Email scams and billing fraud target Australian schools

12 Feb 2020 Hugh Easton

Invoice Fraud

Fraudsters who use social engineering and scam emails for financial gain find schools a softer target than corporations. The scams are often well researched: a common one impersonates a supplier with whom the school already has a business arrangement or contract. The fraudsters know that schools are less likely to have a dedicated IT department managing their cyber security. The NTT Security 2018 Global Threat Intelligence Report identified the education sector as the most attacked industry in Australia for cybercrime and fraud.

A typical scam starts with information taken from a compromised system, often a supplier's or the school's own email account. An impostor posing as the supplier then advises that its banking details have changed, and the notice is dressed up with copied letterhead and branding to convince you, the recipient, that it really comes from your supplier. The new account belongs to the fraudster. Because the message may come from the supplier's genuine mailbox after it has been compromised, a correct sender address on its own proves nothing.

Australian Bureau of Statistics (ABS) data show that almost 80% of Australian children aged 5-14 use the internet, and slightly more (85%) access it at school. With connectivity increasing every year, the cyber-security exposure of schools grows with it.

The impact of malicious attacks and fraud can be significant. For schools, the financial loss is often less harmful than the reputational damage that follows a breach of personal and confidential information about staff and students, and there are safety and privacy consequences for the individuals concerned. Business disruption may be serious enough that a school has to close for a period while it recovers access to its systems and assesses the damage. Students lose lesson time and access to online learning tools.

Getting smarter about fraud in 3 steps

Be vigilant. Scrutinise every request to make a payment to a new bank account number. Confirm any change of address or account details by speaking to your supplier directly, using the phone number you already hold on file rather than one given in the request, and never trust what is only in writing. A 2019 McKinsey & Company report on financial crime and fraud described three measures that apply to every financial-crime risk:

  1. Identify and authenticate what has been presented: look closely at who an email is really from and what it is asking for
  2. Monitor and detect unusual or suspicious activity, and confirm the legitimacy of the sender through a channel you already trust
  3. Respond to risks and issues carefully, which includes NOT responding to the request itself

Multi-factor authentication (MFA) on accounts, and especially on those with administrative-level access, is a line of defence against unauthorised access to sensitive information. It makes it harder for an attacker who has obtained a username and password, whether by phishing or because the password was reused or never changed, to get into the network with those credentials alone.

Multi-factor authentication is one of the most effective single controls against account compromise and, used properly, can stop an attacker holding stolen credentials from causing havoc in an organisation's systems. It requires more than one kind of credential to verify the user's identity: after the username and password, a further step is needed before access is granted, commonly a code (or PIN) generated on or sent to a smartphone, a fingerprint or facial recognition. Security questions are sometimes offered as that extra step, but they are just another thing the user knows, often guessable or researchable, so they are a weak substitute for a genuine second factor. Email accounts deserve MFA first: the invoice scams described in this article begin with a compromised mailbox.

Control who can access data, tools and applications in your organisation. Not everyone needs access to the financial and administrative areas of the business. It is also extremely useful if sensitive processes, such as changing a supplier's bank details or releasing a payment, cannot be completed by a single person. Monitor network activity and data, and have a data loss prevention policy in place that all employees understand and that is enforced.
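The three steps above and the rule that no single person can complete a payment change can be written down as a control that accounts-payable software enforces rather than relies on people to remember. The following is an added example, not code from the article, from CCI or from any school named here. Everything in it is hypothetical: the supplier master record, the staff identifiers, the phone numbers (from the range reserved for fictional use), the BSB and account values, and the `.example` domain names are all constructed. The control refuses to update payment details unless the verification call went to the number already on file, never one quoted in the email, and a second, different person approved the change; a sender-domain mismatch is reported but does not decide anything, because a genuine mailbox can be compromised.

```python
"""Supplier bank-detail change control (added example; not the article's own code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Supplier:
    name: str
    email_domain: str   # recorded at onboarding
    phone_on_file: str  # recorded at onboarding; every callback goes here
    bsb: str
    account: str


@dataclass
class ChangeRequest:
    supplier: str
    sender_email: str
    new_bsb: str
    new_account: str
    callback_number: Optional[str] = None  # number the verifier actually dialled
    verified_by: Optional[str] = None      # staff member who made the call
    approved_by: Optional[str] = None      # second staff member who signed off


BSB = re.compile(r"\d{3}-?\d{3}")  # Australian BSB: six digits, often written 123-456


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def evaluate(req: ChangeRequest, master: Dict[str, Supplier]) -> Tuple[bool, List[str]]:
    """Return (allowed, findings). Any finding beginning with BLOCK refuses the change."""
    findings: List[str] = []
    sup = master.get(req.supplier)
    if sup is None:
        return False, ["BLOCK: supplier not in master; onboard it through the normal process first"]
    if not BSB.fullmatch(req.new_bsb.strip()) or not req.new_account.strip().isdigit():
        findings.append("BLOCK: new BSB/account is not in a valid format")
    if (req.new_bsb, req.new_account) == (sup.bsb, sup.account):
        findings.append("INFO: details unchanged; nothing to update")
    # The sender domain proves nothing either way: a real mailbox can be compromised
    # and a lookalike domain can be registered. Report it, do not rely on it.
    sender_domain = _domain(req.sender_email)
    if sender_domain != sup.email_domain:
        findings.append(f"WARN: sender domain {sender_domain} differs from {sup.email_domain} on file")
    # 1. Verification must be a call placed to the number already on file.
    if req.verified_by is None or req.callback_number is None:
        findings.append("BLOCK: no callback verification recorded")
    elif req.callback_number != sup.phone_on_file:
        findings.append(f"BLOCK: callback went to {req.callback_number}, not the number on file")
    # 2. Four eyes: the approver must be a different person from the verifier.
    if req.approved_by is None:
        findings.append("BLOCK: no second approver")
    elif req.approved_by == req.verified_by:
        findings.append("BLOCK: approver and verifier are the same person")
    allowed = not any(f.startswith("BLOCK") for f in findings)
    return allowed, findings


# Constructed sample supplier record (hypothetical values throughout).
MASTER = {
    "Example Landscaping": Supplier("Example Landscaping", "example-landscaping.example",
                                    "03 5550 0100", "000-000", "12345678"),
}


def demo() -> Tuple[Tuple[bool, List[str]], Tuple[bool, List[str]]]:
    # As a fraudster sends it: lookalike domain, "confirmation" number supplied in the
    # same email, and one person both verifying and approving.
    fraud = ChangeRequest("Example Landscaping", "accounts@example-landscaping-au.example",
                          "000-001", "98765432", callback_number="03 5550 0999",
                          verified_by="j.smith", approved_by="j.smith")
    # Same request handled properly: the verifier rang the number on file (where the
    # supplier would confirm or deny the change) and a second person signed off.
    proper = ChangeRequest("Example Landscaping", "accounts@example-landscaping-au.example",
                           "000-001", "98765432", callback_number="03 5550 0100",
                           verified_by="j.smith", approved_by="a.nguyen")
    return evaluate(fraud, MASTER), evaluate(proper, MASTER)


if __name__ == "__main__":
    for allowed, findings in demo():
        print("allowed" if allowed else "refused", *findings, sep="\n  ")
```

The control deliberately stores the callback number with the supplier record and compares the number actually dialled against it; a fraudster who supplies a "confirmation" number in the same email, as in the case described later in this article, is caught by that comparison rather than by anyone's judgement on the day.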

Phishing is fraud attempted through emails designed to look as if they come from reputable companies. They lure the reader into clicking a link or opening an attachment: the link leads to a fake login or "verification" page that captures personal information such as passwords and credit card numbers, or the attachment installs malware that does the same. Phishing emails succeed because they look genuine and typically ask the recipient to verify their details to resolve some problem with a service or product. They may appear to come from a network provider or bank, for example. Learn more about phishing scams from the ACCC's Scamwatch.

Making sure staff understand phishing attacks and how they are used to harvest sensitive data is essential. The Australian Competition and Consumer Commission (ACCC) has warned consumers never to click on links or open attachments in emails claiming to be from a bank or another trusted organisation that ask you to update or verify your details. Delete them instead; if in doubt, contact the organisation through a number or address you already know.
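The tells described above, who a message is really from, where a reply would actually go, where a link actually leads and the urgency of the wording, can be checked mechanically. The following is an added example, not code from the article, the ACCC or Scamwatch. The two sample messages, the `.example` domain names, the `TRUSTED_DOMAINS` allow-list and the indicator names are all constructed for the demonstration; it is a triage aid for a mailbox or help desk, not a replacement for a mail gateway.

```python
"""Phishing indicator checks over a raw email (added example; not the article's code)."""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"examplebank.com.au", "school.example"}  # constructed allow-list
URGENCY = re.compile(r"\b(verify|suspend\w*|within 24 hours|immediately|urgent\w*)\b", re.I)
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].strip().lower() if "@" in addr else ""


def host_of(url):
    return (urlsplit(url.strip()).hostname or "").lower()


def is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def looks_alike(host):
    """A trusted brand label inside a host that is not trusted, e.g. examplebank-secure.example."""
    return bool(host) and not is_trusted(host) and any(t.split(".")[0] in host for t in TRUSTED_DOMAINS)


def body_text(msg):
    parts = [p for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html")]
    return "\n".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                     for p in parts)


def analyse(raw):
    """Return a list of (indicator, detail) pairs; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = domain_of(reply_addr)
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"from {from_dom}, replies go to {reply_dom}"))
    name_dom = domain_of(from_name)  # display name written to look like an address
    if name_dom and name_dom != from_dom:
        findings.append(("display-name-spoof", f"shows {from_name}, really {from_addr}"))
    for dom in (from_dom, reply_dom):
        if looks_alike(dom):
            findings.append(("lookalike-address", dom))
    body = body_text(msg)
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = host_of(href)
        shown = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown and shown != target:
            findings.append(("link-text-mismatch", f"shows {shown}, goes to {target}"))
        if IPV4.fullmatch(target):
            findings.append(("raw-ip-link", target))
        if looks_alike(target):
            findings.append(("lookalike-link", target))
    hit = URGENCY.search(msg.get("Subject", "") + "\n" + body)
    if hit:
        findings.append(("urgency-language", hit.group(0)))
    return findings


# Constructed sample messages; every address and domain here is fictional.
SAMPLE_PHISH = """\
From: "service@examplebank.com.au" <alerts@mailer-7781.example>
Reply-To: verify-desk@examplebank-secure.example
To: accounts@school.example
Subject: Action required: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended. Please
<a href="http://examplebank-secure.example/login">https://www.examplebank.com.au/verify</a>
immediately.</p>
"""

SAMPLE_OK = """\
From: accounts@school.example
To: staff@school.example
Subject: Term invoice schedule
Content-Type: text/plain; charset=utf-8

The invoice run is on Friday. Portal: https://portal.school.example/invoices
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("ok", SAMPLE_OK)):
        print(name, analyse(raw) or "no indicators")
```

The link check compares the host a reader sees with the host the browser would visit, which is the single most useful thing to show staff during training: the genuine bank's address can appear in the visible text while the `href` points somewhere else entirely. The trusted-domain list should be the handful of domains the school actually deals with, so that a lookalike such as a brand name embedded in an unrelated domain stands out.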

The ACCC's Little Black Book of Scams outlines the top 10 scams to avoid and gives advice on how to be better protected. Organisations can sign up on the Scamwatch website for free email alerts on new scams.

Fraud attempts are real and persistent, and administrators need to remain vigilant when dealing with incoming emails and managing accounts and payments. Phillip Mustey is the Business Manager of St Peter's College in Melbourne and has first-hand experience of fraud attempts at his school.

“I noticed these fraud attempts when they started in late 2018. Invoice scams came into focus for us.”

“Fraudsters sent an email to our office last year to advise us of a change of bank account details. We could smell a rat. Our accounts payable people always know to check this kind of thing out. We always ring a supplier if there is any change of account details. It’s critical to contact the supplier directly to confirm anything such as this that has come via an email. In this instance, the fraudsters called our school to check we had the new account details, but we were vigilant.”

“On one occasion we had a large landscaping job. It was a $2 million project. Someone hacked into the landscape company’s email account and sent correspondence requesting us to forward funds to a new account. This waved a red flag. In this case it really looked like the email was generated by the supplier. We told the supplier to contact the police and have their IT manager look into their email account.”

He believes that fraudsters look for major construction projects that schools are undertaking.

They must look at tenders to find out what is going on at a school before they target it. Schools need capable, astute accounts-payable staff who know that any change of bank account details must be checked by contacting the supplier directly.

Having the best IT security you can afford will also help to protect a school’s data.

“We have a sophisticated firewall in relation to combating a virus, for example. A strong firewall will make it harder for systems to be compromised. Some scam emails contain links and may get through so it’s important that staff don’t click on links. Staff should check these emails out with their IT people.”

St Peter's College has 220 staff and makes educating them about password protection a priority.

“Managing passwords is something that can’t be taken for granted. Data needs protecting and the firewall and our general cyber security helps us to be vigilant. The information we hold is incredibly confidential. I encourage all schools to review their security every year and to have the best cyber security they can afford even though it is really expensive and some smaller schools may find it more difficult to afford.”

Schools need to remember this: don't accept anything that is only in writing, and don't become complacent. Fraudsters can get into a supplier's system and send email from its genuine account. These attempts are happening more often, and the methods are very clever.

Fake Australia Post messages are among the most blatant examples of scams that trick people into providing personal information. In the lead-up to Christmas 2019, fraudulent delivery messages were sent to Australia Post customers requesting information that included financial details. Such messages usually carry a sense of urgency and urge swift action. They relate to delivery of goods or to warnings such as weather alerts or health warnings, and may carry links to malware or to pages that harvest credentials. High-profile scams like these have proved hard to spot, and scammers continue to prey on the human sense of fear and concern over loss.

Australia Post is one of many large organisations to have advised the public they will never text or email customers with requests for personal information or for payments.


Hugh Easton

As Regional Manager for the North and East, and Education Segment Lead, Hugh develops solutions that meet client needs. Serving the insurance industry for 30 years, he delivers solutions for complex risk issues, in collaboration with colleagues, partners and clients. Hugh’s prescient insights stem from his experience working in general insurance at home and in the UK market.
