OTTAWA – The city’s Audit committee heard how one of their own money experts was fooled by a fraudster in a scam that will cost the city more than $100,000.

Auditor general Ken Hughes told the Audit committee of the fraud at Monday’s (April 8) committee meeting.

Hughes confirmed his investigation found city treasurer Marian Simulik was fooled in to sending roughly US$98,000 from Ottawa’s treasury to a fraudulent account in July 2018.

The phishing email purported to be from city manager Steve Kanellakos, asked Simulik to wire the money to a specified account in order to complete an acquisition on behalf of the city. Simulik sent a few emails back and forth with the fraudster and ultimately signed off on the transfer, with the city’s treasury branch issuing the funds later that day.

Five days later, another phishing email instructed Simulik to send some US$150,000 for a similar purpose, but this time she was attending a city council meeting and was seated next to Kanellakos himself. When she asked him about the email, he said he had no knowledge of the request, at which point both realized the city had fallen victim to fraud.

Simulik then reported the incident to the city’s IT branch, which in turn involved the auditor general. The resultant investigation turned up a similar incident earlier that spring, in which a phishing email purporting to be from the CEO of the Ottawa Public Library requested a wire transfer, but the treasury branch contacted the proper authority and did not act on that scam.

The committee heard there is hope of some of the money being returned due to a related arrest by the United States Secret Service of a suspect now awaiting trial.

Simulik made a statement to the committee expressing embarrassment at having fallen victim to the scam following nearly three decades of treasury work.

Simulik, who is retiring from her post at the end of the year, added she won’t be commenting further while the matter is before the courts. Following his investigation, Hughes concluded there was no fraudulent wrongdoing by Similuk or any other city staff.

Because of this incident, Ottawa is improving its management procedures and cyber security training.

 The city is seeking return of most of the funds from the US authorities, who intervened in the case and froze the bank account of the perpetrators.

The Information Technology Security branch has developed and launched a mandatory corporate-wide cyber awareness training program and has deployed a new email security feature to all city employees that produces a caution banner when an email is received from an address external source to heighten employees’ awareness of spam and other suspicious emails.

The Payment to Vendors Policy and Procedures are being updated to incorporate specific policies and procedures related to wire transfer payments. In the interim, Treasury met with Accounts Payable and the Financial Services Unit (FSU) to confirm that effective immediately, all requests for wire transfer payments will be reviewed and approved by either the FSU or Accounts Payable prior to processing.

City management agrees with all the auditor general’s recommendations in nine detailed audit reports, presented as part of the Auditor General’s Annual Report.

“These audits show strong performance in our management of the Social Housing Registry of Ottawa, contracts and critical services such as the frozen water pipes program,” said Kanellakos. “We will act quickly in areas identified for improvement, such as bringing on more technology and rigorous staff training for cyber security; a challenge that major companies and public organizations around the world are also facing.”