Cyber Incident Victim: Essex Region Conservation Authority
Date: Jul 2020
Location: Canada
Summary
The Essex Region Conservation Authority was defrauded of $300,000 through a phishing attack where an impersonator posed as an internal staff member, tricking an employee into sending two unauthorized e-transfers to falsified accounts. Following discovery, the organization reported the incident to its bank, law enforcement, and insurers while confirming no donor funds or additional IT systems were compromised. Internal controls were strengthened to prevent recurrence, and a criminal investigation remains ongoing alongside a review of existing processes.
Description
The Essex Region Conservation Authority (ERCA) fell victim to a phishing scam in July 2020, resulting in a total loss of $300,000 CAD. The incident began when an unidentified fraudster sent a "complex phishing email" impersonating an internal ERCA staff member to an employee. This deception led to two unauthorized electronic transfers to falsified bank accounts. The first transaction occurred on July 14, 2020, when $61,876 was transferred. A second fraudulent request followed on July 27, 2020, resulting in a substantially larger transfer of approximately $230,865. ERCA management discovered the fraud on September 3, 2020, nearly seven weeks after the initial transaction.

Upon detection, ERCA immediately reported the unauthorized payments to its financial institution and engaged the Ontario Provincial Police to initiate a criminal investigation. The organization notified its insurer and implemented additional internal financial controls to prevent recurrence. ERCA confirmed its IT systems weren't further compromised beyond the initial phishing attack and committed to reviewing existing processes for potential improvements. The conservation authority clarified that no funds from the Essex Region Conservation Foundation or donor contributions were impacted. Board Chair Kieran McKenzie publicly assured stakeholders that authorities were conducting a full investigation. As of September 4, 2020, the investigation remained ongoing with no public disclosure of suspect identification or fund recovery. The incident highlighted vulnerabilities to social engineering attacks within organizational financial workflows.
