Phishing: should you be worried of cyber fraud?

1.    What exactly is ‘phishing’?

The text book definition is: “the illegal attempt to acquire sensitive information such as usernames, passwords and account details often for malicious reasons by masquerading as a trustworthy entity in electronic communication”.

2.    What are the worst cases of online fraud/phishing that you’ve heard of?

Victims of phishing may be shy. But we do know that schools can fall victim to online scams.  St Aldhelm's Academy in Poole was contacted by fraudsters pretending to be bank employees and asking about the school's bank account. Staff provided the requested details and the criminals withdrew over £1million. The academy subsequently suffered the ignominy of national press coverage and a financial notice to improve from its funder and regulator, the Education Funding Agency.

3.    What advice would you offer schools wanting to avoid falling victim to online fraud?

Complacency is the greatest threat. Many of us will have had a poorly spelt and badly worded email from a United Nations official or the widow of a recently deposed dictator.  These missives asking for help in transferring funds are often safely redirected straight to our junk filters. However, we must not assume all phishing emails are so blatant. Increasingly, scammers are raising their game and making their emails more professional and hence believable.

4.    What are the most common online scams?

Attempts – both online and offline - to redirect payments from legitimate suppliers to fraudsters appear to be the most common scam in the education sector. There have been increasing reports in recent years of both successful and failed attempts to defraud schools and colleges as well as other not-for-profits.

While technology allows fraudsters to go phishing on an industrial scale, some of the most effective scams have been offline exploiting our innate trust in paper.  There have been several recent cases where BACs electronic payments have been made directly into fraudsters’ bank accounts after correspondence on convincing letterheads asked for the bank details of suppliers to be changed. In 2010 Oldham Sixth Form College transferred £730,000 after receiving such a letter.

Sometimes the fraudsters supplement their paper letters with fake websites as part of the scam.

5.    How can schools tighten up their online security?

While schools should have robust cybersecurity, common sense and caution are essential too. Never give information to your bank which your bank should already know. If in doubt, speak to your bank manager. Always verify verbally any paper or electronic request to change supplier bank details with known contacts. Above all, take care!

Fraud in Schools - what can be done?

In July news emerged of an investigation into an alleged fraud at a London academy after £4million of school funds disappeared. The case was kept under wraps for two years while parents were asked not to speak to reporters although hawk-eyed readers of the Department for Education’s annual accounts for 2012/13 might have noticed oblique references to an “irregularity” at the Haberdashers Aske’s academy trust. The case is believed to be largest school fraud in British education history.

While school managers might expect to notice and stop millions of pounds being siphoned off, schools are at risk from fraud perpetrated by those on the inside and the outside. Complacency - “it could never happen here” – worsens that vulnerability.

A perusal of Google news over a month or two will unearth cases of schools falling victim to managers signing off fake timesheets, finance assistants using cards to pay for holidays and heads appointing friends and family without due process. There are many more con artists outside trying to defraud schools – last year a solicitor was jailed for his part in tricking a sixth form college into paying over £730,000 intended for a genuine contractor into a bogus bank account.

While fraud risks cannot be eliminated, schools can mitigate them. A few simple steps can help:

1.       Get the tone from the top right

School leaders need to lead by example and emphasise probity. That means a fraud policy with zero tolerance of irregularity. There should be a register of interests for governors, senior managers and other staff with significant financial authority or influence. Similarly there should be a policy on gift and hospitality. Everyone should know about these policies – where to find them and what they require. 

2.       Assess risks and mitigate them

The identification, assessment and management of fraud risks should be covered by school risk registers – particularly in the risky area of purchasing.  There is plenty of free guidance available online including fraud risk self-assessments. The Chartered Institute of Public Finance and Accountancy recently published a Schools Fraud Health Check. Simple checks and balances with segregation of duties and independent review of transactions are effective in mitigating risks. This is more challenging for smaller schools, particularly primaries. However, there is normally a second pair of eyes, even if it is a governor, who can ensure that there is never too much reliance upon one member of staff.

3.       Look out for risk indicators

Both the Education Funding Agency and the Audit Commission have published advice on fraud risk indicators. The Commission’s list of behavioural warning signs included: reluctance to take holiday entitlement; poor work practices such as “bending rules”; a lifestyle not equal to income. There may be innocent reasons for strange behaviour but sometimes these can be indications of a staff member with something to hide. 

