Small businesses and vulnerable people are not the only ones to be victims of scammers: Hydro-Québec has just been the victim of a “supplier fraud” of nearly half a million dollars, according to a source familiar with the matter and as confirmed by the Crown corporation itself.
What there is to know
- A fraudster illegally got his hands on a payment of nearly $500,000 from Hydro-Québec this month.
- The police are investigating the case.
- Experts say this type of fraud is common.
A fraudster allegedly impersonated a company with which Hydro-Québec does business in order to change the bank details to which payments are directed. A total of $463,968.19 is now missing.
This type of ploy is relatively common in the business world and companies should be extra careful to guard against it, according to cybersecurity experts.
In response to questions from The Presslast Friday, Hydro-Québec confirmed that an investigation had been launched into this situation.
“On July 8, a Hydro-Québec supplier was the victim of fraud, which resulted in the theft of confidential information,” said spokesperson Caroline Des Rosiers by email.
Using this information, the fraudster changed the bank details used by Hydro-Québec to pay bills. An amount of $463,968.19 was therefore paid into an account that was not that of the supplier.
Caroline Des Rosiers, spokesperson for Hydro-Québec
Hydro-Québec filed a complaint with the Sûreté du Québec (SQ).
“It is important to emphasize that only the supplier’s systems were targeted,” assured Mr.me Des Rosiers. At no time and in no way were Hydro-Québec’s computer systems compromised. That said, in accordance with our practice of reviewing our internal procedures on an ongoing basis, an analysis is underway to identify any improvements that could be made.
“It’s regular”
According to two cybersecurity experts, this type of fraud is far from rare in Quebec.
This is the kind of case that I unfortunately deal with regularly. It is not daily, but it is regular in companies that have poor control systems.
Paul Laurier, ex-police officer and boss of the Vigiteck firm
Laurier said tighter checks can often prevent this type of scam. “Normally, there are supposed to be several checks before changing account numbers in payment systems,” he said. “It’s surprising. I don’t understand how the control didn’t work internally.”
Steve Waterhouse, a cybersecurity consultant, is also working on several of these cases.
Hydro-Québec, “it’s their turn,” said Mr. Waterhouse in a telephone interview. “A weak link, a third party was exploited so that Hydro would transfer this money.” The expert does not blame Hydro-Québec, but rather the supplier.
Cybersecurity consultant Steve Waterhouse would like to see the Quebec government adopt stricter cybersecurity requirements for its suppliers, as the federal government and the American government already do.
According to the two experts, it is possible that an employee of Hydro-Québec or the supplier is involved in this scam, particularly to target a payment of this size.
Hydro-Québec’s “corporate cybersecurity” department employed nearly 300 people last May, according to an article in Montreal JournalIn 2020, there were half as many. The service’s budget also increased from 52 million to 81 million over the same period.
In total, the state-owned company has more than 20,000 employees.