Parents with children in private schools have become the latest target of cybercriminals hoping to divert school fee payments of thousands of pounds into their own accounts.
This recent article in The Telegraph by Amelia Murray explains how this issue has become a growing, but under-reported issue.
Always check the payment details
Once parents have secured a place at a fee charging school they will receive termly invoices detailing the fees due for the forthcoming term, along with any extras due from the previous term.
Usually, along with the invoice there will be details of the school’s bank account enclosed which should be the one used previously.
Unfortunately, however, cyber-criminals have been able to obtain email details of parents and have sent them fake invoices with what purported to be ‘new’ school bank account details.
High fees, often between £4,000 and £10,000 a term, and poor online security make schools attractive to fraudsters.
It’s also what looks like one of those ‘victim less crimes’, leaving the Police with nothing to follow-up.
Few schools immune to attack
Neil Hare-Brown, of Cyber|Decider, a cyber risk specialists, said he had investigated incidents at six private schools in the last two-and-a-half months which have made claims on their insurance following cyber attacks.
He said he believes this is “just the tip of the iceberg” and warned that many schools may have had their mailboxes compromised without realising.
The Information Commissioner’s Office confirmed it was aware of at least one case where a private school’s system had been attacked.
In many instances, the school’s computer systems were either out of date or did not have the latest software or security updates.
Poor security routines
Sometimes, however, documents that should have been secure may have been left in folders within their system, folders that any hacker could access quite easily.
Then, it would simply be a matter of emailing those parents on those school lists, and requesting they amend payment details and the funds would begin to roll in.
The procedure is similar to that used to divert funds away from legitimate Solicitor’s bank accounts when making a house purchase.
Personal details of parents, staff and children, can also be sold on to other criminals to be used in identity fraud scams.
Parents who receive an email requesting payment into an alternative account should call the school direct to confirm the correct details, rather than respond to an email.
Check & verify
It’s best to also obtain the telephone number from an alternative source, such as previous correspondence they might have received, rather than relying upon the latest paperwork in case that has been falsified.
A small sum, such as £1, could be initially paid before telephoning for confirmation to ensure it has gone into the right account.
If you’ve believe you’ve paid money to a fraudster ring your bank straight away.
Then ask them to contact the recipient bank to freeze and claw back the funds and then contact Action Fraud, the UK’s cybercrime reporting service.
Mr Hare-Brown said schools had become a “big target” this year as criminals have caught wind of the huge amount of personal information they hold with relatively lax security measures in place.
Have you been affected?
Have you been scammed by a fake email or invoice requesting you direct payments to a new account?
If so, were you able to have any or all of your payments returned?