fact is, the treasurer acted based on what she had every reason to believe was my authority to process this
transaction. She didn’t breach any rules,” Kanellakos said

Kanellakos said the case shouldn’t call into question the city’s accounts payable process, since more than 350,000
payments are processed each year, collectively valued at more than $3 billion. Accounts payable was audited
already and a followup audit is in the works, he said.

Deputy city treasurer Isabelle Jasmin said the city is acting on all of the auditor’s recommendations to tighten
technology and financial controls.