4.       Use data

While there are software packages to highlight strange patterns in financial data, a spreadsheet is sometimes enough to spot anomalies. A key check to perform is looking at the top dozen or so suppliers over the last year compared with previous years – does it make sense? There may be nothing untoward about using the same suppliers or contractors again and again. But, on the other hand, it may be a sign of an overly cosy or even inappropriate relationship with a supplier. (Aside from fraud risks, this simple review of spend patterns may identify value-for-money opportunities.)

5.       Welcome whistleblowing

Appropriate arrangements for confidential reporting are not only a legal must-have, whistleblowing is vital defence against fraud and other wrong-doing. Staff must know where to find the whistleblowing policy. The policy itself should link into the governance framework, including those elements perceived as most independent e.g. the audit committee, the internal and external auditors.

Are schools doomed to be scammed?

Before the National Fraud Authority ended up on the Coalition’s bonfire of quangos it did a lot of work on raising awareness of fraud. One of its major projects was estimating the total value of fraud in the economy – everything from “blue badge” parking abuse to multi-million VAT fraud. Before the NFA disappeared, it published Annual Fraud Indicators which estimated the loss to the economy of fraud to be £52billion (pdf available).

What has that number got to do with schools? In one month the press reported:

·         Arrests following concerns over the use of£162,000 at an academy following an Education Funding Agency report.

·         Finance staff giving away bank details in response to a phishing email with a subsequent loss of £1m

·         A school bursar being convicted of signing-off fake overtime claims with a loss of £18,000

·         A former head being found to have fallen below the standards expected of school leaders for his involvement in the recruitment of a family member which "breached the expected standards of transparency".

Much detected (and obviously undetected) fraud does not get into the papers. The 2012/13 Department for Education accounts mention a £2m “irregularity” at one academy chain – a Google suggests that the case never got into the press.

The NFA cautioned against its estimates being used for identifying trends. But is fraud getting worse? Quite possibly: while staff will generally be honest and public-spirited, after years of pay freezes and 1% rises, a minority may be demoralised and feel squeezed;  many organisations are struggling to cope with financial pressures so some managers may be tempted to bend rules; greater autonomy for schools creates opportunities but not all are positive.

Are schools doomed to be scammed? In fact, schools can protect themselves through simple steps. But the first step is to recognise that fraud is an issue.

 

 

Later this month I am talking at EdExec Live about how schools can protect themselves. Tickets are still available.

EFA asks academy principals and boards to think about fraud

Today the chief executive of the Education Funding Agency sent a letter to accounting officers (i.e. principals) at all academies in England. It reminded them of the requirements in relation to fraud, connected parties and special payments.

The letter included an annex setting out questions for principals and trustees to consider in order to minimise the risk of fraud or irregularity:

• Authority – Do you have a written scheme of delegation, approved by the trustees, so that individuals are clear about their levels of financial authority?
• Purchasing – Are you confident you are procuring all goods and services in an open, competitive and transparent way?
• Payroll – Do you have robust controls for payroll including checks that payments are for the right amounts and paid to bona fide employees?
• Oversight – Do you ensure that financial reports are produced that fairly reflect the activity at the trust, that they are properly reconciled at least monthly and are shared regularly with the trustees for formal review?
• Cash management – Are your bank accounts reconciled at least monthly?
• Assets – Is all of the trust’s property under proper control and measures in place to prevent loss or misuse?
• Segregation – Do you have appropriate separation of responsibility in your finance team? And are you providing proper management support to your finance staff to help them to operate in a role where they are well-placed to provide you with a “first line of defence” in terms of upholding propriety, regularity and value for money in the use of public funds?
• Records – Do you have robust procedures for recording, documenting, evidencing and monitoring information and especially the reasons for entering into major spending commitments?
• Scrutiny and audit – Do you have properly constituted arrangements for internal review (such as a responsible officer or internal auditor) to give you and trustees a further safeguard that the trust’s financial systems and controls are operating effectively and efficiently? Does the trust debate, and agree how to act upon, recommendations arising both from these internal reviews and from the work of its external auditors?
• Risk – Do you have an effective process for identifying and responding to the major risks that the trust faces?

