
Independent schools (and parents) beware of invoice fraud

We are seeing an increasing number of clients fall victim to invoice fraud. Commonly, this is where a cyber criminal is able to send invoices that look genuine in the hope that they get paid into the criminal’s bank account. Quite a few people have paid what they thought were genuine bills from suppliers only to find they were fake.

Insurance company CFC gives a good example of where it was not the school that was stung but the parents. The bursar of this fee-paying boarding school received a believable email from what they thought was Microsoft asking them to log in, but it was in fact a criminal phishing for details. The bursar obediently entered the login details so he could get on with his work, at which point the criminals had unrestricted access to the bursar’s computer system.

The criminal used their newfound knowledge to send emails to parents offering discounted fees to those who paid early. The criminal cleverly restricted his emails to foreign parents who might be less questioning and who, as parents of boarders, would be paying bigger fees. The deadline also encouraged a quick response and created a sense of urgency that instinctively removes suspicion. As the criminal had access to all the bursar’s previous documents and emails, the fraudulent email could be designed to look just like all the others. To avoid being spotted by the school, the criminal also set up a separate email account, which looked almost identical to the bursar’s, and sent his emails out from there.

Unfortunately, six parents were tempted by the discount and paid the criminal. Thankfully, another parent emailed the school admin office to discuss the offer, and the alarm was then raised. Two of the conned parents were able to recover their money but the other four could not.

As the school had been responsible for the breach and had therefore enabled the crime, it refunded the losses. It goes without saying that boarding fees for four pupils are not insignificant.

There are lots of lessons to learn here, including:

  • Use multi-factor authentication so one password alone is not sufficient to gain access to your systems.
  • Beware of phishing emails.
  • Question and check invoices for authenticity, and beware of special offers and time deadlines.
  • Purchase cyber crime insurance that covers invoice fraud, in particular not just payments you might make but also payments your customers are tricked into making.

If you would like assistance or advice on cyber security or cyber crime insurance, please contact the Sutcliffe & Co team on 01905 21681 or send us a note.