Skip to main content
  • Cybersecurity

Waterloo Brewing discloses social engineering attack that cost $2.1 million

By Jon Lewis
Product Marketing

This morning Waterloo Brewing announced that earlier in November they experienced a social engineering cyberattack that has cost them $2.1 million CAD. 

They said this attack involved impersonation and a fraudulent wire transfer. As far as they’re aware, there has been no system breaching or customer data loss. 

Unfortunately this type of attack is happening more often to Canadians, and no business or industry is immune. 

This summer, the City of Saskatoon transferred over $1 million to a scammer who stole the identity of the chief financial officer of a construction company the city works with.

While no disclosures of successful attacks have happened yet, this month the Yukon RCMP are warning people from several communities about fraudulent emails impersonating people’s bosses.

And it’s not just businesses that are targets. The Chartered Professional Accountants of Canada’s annual fraud survey this year found that 53% of Canadians have experienced email fraud. One recent high-profile case was a man from Calgary transferring roughly $800,000 to a scammer impersonating the realtor for a property he was buying in the U.S. 

The scary part about the brewery incident is that it didn’t involve intricate hacks, breaches or malicious software that technology could (hopefully) protect against. People, not machines, were the main attack vector.

Without a strong understanding of cybersecurity fundamentals, people will bring these risks into the workplace. So, how can businesses protect themselves?

Review corporate policies

The first approach to mitigating this threat is to review corporate policies around money and payments. This might include some technology solutions, but it will likely include a review of approval steps and personal workflows. 

For example, the finance department of CHEO, the Children’s Hospital of Eastern Ontario, doesn’t accept email approvals from their chief executive, and instead requires in-person visits to approve spending. 

“Our finance department is now getting a couple of emails weekly from ‘fake me’. So they’re ignoring my electronic messages and doing friendly visits instead,”

Alex Munter
CHEO’s chief executive officer.

Educate employees

It’s also important to implement cybersecurity awareness training for all employees in your organization, so they can be empowered to identify fraudulent requests, impersonated emails, and fake websites.

Cybersecurity awareness training also doesn’t have to be purely about identifying risks — it can also be used to reinforce internal practices and policies. Businesses with a training platform should be enrolling their employees in mandatory courses on the critical processes and policies they need to be following, and make people review them on a frequent basis. 

In our annual cybersecurity survey, we found that only 41% of businesses make cybersecurity awareness training mandatory for all of their employees. Even the most cyber-aware individuals get caught sometimes, which is why ongoing training for everyone is so important.

At the end of the day, a real person initiated these wire transfers inside Waterloo Brewing, and the only way to protect against this type of fraud is to educate the people doing the work and empower them to sniff out when something isn’t right. 

That way, your people can keep the beer drinking to the good times, instead of pouring one out for the millions of dollars they lost to a scammer.

About the author
Jon Lewis

Jon champions the people-side of cybersecurity as the marketing lead for CIRA’s cybersecurity awareness training platform. His background in enterprise data marketing and teaching organizational behaviour at the university level allows him to develop resources for Canadian businesses to help them engage their employees and empower them to reduce their cyber risk.