Thursday, July 02, 2015

Phishing: should you be worried about cyber fraud?

1.    What exactly is ‘phishing’?

The textbook definition is: “the illegal attempt to acquire sensitive information such as usernames, passwords and account details, often for malicious reasons, by masquerading as a trustworthy entity in electronic communication”.

2.    What are the worst cases of online fraud/phishing that you’ve heard of?

Victims of phishing may be shy. But we do know that schools can fall victim to online scams. St Aldhelm's Academy in Poole was contacted by fraudsters pretending to be bank employees and asking about the school's bank account. Staff provided the requested details and the criminals withdrew over £1 million. The academy subsequently suffered the ignominy of national press coverage and a financial notice to improve from its funder and regulator, the Education Funding Agency.

3.    What advice would you offer schools wanting to avoid falling victim to online fraud?

Complacency is the greatest threat. Many of us will have had a poorly spelt and badly worded email from a United Nations official or the widow of a recently deposed dictator.  These missives asking for help in transferring funds are often safely redirected straight to our junk filters. However, we must not assume all phishing emails are so blatant. Increasingly, scammers are raising their game and making their emails more professional and hence believable.

4.    What are the most common online scams?

Attempts, both online and offline, to redirect payments from legitimate suppliers to fraudsters appear to be the most common scam in the education sector. There have been increasing reports in recent years of both successful and failed attempts to defraud schools and colleges as well as other not-for-profits.

While technology allows fraudsters to go phishing on an industrial scale, some of the most effective scams have been offline, exploiting our innate trust in paper. There have been several recent cases where BACS electronic payments have been made directly into fraudsters’ bank accounts after correspondence on convincing letterheads asked for the bank details of suppliers to be changed. In 2010 Oldham Sixth Form College transferred £730,000 after receiving such a letter.

Sometimes the fraudsters supplement their paper letters with fake websites as part of the scam.

5.    How can schools tighten up their online security?

While schools should have robust cybersecurity, common sense and caution are essential too. Never give information to your bank which your bank should already know. If in doubt, speak to your bank manager. Always verify verbally any paper or electronic request to change supplier bank details with known contacts. Above all, take care!