These are all basic and sensible measures.

Next month I will be talking about fraud risk at the EdExec Live conference. I will be explaining what more academies can do to protect themselves from fraudsters both inside and outside their organisations.

EFA tweaks fraud reporting requirements for academies

In the New Year academies may not have noticed a subtle change in the Education Funding Agency’s requirements for fraud reporting.

The Academies Financial Handbook in para 3.9.2 still states:

All instances of fraud or theft committed against the trust, whether by employees or trustees or third parties, above £5,000 must be reported by the trust to the EFA. Any unusual or systematic fraud, regardless of value, must also be reported.

But in January the EFA decided to change the requirements for fraud as they affecting the 16-19 bursary fund and noted on its website:

We have reviewed the advice given to institutions on the threshold for reporting cases of significant fraud to the EFA. The threshold has now been reduced from £5000 to £1200 to reflect the amounts of funds that institutions typically pay to students. Institutions must now report any suspected 16 to 19 bursary frauds of £1200+ to the EFA.

All academies should have fraud policies (as well as whistleblowing policies and fraud response plans). They (and other 16-19 provider) need to make sure their next update of their fraud policies reflects this lower threshold.

Fraud in schools - some thoughts on the DfE's risk indicator checklist for academies

Allegations, fraud, corruption and bad behaviour have been in the news. A knighted Headteacher was convicted of false accounting and narrowly missed a custodial sentence for false accounting. A free school was being investigated after allegations of irregularities. Derby University was forced to strongly deny claims that it falsified official statistics on graduate employment.

Also this week Times Higher Education carried an article about a Transparency International report which warned financial pressures could impact on ethical standards. Global Corruption Report: Education noted:

The very structure and culture of colleges and universities, as well as the current constraints under which many…operate, can create conditions that facilitate fraud.

This makes it timely to look at the recently published guidance from the Department for Education (DfE ) on fraud. Last month the Education Funding Agency at the DfE issued Fraud Indicators: A checklist for academies (download here).

The Fraud Indicators checklist details “generic” indicators including “personal and organisational motives for fraud, possible weakness of internal controls, transactional indicators and possible methods of committing and concealing fraud”. The DfE suggest that the checklist “may be helpful for use as a checklist where concerns exists that fraudulent activity may be taking place”.

It would be easy to mock the section headed Personal Motives – many organisations would show a red flag on fraud indicators such as “personnel believe they receive inadequate compensation and/or rewards”, “disgruntled employee”, “recent failure associated with specific individual” and “personal animosity or professional jealousy”. Nevertheless these soap opera indicators do highlight that in the fraud triangle motivation and rationalisation sit with opportunity.

Under the heading of Organisational Motives, how many of us have known organisations “experiencing financial difficulty”, burdened by “under unusually tight time deadlines to achieve level of outputs” or having “suffered disappointment/reverses/consequences of bad decisions”.  Still the checklist is right to point to the problems which arise from an all-powerful head and governance which lacks clarity and direction. How many schools are dominated by Heads with Maxwell-sized egos.

Flippancy aside, this is all useful stuff. However, as with all self-assessments, they are treated most seriously by those who are least in need of reflection and criticism.

The checklist sets out what poor policies, procedures and practices look like. The document is fairly comprehensive. One area where the checklist says little is audit. It notes that critical audit reports and obfuscating auditees are fraud indicators. But what about where managers do not put in place robust internal audit arrangements and/or where governors let weak internal audit arrangements persist. The Principal’s PA or a governor without the time and skills to be an internal auditor is never enough.

Also it is worth noting that the checklist focuses on fraud risks internal to academies. There are plenty of external risks – and organisations tend to pay more attention to them (even if, not enough).

So what is my conclusion? If you are a manager, governor, internal or external auditor, spend some time working through the Fraud Indicators: A checklist for academies. If enough academies do treat fraud risks more seriously, academy assets and public funds will be better safeguarded as will the reputation of the sector.

The National Audit Office on risks in academies

Over the summer the National Audit Office published guidance to the external auditors of academies. The guidance, NAO Communication with academy auditors 2013, has been issued as the academies are consolidated into the “group accounts” of the Department for Education – so academy auditors are auditing parts of the DfE.

