Fraudsters are placing themselves in the middle of transactions between parents and private schools. The fraudster contacts the parents outlining details and payment instructions for the latest school fees. Initial contact appears to be made primarily via email, often from the school’s own compromised email system. However, the NFIB has also seen instances where the email address used is similar to that of the school (e.g. “nn” instead of an “m”).
The victim then makes the required payment into a bank account under the control of the fraudster. By the time the fraud has been identified, the funds have already been dissipated.
In several instances there has been a strong social engineering element at play within the email, with the fraudster suggesting a discount on the fees can be obtained if the parents pay early.
- Ensure all administration staff are aware of this fraud.
- Ensure staff are aware of protocols on not opening links or attachments in unexpected or suspicious emails, in the event that the email system is compromised.
- Review password protocols and ensure those that are used are strong, as long as possible and contain a combination of letters as well as numbers and symbols.
- Review internal procedures regarding how the fee payments are requested and ensure these are relayed to the parents so they can easily identify suspicious requests.
- Ensure computer systems are secure and that antivirus software is up to date.
- To help combat “typo squatting” the school could consider registering similar domain names.
- Ensure required security updates to computer systems are completed.
- Consider using a payment gateway for any monies required to be received from parents.
- Always verify emailed changes to fee payment details with the school directly, using established contact details you have on file, especially changes which are not expected or which are for a different amount than expected.
- Always review requests for changes to payment requests. Check for inconsistencies or grammatical errors, such as a misspelt school name or a slightly different email address.
- Don’t be afraid to verify details when being asked to make fee payments into a new bank account.