Shortly before noon on June 17, someone attempted to access banking information belonging to two Canadian prime ministers at the Royal Bank of Canada.
The person succeeded in viewing current Prime Minister Mark Carney’s information, and attempted to access former prime minister Justin Trudeau’s.
But the perpetrator wasn’t a hacker who had wormed his way into the bank’s IT systems. It was one of RBC’s own employees, a 23-year-old client adviser named Ibrahim El-Hakim working out of a branch near Parliament Hill, police allege in court documents.
The employee’s workstation, housed within a gleaming office tower at 99 Bank St., was under video surveillance, according to court documents. And his activity in RBC’s internal sales portal was being tracked by the bank, which monitors employees’ access of customer accounts.
The allegations against Mr. El-Hakim, which have not been proven in court, are the latest example of a pervasive problem facing Canadian banks and other institutions: the threat that someone inside the organization could abuse their access to critical systems and data.
A rogue employee can do considerable damage to an organization, from committing fraud to stealing sensitive information to letting hackers into the network. Sometimes rogue employees have been recruited by organized crime groups, as police believe was the case with Mr. El-Hakim.
The repercussions for companies can be devastating. Reputational damage can ensue, as can lawsuits, financial losses and even blowback from regulators. And it’s not only banks that are affected.
“Any major corporation has information that is worth money,” said David Coffey, a detective in the Toronto Police Service’s financial crimes unit.
Police investigations involving company insiders are becoming increasingly common, Mr. Coffey said. “We often come across internal threats. It’s not the norm, per se, but it’s certainly not unusual.”
More than 70 per cent of the 32 Canadian organizations that participated in a recent survey experienced at least one incident involving an internal threat in the past year, according to a report published earlier this month by Deloitte Canada and the Canadian Insider Risk Management Centre of Excellence. The most common insider threats experienced involved the theft of personal information, followed by the theft of intellectual property. Organizations also reported experiencing fraud, sabotage and foreign interference stemming from internal threats.
Incidents involving insiders have also become costlier for organizations, according to the Ponemon Institute’s most recent annual global survey. The total average annual cost of an insider incident rose to US$17.4-million last year, up from US$16.2-million in 2023, according to the report from the Michigan-based research firm.
Insider threats are top of mind for Canadian banks, according to experts. The industry is discussing the issue with government agencies such as Canada’s financial crime watchdog.
The Financial Transactions and Reports Analysis Centre of Canada generates “extensive guidance and indicators” to help businesses identify the laundering of proceeds from various types of crimes, FinTRAC spokesperson Darren Gibb said in a statement.
“As part of these efforts, the Centre is working collaboratively with Canada’s large banks to help combat different forms of insider abuse,” Mr. Gibb added.
The financial sector “has the best insider risk management programs in Canada at the moment,” said Victor Munro, executive director of the Canadian Insider Risk Management Centre of Excellence.
Over all, however, the country is lagging the United States and Australia when it comes to tackling insider threats at a systemic level, Mr. Munro said.
“What we’re seeing in insider threat right now in Canada is still this reluctance to admit that organizations have been victim to insider threat attacks. So that causes a challenge, not just for the industry, but also … to conduct research on how bad is the phenomenon in the Canadian experience,” he said.
‘I would have asked for more’
As is often the case, Mr. El-Hakim, who no longer works at RBC, wasn’t acting alone, according to an affidavit from an RCMP officer filed in court. He’d been lured into a broader fraud scheme by someone on Telegram using the alias AI World, which police believe is a group linked to organized crime. The Telegram user asked him to create banking profiles and use them to obtain credit cards, which were subsequently maxed out. According to RBC’s internal investigation, the total credit-card fraud amounted to $68,500.
Banks are particularly attractive to criminals looking to place or recruit insiders, Mr. Coffey said. “Bank employees are the gatekeepers and they have a lot of potential for doing harm,” he said.