The guidance will be fascinating for audit anoraks. It will also be of interest to anyone many others including principals, senior managers, governors and ROs/internal auditors. The short guide highlights what the auditors at the NAO worry about.

We … consider, because of the number and variety of providers, there is an inherent risk that across the academies sector there could be material or systemic irregularity, which may be heightened in newly converted academies. Particular areas of concern include:

• Approval from the Secretary of State not being sought for certain transactions above delegated authorities, outlined in the academies financial handbook;
• Fraud or misappropriation of funds, especially at the Trust level in a multi academy trust; and
• The increasing risk that academies with long standing deficits may become insolvent.

Fraud and insolvency are of wider public interest too.

In terms of regularity (i.e. income and expenditure being applied, in all material respects, for the purposes intended by Parliament), the NAO advise:

• There are a number of themes which the auditor should consider when identifying the risk of irregularity. These themes include:
• Misuse of funds by head teachers (i.e. using academy funds for personal gain);
• Governance at multi academy trusts (i.e. oversight of activities of individual academies, or weak controls at the trust level)
• Weaknesses in procurement (i.e. non-compliance with EU procurement rules, or employment/contracting with related parties)

Clearly audit and assurance are vital to keeping academies on the right track – and spotting problems if they do start to go off the rails.

Fraud Friday: some scams in the news

Maybe it’s a sign of the times or the phase in the business cycle, but fraud seems to everywhere. Its not just the freshly sentenced former minister Elliot Morley who dishonestly claimed more than £30,000 in parliamentary expenses in what the judge deemed was not a very sophisticated fraud.

Third Sector reported yesterday that the Charity Commission had found that the Director and chair of an education charity not only stole £245,000 from two charities but also made fraudulent payments for training and other activities.

When trustees abuse their position it can be difficult for other employees to know and stand in their way. However, it is disturbing that the charity failed to submit audited accounts for two financial years. Trustees really should pay attention. Too often trustees place undue reliance on their more financially literate colleagues - maybe this happened here.

The headline on this week's Inside Housing is: Landlords targeted by electronic con. In fact the scam does not seem that technological: housing associations seem to have fallen for fake letters requesting changes to supplier details.

Last month the Young People's Learning Agency issued a fraud alert to colleges and academies which warned:

All Academies and sixth form colleges are asked to be vigilant when dealing with notifications of changes of bank account from their suppliers, and if necessary to review their procedures for dealing with changes. The YPLA has been notified of an alleged attempted fraud in which an apparently genuine change of bank details for a supplier (a building contractor) was notified and acted upon. The notification was subsequently been discovered to be false once the genuine supplier raised a query over a missing payment.

The police are currently investigating this incident – the YPLA has been informed that similar attempts have been made elsewhere in the country

While most people are wary of emails and phone calls - particularly the most amateur of 419 scams such as those highlighted on the 419eater website - too often people accept a piece of paper if it is signed and looks official.

Is fraud rocketing? Even if it isn’t, what should you do about it?

Last week Public Finance was reporting that levels of fraud rocketed during 2010. There is plenty of media coverage of fraud. This week I joined in tweeting a link to a
blog about Portsmouth University and MacIntyre Hudson’s survey of public sector fraud.

It is worth emphasising that the Public Finance’s report was based on KPMG’s Fraud Barometer which tracks fraud cases in UK Crown Courts. So detected fraud is “soaring” – is actual fraud up?

Recessions, credit crunches, austerity, etc have a tendency to expose financial chicanery. Just ask Max Madoff. I am sure that Bob Maxwell would agree.

To borrow a great quote from Warren Buffett and use it in a different context:

It's only when the tide goes out that you learn who's been swimming naked.

Of course, total – detected and undetected – fraud may be up too – in line with media coverage. For example, some of the squeezed middle may resort to white collar crime in hard times. Media coverage may even have a copycat effect – MPs are not the only ones who may be susceptible to the feeling that if colleagues’ snouts are in the trough, they should no be missing out. Experts point to need, opportunity and justification driving fraud - "others doing it" offers a self-justification for some.

Organisations should treat the fraud threat seriously. They should ensure that internal audit allocate sufficient days to fraud detection using IT tools as well as addressing fraud risks as an integral part of other audit reviews.

Risk management “a must” – not least for social housing

Today’s Financial Times has a Special Report on Risk Management and how it is “a must for decision-makers during uncertainty”.

