Best Practice

School finance: Spotting and avoiding scams

Financial scams, including bank mandate fraud, often target schools, and staff need to be aware of what to look out for. Dave Verma advises.

Figures suggest that discovered fraud in the schools sector was likely in the region of £1 million last year. The primary objective of this article is to raise awareness of one of the highest fraud risks currently affecting schools – bank mandate fraud.

This type of fraud is delivered via social engineering and seeks to exploit a lack of fraud awareness and the goodwill of staff in following (false) orders from the headteacher.

This article seeks to explain the problem, how fraudsters are currently attacking school finance systems, and how headteachers can bolster their systems and raise awareness.

According to the National Fraud Intelligence Bureau, bank mandate fraud, which they also refer to as CEO fraud, is seeing a marked increase, especially where schools are being targeted.

So how does it work?

A school is targeted by a fraudster who purports to be the headteacher or principal. The fraudster contacts a member of staff with responsibility for authorising financial transfers and requests a one-off, often urgent, bank transfer to be made. The amounts requested have been between £8,000 and £10,000.

Contact is made by email, from an address that is either spoofed or similar to the one the headteacher would use. Spoof email addresses may appear identical to legitimate email addresses or may have been specially set up to look very similar.

Protecting yourself

First and foremost, staff should look out for emails purporting to be from the headteacher requesting urgent payments to be made for significant amounts. Staff should always scrutinise email addresses to spot spelling mistakes and the like.

More generally, headteachers should work towards creating a robust anti-fraud culture within their schools. Key staff should be encouraged to challenge any payments or requests that seem unusual or suspicious. Anti-fraud training and raising these issues at senior leader briefings, which are then disseminated to all key staff, are essential in improving the security culture generally.

Awareness and training are absolutely key in preventing this type of fraud, as is embedding correct financial procedures. Staff should be told never to make urgent payments based solely on an email. Either face-to-face or telephone confirmation should be sought from both the supplier in question and the headteacher or other person allegedly requesting the payment.

Making key staff accountable through robust procedures is also a key element in maintaining security. Job descriptions, one-to-ones and the appraisal process itself should reflect this accountability and leave no-one in any doubt as to their role in preventing, detecting and flagging fraudulent transactions.

More strategically, headteachers should review all processes which are currently in place to verify the legitimacy of suppliers and changes to their payment details. Contact details for suppliers should be kept in a centrally held register – this means you know the name, details and phone number of the supplier in question so that any alleged request for large payments or changes to bank details can be independently verified.

Another key element in prevention is awareness of how schools deal with sensitive information. In particular, sensitive information which is posted publicly needs to be risk-evaluated in case fraudsters can get hold of the names, email addresses and titles of key finance staff and other key inside information. Similarly, the secure shredding and disposal of sensitive information is essential.

Effective gatekeeping in terms of the HR recruitment process can also play a vital part in preventing corporate fraudsters from gaining employment within your school. ID verification training is a key element in this effective gatekeeping.

Finally, it is important to inform staff that email addresses can be easily spoofed to appear as if they are from someone legitimate. Unexpected or unusual emails should be treated as such and flagged. Under no circumstances should the hyperlinks or attachments in these emails be opened.

What can you do if one of the scams gets through? Schools should create procedures so that, should such a scam slip through, everyone knows their role in taking urgent and immediate action to avoid financial losses. Key contacts should be established at the school’s bank, who can freeze any payments if urgent fraud referrals are made.

All school headteachers and finance staff should subscribe to the Action Fraud website fraud bulletin service. This has been designed to keep everyone informed as to the latest scams affecting the country generally and schools specifically.

  • Dave Verma was one of the UK’s first anti-fraud managers and lectured at the Metropolitan Police Detective Training School for 12 years. He is currently a lead consultant working with headteachers and schools to identify their financial risks and prevent fraud. Visit https://daveverma.com

Further information

The Action Fraud website can be found at https://actionfraud.police.uk/small-businesses-know-your-business