Over 90% of all fraud losses in schools start with a phishing attack – so how can you avoid this? Ian Buss, director at Education Banking Consultancy, shares his advice
How comfortable are you that everyone in your school using email can spot a phishing
email? There is no such thing as being too careful when it comes to avoiding fraud in the education sector.
Unfortunately, schools are considered to be easy prey for fraudsters. I suspect you will have
already seen attempts at banking fraud at your school and, hopefully, you will have not lost
any funds. Despite most of us seeing (and stopping) some kind of fraud attempt, fraud
losses incurred by the education sector continue to increase at an alarming rate, with actual
losses almost tripling in a year.
Fraud such as cyber-fraud, identity theft and credit card fraud is now the most prevalent
crime, costing the UK an estimated £190bn a year. I have recently had the privilege of presenting to a number of schools in MATs on the subject of fraud and, despite a wide knowledge that the risk of fraud is high, nearly all schools I spoke to have not put all of their staff through fraud training. As fraudsters get more sophisticated and organised, we all need to be aware of the risks to
the data and funds which our schools control.
Invoice fraud
Around two out of every three pounds lost to fraud in the education sector is in the form of invoice fraud, with CEO impersonation fraud being the next biggest cause of loss.
We have probably all seen fake invoices sent to us in the post, or by email, and most of us
have systems in place to recognise that these are not expected, making such attempts less
successful than they were a few years ago.
These days fraudsters have taken invoice fraud up a level. They are hacking email accounts – your own account, or one of your supplier’s accounts. Once the account is hacked, the fraudsters can sit and wait patiently for the supplier to send you an (expected) invoice. It is at this point they step in and intercept the email and change the invoice bank account details.
Whilst your school may have systems in place to control the change of a supplier’s bank account, these types of fraud do still happen, and the losses can be huge; just recently a local school lost over £40,000 to fraudsters who intercepted and changed a genuine emailed invoice.
CEO fraud
We have probably all seen emails purporting to be from our head or CEO asking us to send
money somewhere. Most of these have similar – but not quite right – email addresses to the real person.
However, with phishing attacks being more sophisticated, resulting in malware being
installed on school IT systems. Fraudsters are taking the opportunity to hack the genuine
email accounts allowing them to send, read and edit all emails. This gives them the opportunity to learn the language used in order to make their fraudulent request for transfer appear more genuine.
We might say ‘this wouldn’t happen to us’ but nearly a quarter of all fraud losses happen this way.
Phishing – think before you click!
So how do fraudsters get access to the IT system to enable them to hack an email account?
Around 90% of successful fraud attacks start with an individual in your school clicking on a
link in an email or web page that then installs malware.
Think about who, in your school, has access to external email; I suspect it is almost everyone. Now ask yourself ‘When did we last give all staff some form of fraud awareness training?’ If your answer is ‘We haven’t’ or ‘Not in the last year’, then the training is overdue.
Practical steps to protect your school
Raise awareness of fraud, and have clear procedures for supplier bank amendments, including the registering of new suppliers.
Conduct regular fraud training and testing.
Never assume a caller/emailer is your bank, supplier or a senior leader – regardless of how much they appear to know.
Remind staff – your bank will NEVER ask for a full password or two-factor authentication codes.
Use two-factor authentication for important logons such as email.
Prevent malware form being installed on your system. Update all security patches on software and do not use removable media such as USB sticks. Keep your virus software and firewalls up to date.
Consider awareness lessons for students on fraud and identity theft.
Education Executive readers can download a free, 30-minute fraud awareness video from:
Be the first to comment