The lead article on Difficult decisions on how to stay safe surveys key business risks in this recession. It struck me how many of the risks have a particular salience for social housing providers: supply chain, fraud, remuneration, cashflow.

Last Sunday’s Observer had an article about housing associations being ripped off with “soaring losses” and “rocketing fraud”. The sensationalism aside, there is a need for social landlords to be awake to fraud risks, including those associated with development.

Not all that glitters is a Golden Peacock: Satyam’s prize for corporate governance

As a film fan I am wary of judging a film by the number of Oscars that it scoops (or not). My scepticism has been confirmed today when I learned that the scandal hit Indian out-sourcing giant Sayam won a Golden Peacock award from the World Council on Corporate Governance.

I think this may devalue Golden Peacocks – not that they had a very high profile before. It’s not the first embarrassed accolade – Enron scooped a prize and praise for its risk management.

Football charity’s £440k own goal

This month the Charity Commission have published the results of their inquiry report into the Footballers’ Further Education and Vocational Training Society. An office manager at the training charity made unauthorised cash withdrawals of £444,400 over more than a decade.

The inquiry report should perhaps be required reading for all trustees (and certainly for audit committee members). It concluded:

It is important that trustees should work closely with their senior employees to ensure that their charities’ governance frameworks and internal control systems remain fit for purpose, especially during periods of rapid growth.

The report went on:

The Commission does not expect trustees personally to check every management decision taken, or every financial transaction, but trustees should ensure that there are procedures in place which allow them to monitor performance effectively and, especially, to identify discrepancies and system failures as soon as possible after they occur. It should not be assumed that every lapse will be spotted and put right by the annual audit.

Its worth noting that a civil action was brought by the charity against its external auditor although this was eventually settled out of court.

Maintaining trust: PIs, partnering and housing associations

According to the BBC, the Housing Corporation has launched an investigation after 5 Live Report alleged that it had uncovered evidence that a leading housing maintenance firm had falsified performance figures.

The case does raise some questions on how housing associations can be sure that performance information is reliable. I would certainly suggest that associations:

1. Periodically commission external validation of performance indicator systems whatever the future of social housing regulation is. (I declare an interest - I do PI system validation.)
2. Ensure that their audit committees (and, hence, their internal auditors) do consider the robustness of PI information - including PI collected by contractors and used to monitor partners

The alleged problems do make the case for associations (and other not-for-profits) creating a culture that stresses ethics both in within the organisation and in what is sometimes called the "extended enterprises" - not least suppliers and partners. Whistleblowing policies are a key part of this.

Profile of a fraudster - internal controls, financial loss and reputational risk

I do applaud the work of the KPMG sponsored Audit Committee Institute. It provides a useful resource for audit committee members in the private, public and third sector (and those involved in corporate governance outside audit committees) even if a lot of its work is focused on big private sector entities. In the latest Audit Committee Quarterly published by the Institute there is an interesting article on the profile of a fraudster.

Based on a major study of fraud cases by KPMG International, the research finds that 85 percent of fraudsters are male. The typical fraudster is aged between 36 and 55. By the time he starts enriching himself by illegal means, he has usually been employed by the company for six or more years. He typically works in the finance department and commits the fraud single-handed. In 86 percent of cases he is at management level – and in two thirds of cases he is a member of senior management. Greed and opportunity are his motivating factors.

Some of that isn’t new. But it is a useful reminder of how tighter internal controls, more widely publicised fraud reporting mechanisms and an anti-fraud culture are important. They are normally worth it. Total financial loss caused per fraudster was more than 1m euros in almost half the cases in the study.

Amongst the cases KPMG analysed, in Europe the highest proportion occurred in the public sector (29 percent of cases). That is fairly in line with the rest of the economy given the size of Europe’s public sector. It shows that the professional ethos, caring professions, the relative absence of "profit motive", etc can't entirely innoculate the public sector from fraud and the less desirable aspects of human nature.

The article doesn’t refer on reputational damage but that can be significant - perhaps potentially outwearing financial loss, sometimes aggravating it. An American accountant at a large not-for-profit was convicted of fraud associated with funding a dominatrix. No one likes to drop their coins into a collecting box if it will end up in an accountant being whipped or walked over in stilettos.