Are you an easy target?
Updated: Jan 20
This article appeared in the December/January 2020 issue of Education Executive Magazine
Admit it. You’re an easy target.
Don’t worry, it’s not just you, all schools are considered to be an easy target for fraudsters. In fact, fraud losses incurred by the Education Sector increased by 280% from 2017 to 2018.
In wider society, the Office of National Statistics estimate that over 3 million adults were victims of fraud in 2018. Despite these facts, nearly all schools I talk to have not put their staff through fraud training.
As fraudsters get more sophisticated and organised, we all need to be aware of the risks to the data and the funds our schools control.
Around 2 out of 3 fraud losses in the education sector are in the form of Invoice Fraud with CEO impersonation fraud being the next biggest cause of loss.
We have probably all seen fake invoices sent to us in the post or by email and most of us have systems in place to recognise that these are not expected, making this route less successful than it was a few years ago.
These days fraudsters are hacking email accounts which could be either your account or one of your supplier’s accounts. Once the account is hacked, the fraudsters can sit and wait patiently for the supplier to send you an (expected) invoice. It is at this point they step in and intercept the email and change the invoice bank account details. Whilst your school may have systems in place to control the change of a supplier’s bank account, these types of fraud do still happen, and the losses can be huge.
There was a well-publicised case in summer 2019 of a primary school on the south coast losing £19,000 of funds raised by parents to improve playground facilities. They were expecting the invoice, but fraudsters had hacked an email account and changed the account details. The money has long since been transferred abroad.
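The control the article alludes to (a system for handling changes to a supplier's bank account) can be made mechanical at the point of payment. The following is an added example, not code from the article or from Education Banking: before a payment run, every invoice's bank details are compared with the supplier master record, and any difference puts the invoice on hold unless that exact change has already been confirmed by a callback to the phone number held on file (never a number quoted in the email carrying the invoice). Supplier names, account numbers and the phone number are constructed sample values.

```python
"""
Added example (not from the article): a pre-payment check for supplier bank
detail changes. All supplier and invoice data here are constructed samples.
"""
from dataclasses import dataclass, field


@dataclass
class Supplier:
    name: str
    sort_code: str
    account_number: str
    phone_on_file: str
    # (sort_code, account_number) pairs confirmed by calling phone_on_file
    verified_changes: set = field(default_factory=set)


@dataclass
class Invoice:
    supplier: str
    amount_gbp: float
    sort_code: str
    account_number: str


def digits(value: str) -> str:
    """Normalise '12-34-56' and '12 34 56' to '123456' so formatting cannot hide a change."""
    return "".join(ch for ch in value if ch.isdigit())


def check_invoice(inv: Invoice, master: dict) -> tuple:
    """Return ('PAY' | 'HOLD', reason) for one invoice against the supplier master."""
    sup = master.get(inv.supplier)
    if sup is None:
        return ("HOLD", "unknown supplier: set up only after phone verification")
    presented = (digits(inv.sort_code), digits(inv.account_number))
    on_file = (digits(sup.sort_code), digits(sup.account_number))
    if presented == on_file:
        return ("PAY", "bank details match the supplier master record")
    if presented in sup.verified_changes:
        return ("PAY", "changed details previously verified by callback to " + sup.phone_on_file)
    return ("HOLD", "bank details differ from master record: call " + sup.phone_on_file + " to confirm")


def record_verified_change(sup: Supplier, sort_code: str, account_number: str) -> None:
    """Record a change only after staff have called the number on file and confirmed it."""
    sup.verified_changes.add((digits(sort_code), digits(account_number)))


def build_master() -> dict:
    # Constructed supplier record; 01632 960000 is a reserved (fictional) UK number
    sup = Supplier("Acme Playgrounds Ltd", "12-34-56", "12345678", "01632 960000")
    return {sup.name: sup}


def run_demo() -> list:
    """Run three constructed invoices through the check and return the decisions."""
    master = build_master()
    invoices = [
        Invoice("Acme Playgrounds Ltd", 19000.0, "12 34 56", "12345678"),  # unchanged
        Invoice("Acme Playgrounds Ltd", 19000.0, "99-99-99", "00000001"),  # changed, unverified
        Invoice("Unknown Trading Co", 450.0, "11-11-11", "22222222"),       # not on file
    ]
    return [check_invoice(inv, master) for inv in invoices]


if __name__ == "__main__":
    for decision, reason in run_demo():
        print(decision, "-", reason)
```

The point of `digits()` is that a fraudster need only reformat the sort code to slip past a naive string comparison; normalising first means the comparison is on the account itself. Note that the verified-change set is only ever populated by `record_verified_change`, which staff call after the phone check, so an email saying "our bank details have changed" can never by itself make an invoice payable.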
Getting an email from the CEO or a senior member of the team requesting an ‘urgent payment’ is an extremely common occurrence in schools. Mostly these are spotted because the language used in the email doesn’t match that of the person it is supposed to have come from. Again, fraudsters are getting more sophisticated. Instead of creating an email address similar to their target’s, they now hack the school’s own email accounts and watch the conversations there, learning the language used so that their fraudulent transfer request appears more genuine.
We might say ‘this wouldn’t happen to us’ but nearly a quarter of all fraud losses happen this way.
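As an added example (not from the article or from Education Banking), here is a small triage check a finance inbox could run over incoming ‘urgent payment’ emails. It catches the older lookalike-sender pattern (a senior leader’s display name on an address that is not theirs, or a Reply-To diverting replies elsewhere) and, because the article notes that fraudsters now send from genuinely hacked accounts, it also places any payment request on hold for phone verification regardless of who appears to have sent it. The staff directory and the two messages are constructed sample values.

```python
"""
Added example (not from the article): header and content triage for
'urgent payment' emails. Directory and messages are constructed samples.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed senior-staff directory: lower-case display name -> genuine address
SENIOR_STAFF = {"jane smith": "j.smith@example-school.sch.uk"}

URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "don't call", "in a meeting")
PAYMENT_WORDS = ("transfer", "payment", "bacs", "bank details")


def _addr(msg, header: str) -> tuple:
    """Return (display name, address), both lower-cased, for a header that may be absent."""
    name, addr = parseaddr(str(msg.get(header, "")))
    return name.strip().lower(), addr.strip().lower()


def assess_message(raw: bytes) -> dict:
    """Return {'flags': [...], 'action': 'HOLD' | 'OK'} for one raw email message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = _addr(msg, "From")
    _, reply_addr = _addr(msg, "Reply-To")
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()

    flags = []
    # Lookalike sender: a senior leader's name on an address that is not theirs
    if from_name in SENIOR_STAFF and from_addr != SENIOR_STAFF[from_name]:
        flags.append("display name matches a senior leader but the address does not")
    # Replies silently diverted to a different mailbox
    if reply_addr and reply_addr != from_addr:
        flags.append("Reply-To differs from From")

    is_payment = any(w in text for w in PAYMENT_WORDS)
    is_urgent = any(w in text for w in URGENCY_WORDS)
    if is_payment:
        # A hacked genuine account passes every header check, so the real
        # control is procedural: confirm the request by phone on a known number.
        note = "payment request: confirm by phone on a known number before acting"
        if is_urgent:
            note += " (urgency pressure present)"
        flags.append(note)

    return {"flags": flags, "action": "HOLD" if flags else "OK"}


# Constructed sample: lookalike external address, urgent transfer, discourages a call
SAMPLE_LOOKALIKE = b"""From: Jane Smith <jane.smith@webmail-example.com>
Reply-To: Jane Smith <jane.smith@webmail-example.com>
To: finance@example-school.sch.uk
Subject: Urgent payment
Content-Type: text/plain; charset=utf-8

Hi, I need an urgent transfer to a new supplier today. I am in a meeting, so don't call.
"""

# Constructed sample: genuine address, ordinary request, nothing to hold
SAMPLE_GENUINE = b"""From: Jane Smith <j.smith@example-school.sch.uk>
To: finance@example-school.sch.uk
Subject: Governors meeting
Content-Type: text/plain; charset=utf-8

Can you send me last term's budget summary before Thursday?
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LOOKALIKE, SAMPLE_GENUINE):
        print(assess_message(sample))
```

The header checks are cheap and worth having, but the last flag is the one that matters: a request for money is held for a phone call on a number already known to the school, whether or not the sender address is the real one.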
A more recent development of this type of fraud is a social engineering method known as “deepfake voice fraud”. This is a fraudster using quite new technology to imitate the voice of a senior leader such as the CEO. It has already seen a large PLC lose around £250,000 through staff being convinced they were talking to their real CEO. It is only a matter of time before this type of fraud becomes more mainstream.
Vishing is common but becoming more sophisticated, with fraudsters using easily sourced information on their victim and their role to convince the victim that they are being called by a bank official or a person in authority, with the sole purpose of manipulating them into giving the fraudster access to computer systems or transferring money to a fraudster’s account. Fraudsters are now using ‘spoofing’ techniques to show a legitimate, known telephone number on caller ID systems to add credibility to their story.
Phishing - Think before you click!
So how do fraudsters get access to the IT system to enable them to hack an email account?
Around 90% of successful fraud attacks start with an individual in your school clicking on a link in an email or web page that then installs malware.
Think about who, in your school, has access to external email. With nearly everyone in schools having access, all staff need to be trained on the risks. Many organisations now ‘test’ their staff on a regular basis by sending emails from an external unknown account that encourage staff to click on links. This can be a good way of checking risks and identifying staff that may need refresher training.
Of course, when criminals are successful in stealing funds through fraud, they need a bank account to transfer it to. Banks continue to make it more difficult for criminals to set up accounts, so they need to gain access to existing ones. To do this they recruit ‘Money Mules’ and, more often than not, they will be targeting children (as young as Key Stage 3) with social media adverts promising ‘easy money working from home’ and ‘get rich quick’ schemes. They offer them a small percentage of the funds if they let them be transferred through their account.
Children are often blinkered and only see that they might make some easy money. The reality is that they become a Money Mule. A criminal. Money Mules risk prosecution, a prison term and a criminal record making a future career difficult.
Practical steps to protect your school
· Raise awareness of fraud and have clear procedures for supplier bank amendments
· Conduct regular fraud training and testing
· Never assume a caller or emailer is your bank, supplier or a senior executive (regardless of how much they know!)
· Remind staff – your bank will NEVER ask for a full password or 2-factor authentication codes
· Use 2-factor authentication for important logons (e.g. email)
· Prevent malware: apply all security patches, do not use removable media such as USB sticks, and keep anti-virus software and firewalls up to date
· Consider awareness lessons for students on fraud, identity theft and Money Mules
I’d like to think we are great at screening physical visitors to our schools, usually requiring signing in, ID and the wearing of a pass before being let through a locked access door. We need to apply at least the same vigilance on our digital visitors.
If you would like training available to all your staff at no cost, please register for our Free Webinar Training Sessions - https://www.educationbanking.co.uk/banking-fraud-schools