According to Beharry, the transfers were made by low-level staff, and he said the university would change its process to require "secondary and tertiary" levels of approval in the future.

The phishing attack targeted the university's payment department with "an email address that appeared to originate from the vendor" that led staff to "a domain site with the authentic logo and everything," he said.

Law enforcement, working with bank investigators, have traced $11.4 million to accounts in Canada and Hong Kong, and managed to freeze those funds. Beharry said there was a good chance the school would recover that money, although it's unclear how quickly that might happen.

According to The Griff, the school's student newspaper, MacEwan University ran a campus-wide phishing awareness campaign over the last year.