UK private-school fee payments from parents have become one of the top targets for cyber-criminals, especially with invoices for next term being issued over the current weeks.
Cyber|Decider is warning that schools generally, and private school fee payments particularly, are currently popular with cyber-criminals because of the combination of large payment amounts (generally £4,000-£10,000 per term) and the poor cybersecurity at many schools.
The scam typically begins with parents receiving an email giving them payment details for the school fees, perhaps saying these have changed. The email comes from hackers who have surreptitiously gained access to the school’s email, usually through an undiscovered phishing attack, in order to divert the payments into their own accounts. They can also set up automatic mailbox rules so that responses from parents requesting confirmation of authenticity are diverted to the hackers, and the school never sees them.
The hacker’s bank account is then emptied early in the next term, netting the criminals sometimes tens and often hundreds of thousands of pounds from a single school. Taken individually, the amount stolen in each attack is not high enough to warrant a full police investigation, so most fraudsters disappear without a trace and elude prosecution.
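The mailbox-rule trick described above leaves an auditable trace: a rule that redirects or deletes mail about fees, or hides it in a folder nobody reads. The following is an added example, not code from the article or from Cyber|Decider, that audits a constructed JSON export of mailbox rules for that pattern; the export format, the domain `example-school.sch.uk` and the sample rules are assumptions, so adapt the field names to whatever your mail platform actually exports.

```python
import json

# Assumed organisation domain: forwarding outside it is the red flag.
ORG_DOMAIN = "example-school.sch.uk"
FINANCE_KEYWORDS = {"fee", "fees", "invoice", "payment", "bank", "account"}
# Folders attackers commonly use to park mail the owner will not look at.
HIDING_FOLDERS = {"deleted items", "rss feeds", "junk email", "archive"}


def assess_rule(rule):
    """Return a list of findings for one exported rule; empty means benign."""
    findings = []
    for addr in rule.get("forward_to", []) + rule.get("redirect_to", []):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain != ORG_DOMAIN:
            findings.append(f"forwards/redirects to external address {addr}")
    if rule.get("delete_message"):
        findings.append("deletes matching mail")
    folder = (rule.get("move_to_folder") or "").lower()
    if folder in HIDING_FOLDERS:
        findings.append(f"moves matching mail to '{rule['move_to_folder']}'")
    # A finance keyword only matters if the rule also hides or exfiltrates mail.
    words = rule.get("subject_contains", []) + rule.get("body_contains", [])
    if findings and {w.lower() for w in words} & FINANCE_KEYWORDS:
        findings.append("targets finance-related mail")
    return findings


def audit(export_json):
    """Map rule name -> findings for every suspicious rule in the export."""
    report = {}
    for rule in json.loads(export_json):
        findings = assess_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report


# Constructed sample export: one benign rule, one internal copy, one diversion rule.
SAMPLE_EXPORT = json.dumps([
    {"name": "Newsletters", "subject_contains": ["newsletter"],
     "move_to_folder": "Newsletters"},
    {"name": "Copy to bursar", "forward_to": ["bursar@example-school.sch.uk"]},
    {"name": "Fee queries", "subject_contains": ["fee", "payment"],
     "redirect_to": ["bursar.payments@mail-example.test"],
     "delete_message": True, "move_to_folder": "RSS Feeds"},
])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_EXPORT).items():
        print(name, "->", "; ".join(findings))
```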
“In 2017 we saw schools generally become a big target for cyber-criminals,” said Neil Hare-Brown, CEO at Cyber|Decider. “Their security is often poor, and their fees administration largely undertaken out of their electronic mailbox which is often hosted online, making it easy to hijack.”
He added, “In addition, the parents with whom they communicate generally use webmail, and often from insecure systems. Families and schools are sharing lots of information about payments for fees, trips and everything else, so these mailboxes hold lots of important personal data such as bank and credit card details, passport images, medical and family information. Many schools have moved their email systems online and use payment gateways, but often they use systems that are insecure.”
Also, school staff and parents are easily deceived, and scams operated over the holiday period when schools are closed mean the alert won’t be raised quickly. This gives the criminals time to transfer funds with little chance of them being recovered.
Clearly, when receiving payment requests from schools or anyone else by email, especially one changing the previous arrangements, parents should be very wary. They should telephone the school on its normal number and double-check verbally with the school before making the payment.
Schools meanwhile should implement thorough and regular cybersecurity training for all staff, and avoid using generic mailbox accounts. They should also use a payment gateway for payments and a secure communications portal for all correspondence with parents, including school fees. Also, two-step authentication should be implemented on all online systems in use by the school.