In an unfortunate incident highlighting the growing threat of supplier scams, Hydro-Québec recently admitted to falling prey to a fraudulent scheme. On July 8, the Crown corporation mistakenly transferred over $450,000 to a scammer posing as one of its suppliers. The fraudster used stolen confidential information to alter the bank details for bill payments, resulting in a payment of $463,968.19 to an unauthorized account.
Caroline Des Rosiers, spokesperson for Hydro-Québec, said that the utility’s own systems were not compromised, emphasizing that the breach targeted the supplier’s systems. Despite this, the incident underscores a significant vulnerability in the supply chain, as highlighted by cybersecurity experts Claudiu Popa and Steve Waterhouse.
Popa, in an interview with CBC News, explained that this type of phishing scam is increasingly common. Fraudsters either hijack a supplier’s email account or use a lookalike email address to request changes in payment details, and those changes often go unnoticed until it’s too late. Waterhouse added that suppliers are targeted because their cybersecurity protocols are generally weaker than those of larger organizations.
The experts stressed the need for enhanced checks and balances within organizations. Popa criticized the over-reliance on supply chains managing themselves and suggested regular simulations to test and improve security measures. Waterhouse emphasized the importance of comprehensive training for everyone involved in the supply chain, from suppliers to contract managers.
Hydro-Québec has launched an internal review to identify potential improvements in its procedures. This incident serves as a stark reminder of the need for robust cybersecurity practices and vigilance in monitoring supply chain activities.