Beware of fraudsters
Procedures for dealing with apparent suppliers must always be robust as new forms of fraud continue to provide ingenious tests for schools’ protection. Ian Buss reports
There is no such thing as being too careful when it comes to avoiding fraud in the education sector. Don’t worry, it’s not just you that’s being targeted; you’re in good company. All schools are considered easy prey for fraudsters and I suspect you will have already seen attempts at banking fraud at your school – and hopefully you won’t have lost any funds. Despite most of us seeing – and stopping – some kind of fraud attempt, fraud losses incurred by the education sector continue to increase significantly. Across the UK as a whole, the Office for National Statistics estimates there to have been around 3.5 million fraud offences in the year to March 2023.
Despite it being common knowledge that the risk of fraud is high in the independent sector, nearly all schools I’ve spoken to have yet to put all their staff through fraud training. It’s not just the finance team that needs awareness training: everyone with external email access should receive it.
As fraudsters get more sophisticated and organised, we all need to be aware of the risks to the data and the funds our schools control.
The majority of fraud losses in the education sector are in the form of invoice fraud.
We’ve probably all seen fake invoices sent in the post or by email and most of us have systems in place to recognise that these are not expected, making these attempts less successful than they were a few years ago.
These days, fraudsters have notched invoice fraud up a level. They are hacking email accounts (which could be either your account or one of your supplier’s accounts). Once the account is hacked, the fraudster waits patiently for the supplier to send you an (expected) invoice. At this point they step in and intercept the email, changing the invoice bank account details. While your school may have systems in place to control the change of a supplier’s bank account, these types of fraud still happen, and the losses can be huge.
There was a well-publicised case in summer 2019 of a primary school on the south coast losing £19,000 of funds raised by parents to improve playground facilities. The school was expecting the invoice, but fraudsters had hacked an email account and changed the account details. The money has long since been transferred abroad.
The school had a system in place to identify changed bank accounts for suppliers, but this invoice was from a new supplier and the bank details weren’t set up on the school’s system prior to receipt of the invoice.
When I become a ‘supplier’ to schools, the vast majority of schools will email me a new supplier form. Worryingly, only one school called me after I’d completed it to check the emails hadn’t been hacked and my details altered.
Fraudsters are aware that schools usually call to check any banking details that have been updated, and have started to pre-empt this. I’ve seen losses where a fraudster has emailed the school from the supplier’s hacked email account with a change of telephone number. After a week or two, the fraudsters can send a doctored invoice knowing that the phone call to check the banking details will be made to the new number they supplied just a few weeks earlier.
Chief executive fraud
Getting an email purporting to be from the chief executive (or head) requesting an urgent payment is an extremely common and frequent occurrence in schools. Mostly these are spotted because the language used in the email doesn’t match that of the person it is supposed to have been sent by. Again, fraudsters are getting more sophisticated. Instead of creating an email address that looks similar to their target’s, they are now hacking the email accounts of the school and watching email conversations happen. This gives them the opportunity to learn the language used, so that their fraudulent request for a transfer appears more genuine.
We might think that this wouldn’t happen to us, but up to a quarter of all fraud losses in business happen this way.
A more recent development of this type of fraud is a social engineering method known as ‘deepfake voice fraud’. This is when a fraudster uses technology to imitate and fake the voice of a senior leader such as the head. This has already seen a large PLC lose around £250,000 through staff being convinced they were talking to their real chief executive. It’s only a matter of time before this type of fraud becomes more mainstream.
Vishing is a type of cyber attack that uses voice and telephony technologies to trick targeted individuals into revealing sensitive data to unauthorised entities. It is common but is becoming more sophisticated: fraudsters use easily sourced information about their victim and their role to convince the victim that they are being called by a bank official or a person in authority. The sole purpose is to manipulate the victim into giving the fraudster access to computer systems or into transferring money to a fraudster’s account.
Fraudsters are now using spoofing techniques to show a legitimate and known telephone number on caller ID systems to add credibility to their story.
Phishing occurs when criminals use scam emails, text messages or phone calls to trick their victims. So how do fraudsters get access to the IT system to enable them to hack an email account? Around 90% of successful fraud attacks start with an individual in your school clicking on a link in an email or web page that then installs malware.
Consider which personnel in your school have access to external emails. With nearly everyone in schools having access, all staff need to be trained on the risks. Many organisations test their staff on a regular basis by sending emails from an external unknown account that encourage them to click on links. This can be a good way of checking risks and identifying staff who may need refresher training.
Of course, when criminals are successful in stealing funds through fraud, they need a bank account to transfer it to. Banks continue to make it more difficult for criminals to set up accounts, so they need to gain access to existing ones. To do this they recruit ‘money mules’ and, more often than not, target children, often as young as 13 or 14, with social media adverts promising “easy money working from home” and “get rich quick” schemes. They offer them a small percentage of the cash if they let funds be transferred through their account.
The duped children think they might make some easy money. The reality is that they become a money mule – a criminal. Money mules risk prosecution, a prison term and a criminal record, making a future career difficult.
Practical steps to protect your school
- Raise awareness of fraud and have clear procedures for supplier bank, telephone and email amendments (including registering new suppliers).
- Conduct regular fraud training and testing.
- Never assume a caller/emailer is your bank, supplier or a senior leader, regardless of how much they know.
- Remind staff – your bank will never ask for a full password or two-factor authentication codes.
- Use two-factor authentication for important logons (for example, email).
- Prevent malware – apply all security patches to software and don’t use removable media, for example USB sticks. Keep anti-virus software and firewalls up to date.
- Consider awareness lessons for pupils on fraud, identity theft and money mules.
Most schools are effective at screening physical visitors, usually requiring signing in, ID and the wearing of a pass before being let through a locked access door. We need to apply at least the same vigilance to our digital visitors.
Ian Buss is director of Education Banking Consultancy.