Someone pretended to be Hamilton police — it led to a fake story about cryptocurrency theft

'It fell apart … where the police corroborated a story that wasn’t real,' says cybersecurity expert

Image | Hamilton police

Caption: The police service issued a media release on Wednesday afternoon saying it is investigating to find out who sent the email. (Bobby Hristova/CBC)

Editor's Note: The original version of this story was removed from publication and rewritten because it described an investigation that was later found to be false. Details of the alleged investigation had been confirmed by the Hamilton Police Service prior to publication. Police later explained to CBC News that their email was spoofed. This article has been updated.

The Hamilton Police Service says someone "spoofed" the email address it uses to communicate with the media — leading to a fake story about cryptocurrency theft that police say gained international attention.
The service alerted newsrooms on Wednesday, two days after CBC Hamilton received an email about a reported cryptocurrency theft from what appeared to be the police department's public affairs email account.
A federal government web-page(external link) says spoofing is when a cyber criminal disguises "malicious communication or activity as something from a trusted source."
"For example, a scammer may send you an email from an address that resembles a colleague, friend or trusted company. At first glance, the email may seem real, but the scammer is hoping that you click on a link, open an attachment or give up personal information."
Jackie Penman, spokesperson for the police service, told CBC Hamilton by phone on Wednesday morning, "We know it wasn't hacked, it was spoofed."
The police service issued a media release on Wednesday afternoon saying it is investigating to find out who sent the email.
"Impersonating a police officer is a criminal offence," the police said.
"Hamilton police recognize the public's trust in the police is very important and incidents like this can cause the community to second guess police communication."

Fake info was about cryptocurrency theft

CBC Hamilton received the email in question on Monday, from what appeared to be the same address police regularly use to send news releases and answer questions from journalists.
The email told the tale of a joint investigation between Hamilton police, the Federal Bureau of Investigation (FBI) and the United States Secret Service Electronic Crimes Task Force.
It said two teens tricked an American into giving up $4.2 million in cryptocurrency.
The email CBC received didn't contain any links or attachments.
CBC sent followup questions to the same email address before publishing a story to confirm details of the case. The questions were about the teenagers' ages, genders and arrest dates. CBC received emailed answers from a media relations officer with the police service.
Const. Indy Bharaj confirmed he was the media officer who responded to the followup questions. The Hamilton Spectator(external link) reported police forwarded the email with the fake information to one of its reporters, thinking it was genuine.
One of the followup answers CBC received Tuesday stated the teens were arrested in 2020 — despite the fact the initial information Monday stated the investigation took place this summer. Hamilton police had shared a media release in 2021(external link) about a similar investigation in 2020 — a case the Monday email referenced.
"There was confusion because we believed we were referencing a case from 2021," Penman said Wednesday.
Police followed up early Wednesday morning, saying they were looking into the case. Several hours later, they told CBC that the information sent Monday was in fact false.

Spoofer's motives confuse expert

CBC has contacted Ontario's information and privacy commissioner to confirm if it is aware and investigating the incident.
The office of the privacy commissioner said Wednesday afternoon it hasn't been notified of the incident and hasn't received any complaints.
"If a public institution in Ontario, such as a police service, has experienced a breach, or suspected breach, involving the personal information of individuals, we expect them to contact our office as soon as reasonably possible."

Image | Ann Cavoukian

Caption: Ann Cavoukian, former privacy commissioner of Ontario, calls the Hamilton police spoofing incident 'frightening.' (Joe Fiorino/CBC)

Ann Cavoukian, the former privacy commissioner, was reached by phone Wednesday. She said the spoofing incident is "frightening" and these cases are "rampant."
Cavoukian initially said the spoofed email was a sign there's a vulnerability within the police service's cybersecurity. However, she clarified she meant whoever perceived the email to be real should be increasing efforts to better identify spoof emails — in this case, both CBC and police.
"We all have to be on guard," she said, adding police should be focusing their efforts on tracking down the spoofer.
Cat Coode, founder of Ontario-based cybersecurity firm Binary Tattoo, said what happened isn't a cybersecurity issue for the police service or anyone involved.
She said it's akin to a crank call, or someone putting another person's name on mail and sending it out.
Coode also said given the email was all text, she is baffled by the spoofer's motives.
"In terms of the cyber part of this, nobody did anything wrong … you had every reason to believe it was legit," she said.
"It fell apart … where the police corroborated a story that wasn't real."