In April of 2024, Toronto police made 12 arrests and laid 102 charges in connection with a synthetic-identity fraud ring that led to $4-million of losses. One of the people charged as a result of that investigation, which police dubbed Project Deja Vu, had worked at three different banks over three years, opening accounts using synthetic identities, according to Mr. Coffey. (Synthetic identities are created by blending real details with fake ones to create false identities.)
The insider, Mueed Tanveer, pleaded guilty last month to one count of theft over $5,000, received a 16-month conditional sentence and paid $15,000 of restitution, Mr. Coffey said.
South of the border, the U.S. Department of Justice has charged former TD Bank employees, accusing them of accepting bribes in exchange for laundering drug money and opening bank accounts. The U.S. Department of Justice’s case against TD revealed that criminals routinely deposited stacks of U.S. dollars at various branches in the New York borough of Queens.
Last October, TD pleaded guilty to conspiracy to commit money laundering.
Insider threats extend to sectors beyond banks. Telecom employees can, either wittingly or unwittingly, facilitate fraud by porting a customer’s phone number to a SIM card controlled by a scammer in what’s known as a SIM card swap. The criminal is then able to reset passwords to the victim’s e-mail, banking or other online accounts by using SMS-based two-factor authentication.
In July, hackers messaged a BBC reporter through Signal and offered to cut him in on a ransom payment if he helped them gain access to the public broadcaster’s systems.
One particularly widespread insider scheme involved North Koreans posing as remote IT workers to secure jobs at more than 100 American companies. Once employed, the North Koreans not only received salaries – they also gained access to sensitive company assets such as U.S. military technology and virtual currency, the U.S. Department of Justice said in June as it announced actions it had taken to dismantle the scheme.
Canadian authorities, including the RCMP, have warned companies to be on the lookout for remote workers deployed by the North Korean government, stating in a July advisory that “employing these individuals could result in legal consequences under Canadian sanctions, expose your organization to data theft and corporate espionage and indirectly contribute to North Korea’s weapons of mass destruction and ballistic missile programs.”
Sometimes criminals recruit insiders in person, for instance by befriending a bank teller, Mr. Coffey said. But more often it’s by messaging many people online until someone bites, similar to a phishing campaign.
“Everybody’s using Telegram because it’s anonymous,” said Chris Mathers, a former undercover RCMP officer and president of consulting and investigative firm Chris Mathers Inc.
Andréanne Bergeron, a security researcher at Montreal-based threat intelligence firm Flare Systems Inc., said a quick scan of the dark web revealed 15 threads in which threat actors were seeking insiders for jobs. Seven were specifically looking for Canadians, including within law enforcement, telecommunications and Canada Post.
For insiders, the motivations are usually financial. An employee who has developed a gambling or drug addiction and owes money to loan sharks, for instance, can more easily become compromised, Mr. Mathers said.
Mr. El-Hakim was paid $500 each time he completed a request from AI World, police allege. In total, he received $5,000 in payments to his accounts at Toronto-Dominion Bank and Canadian Imperial Bank of Commerce, according to court documents. (Representatives of CIBC and TD declined to comment on whether they provided information about Mr. El-Hakim’s accounts to FinTRAC or law enforcement.)
To Ms. Bergeron, the payments that Mr. El-Hakim received seem low considering that the crime could not have been committed without his help.
“I would have asked for more,” she joked.
However, there’s likely a psychological aspect at play, she added. “Maybe it normalizes the transgressions; it makes the employee feel like it’s not a big crime, because it’s not a big sum,” she said.
Once an employee has complied with one illegal request, their past actions can be used as leverage against them, making it difficult for them to turn down future requests, she added.
The stolen data can be used to extort or scam the victim, or sold on the dark web, Ms. Bergeron said.
When foreign adversaries plant or compromise insiders within government agencies, sensitive intelligence belonging not only to Canada but also to its allies in the Five Eyes community — Canada, the United States, Britain, Australia and New Zealand — can be at stake, Mr. Munro said. One of the more prominent examples of this in Canada occurred more than a decade ago when Jeffrey Delisle, a sub-lieutenant in the Royal Canadian Navy, sold secrets to the Russians. (Mr. Delisle pleaded guilty.)
