2nd Mar 2017

Risk2Value (R2V) have provided details of a pertinent cyber crime incident from the education sector. There can be no argument that cyber crime is on the increase. The insurance market has responded well and a number of products are available to reimburse losses. However, as with some other types of insurance, it is often difficult to offer examples that are relevant to the education sector.

This is a very recent example of a successful attempt to obtain login credentials and personal data, which were then used to commit fraud against a number of employees at an education institution.

Stage 1. A branded and convincing ‘phishing’ email was sent to a number of employees, informing them that they were to receive an increase in salary. Given the current economic situation, the amount of the increase was relatively generous. The email was sent in the middle of the month, i.e. before the end-of-month payroll run.

Stage 2. The email asked the recipient to click a link to an equally convincing copy of the staff intranet login screen. Employees who did so entered their username and password, which were captured and passed to the fraudster; the fake page then displayed an error message, since it was not connected to the real intranet at all.

Stage 3. Using the captured credentials, the fraudster logged in to the real intranet site and accessed each employee’s personal data. Their bank account details were altered so that the salary paid at the end of the month was diverted to a third party (‘mule’) bank account.

Thankfully, only a small number of the targeted employees responded, but the total amount taken was over £20,000.

As an addendum to this case, the bank account used as the ‘mule’ account for this fraud was itself obtained by deception. The fraudster sent a separate phishing email to students, offering lucrative part-time work as a ‘fund collector’ to handle payments arising from the main fraud. Students who responded were asked to provide their CV, email address, bank account details (for payments to them) and other personal details. When the funds stolen from the employees were due to arrive in the ‘mule’ account, the fraudster emailed the student concerned to arrange their transfer to the fraudster’s own bank account.

Lessons Learned
  • Employees should be alerted to the possibility of receiving ‘phishing’ emails and told not to click on any link until it has been verified.
  • Employees should not use a single login to access all authorised parts of the IT system, including their own personal and payroll details. A secondary login procedure (a further authentication step before sensitive data such as bank details can be viewed or changed) should be introduced.
  • If a request to change bank account details is received through the payroll system, verbal confirmation should be obtained from the individual concerned in person. It is wise not to use email or telephone for verification, as either could have been compromised as part of the fraud.
  • The employer interrogated the payroll data for changes of bank account details during the month in question. Such changes are generally unusual, and in this case it was found that over 20 employees had made one, including those who had suffered a loss. This is a simple check to carry out.
  • Where payroll systems allow employees to change their own bank account details, this function can be disabled. Any request for such a change should then be handled by an alternative method, such as an authenticated paper request form.
  • Inform students about phishing emails purporting to offer lucrative work and asking for personal data and bank account details.
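The check described in the fourth lesson above, written out as an added example in Python. This is not code from the original article or from Risk2Value: the audit-record layout, the field names and the thresholds are assumptions, and the sample records are constructed. Given a log of bank-detail changes, it counts changes per month, flags a month whose count is far above the usual rate, lists every employee who changed their details in that month so that each can be confirmed in person before the payroll run, and additionally flags several employees whose new details all point at the same destination account, which is the single ‘mule’ account pattern of this fraud.

```python
"""Check a payroll audit log for the bank-detail change pattern described above.

Added example, not code from the original article or from Risk2Value.
The audit-record layout, field names and thresholds are assumptions
(hypothetical), and the sample records below are constructed.
"""
import statistics
from collections import Counter, defaultdict
from datetime import date
from typing import Dict, List, NamedTuple, Tuple


class BankChange(NamedTuple):
    """One change of an employee's bank details, as a payroll system might log it."""
    employee_id: str
    when: date
    old_account: str   # "sort-code/account-number" (hypothetical format)
    new_account: str
    changed_via: str   # e.g. "self-service" (the intranet) or "paper-form"


# Constructed sample data: a quiet run of months, then a month in which
# several employees "change" their details to one and the same account.
SAMPLE_CHANGES: List[BankChange] = [
    BankChange("E010", date(2016, 11, 7), "10-10-10/10000010", "10-10-10/10000110", "self-service"),
    BankChange("E011", date(2016, 12, 5), "10-10-10/10000011", "10-10-10/10000111", "paper-form"),
    BankChange("E012", date(2017, 1, 9), "10-10-10/10000012", "10-10-10/10000112", "self-service"),
    BankChange("E013", date(2017, 1, 23), "10-10-10/10000013", "10-10-10/10000113", "self-service"),
    # February: five employees redirected to one third-party account ...
    BankChange("E001", date(2017, 2, 15), "10-10-10/10000001", "99-99-99/55555555", "self-service"),
    BankChange("E002", date(2017, 2, 15), "10-10-10/10000002", "99-99-99/55555555", "self-service"),
    BankChange("E003", date(2017, 2, 16), "10-10-10/10000003", "99-99-99/55555555", "self-service"),
    BankChange("E004", date(2017, 2, 16), "10-10-10/10000004", "99-99-99/55555555", "self-service"),
    BankChange("E005", date(2017, 2, 17), "10-10-10/10000005", "99-99-99/55555555", "self-service"),
    # ... plus three ordinary changes, which must still be confirmed in person.
    BankChange("E006", date(2017, 2, 3), "10-10-10/10000006", "10-10-10/10000106", "self-service"),
    BankChange("E007", date(2017, 2, 20), "10-10-10/10000007", "10-10-10/10000107", "paper-form"),
    BankChange("E008", date(2017, 2, 27), "10-10-10/10000008", "10-10-10/10000108", "self-service"),
]


def changes_by_month(changes: List[BankChange]) -> Counter:
    """Count bank-detail changes per (year, month)."""
    return Counter((c.when.year, c.when.month) for c in changes)


def is_unusual_month(changes: List[BankChange], year: int, month: int,
                     factor: float = 3.0, min_changes: int = 5) -> bool:
    """True if the month has at least `min_changes` changes and at least
    `factor` times the median count of the other months on record.
    Both thresholds are assumed values; tune them to the institution's normal churn."""
    counts = changes_by_month(changes)
    this_month = counts.get((year, month), 0)
    others = [n for ym, n in counts.items() if ym != (year, month)]
    baseline = statistics.median(others) if others else 0
    return this_month >= min_changes and this_month >= factor * max(baseline, 1)


def employees_to_verify(changes: List[BankChange], year: int, month: int) -> List[str]:
    """Everyone who changed bank details in the month. Each should be
    confirmed with the individual in person before the payroll run."""
    return sorted({c.employee_id for c in changes
                   if (c.when.year, c.when.month) == (year, month)})


def shared_destinations(changes: List[BankChange], year: int, month: int) -> Dict[str, List[str]]:
    """New account numbers that more than one employee switched to in the month.
    Several salaries redirected to one account is the single-mule-account pattern."""
    by_account: Dict[str, List[str]] = defaultdict(list)
    for c in changes:
        if (c.when.year, c.when.month) == (year, month):
            by_account[c.new_account].append(c.employee_id)
    return {acct: emps for acct, emps in by_account.items() if len(emps) > 1}


def report(changes: List[BankChange], year: int, month: int) -> str:
    """Human-readable summary of the three checks for one month."""
    lines = [f"Bank-detail changes in {year}-{month:02d}: "
             f"{changes_by_month(changes).get((year, month), 0)}"]
    lines.append("Volume unusual: " + ("YES" if is_unusual_month(changes, year, month) else "no"))
    lines.append("Confirm in person: " + ", ".join(employees_to_verify(changes, year, month)))
    for acct, emps in shared_destinations(changes, year, month).items():
        lines.append(f"SHARED DESTINATION {acct}: {', '.join(emps)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CHANGES, 2017, 2))
```

The volume check on its own would also fire in a month with a genuine wave of changes (a new bank offer, a pay-date change), which is why the list of employees to confirm is produced regardless of the verdict; the shared-destination check is the more specific signal for this particular fraud, but a fraudster using several mule accounts would evade it, so neither check replaces confirming each change with the individual.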

If you would like to find out more about the insurance products available in this area, please do speak to your current broker/insurer for further details.