Waterloo Brewing has lost millions in an impersonation scheme, an incident the company described as a “social engineering cyberattack” by a sophisticated third party. In its November 21, 2019 media release, the Kitchener firm announced that the attack occurred earlier this month and it has not yet recovered any of the $2.1 million wired to the fraudulent third-party account.
“This is a very common attack,” said Professor Florian Kerschbaum of the Cheriton School of Computer Science. “It’s probably one of the most successful attacks because the damage is very, very high.”
Waterloo Brewing has launched an investigation into its accounts and computers. The brewery doesn’t believe any of its systems were breached and says the personal information of its customers was not compromised. Experts say schemes like these are hard to spot because they rely on human interactions.
“The attackers really know who they need to impersonate, who they need to talk to, what amounts they can request,” said Professor Kerschbaum, who is also the executive director of the University of Waterloo’s Cybersecurity and Privacy Institute. “They’re very capable of constructing a believable lie.”
While Waterloo Brewing is taking measures to recover the missing money, there is no guarantee whether all or a portion of the misappropriated funds will be returned.
“Usually these people have intermediaries,” said Professor Kerschbaum. “People who are not afraid of legal penalties and therefore they can send the money via means that are no longer traceable.”