For banks, the fallout resulting from a rogue employee can be disastrous, said Alana Scotchmer, a partner who specializes in financial services regulation at Gowling WLG. The reputational damage can cause a significant hit to business, while lawsuits from those harmed by the incident can be costly, she said. Breaching the Personal Information Protection and Electronic Documents Act can result in fines, and if the Office of the Superintendent of Financial Institutions becomes concerned that the bank in question isn’t managing risk appropriately, it might require the company to keep more cash on hand for lawsuits and regulatory fines.
“Even when these things happen rarely, they can have huge consequences,” Ms. Scotchmer said.
‘Unavoidable exposure’
It’s “nearly impossible” to fully eliminate insider risk, Ms. Scotchmer said.
Employees will always require a certain level of access to corporate systems to do their jobs, which creates “unavoidable exposure,” Mr. Munro said.
Still, measures can be taken to reduce the level of risk.
Nathalie Bergeron, a spokesperson for the Canadian Bankers Association, said banks invest heavily in technology, security, employee training and privacy management programs to keep information secure.
“Safeguards are in place, in compliance with applicable privacy laws and employee rights, to monitor employee activity, protect against fraud and financial crime, while having robust processes to escalate any irregular activity to the appropriate authorities,” Ms. Bergeron said in a statement.
“At the same time, banks continue to adapt to a rapidly changing threat landscape, using several lines of defence to safeguard their clients’ personal and financial information,” she said, adding that financial institutions are working closely with one another as well as with government, regulators and law enforcement to share intelligence and combat threats.
To effectively combat the threat of rogue employees, organizations should have dedicated insider risk programs, said Mr. Munro, who is completing a PhD on insider threat mitigation at Carleton University. Some also employ technology such as user and entity behaviour analytics, or UEBA, tools, which use machine learning to identify and flag anomalous employee behaviour.
However, unlike in the U.S. and Australia, Canadian government entities aren’t mandated to have dedicated insider risk programs. While the policies in those two countries apply to the public sector, the private sector has adopted them as best practices, Mr. Munro said.
Organizations can also take steps to limit the damage that could ensue from an insider attack, Mr. Coffey said. For instance, telecoms facing a flood of fraudulent SIM swap transactions introduced limits to the number of SIM card changes that an employee could facilitate.
“They made changes,” Mr. Coffey said. “The banks will have to make changes, too, or else they’re all going to have egg on their face.”
Open to work
Mr. El-Hakim has not yet responded to the allegations against him. However, police allege that he admitted to participating in the fraud scheme during a June 27 interview with RBC’s director of security. He allegedly showed the security director his Telegram conversation with AI World and allowed him to take a photo of it, which is included in the court filing. After he’d been hired in 2022, he completed training on employee ethics and protecting personal information, according to court documents.
During a brief court appearance Wednesday, Mr. El-Hakim’s lawyer, Ronald Guertin, called the RCMP investigation “rather involved,” and said he is still awaiting further disclosure from the Crown. The next hearing in the case is scheduled for Nov. 5.
Mr. Guertin did not respond to a request to comment for this story.
A LinkedIn profile belonging to someone named Ibrahim El-Hakim who fits the ex-RBC employee’s description indicates that he graduated from Carleton University in April, 2024, with a bachelor’s degree in economics, accounting and finance.
In addition to the client adviser role at RBC, the LinkedIn page lists a sales consultant position at Virgin Plus, a subsidiary of BCE Inc., starting in 2021.
BCE spokesperson Ellen Murphy said Mr. El-Hakim left Virgin in 2023, and that there are “no indications of fraud or other such issues” from his time at the company.
The LinkedIn account has a photo depicting a young man with a neat haircut and a mustache and goatee, wearing an untucked, collared grey shirt. He’s standing outside, smiling, his hands in his pockets as he gazes off to the side. The photo looks to have been taken at night.
Along the bottom is LinkedIn’s green banner indicating that he’s open to work.