Safeguarding education: Mitigating cyber fraud risks in the digital age

29 January 2024

In today's digital age, technology plays a pivotal role in the education sector: it delivers learning, supports administrative tasks and stores sensitive data. While this digital transformation brings numerous benefits, the reliance on it introduces cyber fraud risks such as phishing attacks and data breaches. Cyber criminals adapt constantly, exploiting vulnerabilities to gain unauthorised access to valuable information.

We explore the various cyber fraud risks faced by the UK education sector and provide insights into effective mitigation strategies. By understanding these risks and implementing robust cybersecurity measures, educational institutions can protect themselves, their staff, and their students from the consequences of cyber fraud.

Phishing attacks

Cyber criminals run social engineering attacks by sending educational establishments authentic-looking emails, complete with corporate or official logos, intended to trick staff into revealing sensitive information or taking an action such as approving a payment. This can lead to data breaches or financial losses.

There are several types of phishing fraud that cyber criminals use to deceive individuals and steal their sensitive information. Some common types are outlined below.

Email phishing

  • The most common form, involving deceptive emails posing as legitimate entities.
  • Emails contain links or attachments leading to fake websites or malware.

Spear phishing

  • Phishing aimed at a specific individual or organisation, using personal information gathered beforehand to make the lure convincing.
  • Emails appear trustworthy and often mimic someone the individual knows, such as a colleague or line manager.

Smishing

  • Deceptive text messages (SMS phishing) tricking individuals into disclosing information.
  • Messages that pose as trusted sources, urging immediate action.

Vishing

  • Phishing over the phone (voice phishing) where cybercriminals impersonate legitimate organisations. 
  • Uses social engineering to deceive individuals into revealing sensitive information, often with a sense of urgency.

Pharming

  • Involves redirecting individuals to fake websites without their knowledge.
  • Manipulates Domain Name System (DNS) settings, or uses malware on the victim's device, so that users land on a fraudulent site even when they type the correct address.

Whaling

  • Phishing targeting high-profile individuals, such as CEOs, vice-chancellors or finance directors.
  • Uses personalised and convincing emails to extract sensitive information. 

What can the education sector do to protect itself?

Always be vigilant and cautious when dealing with emails, text messages or phone calls, especially if the sender requests personal information or prompts immediate action:

  • always verify the source, using contact details you already hold rather than those supplied in the message, before providing any sensitive information or clicking links;
  • conduct regular training on the latest phishing techniques for staff and students;
  • advise staff and students to be cautious when opening questionable emails or links, and make it easy to report anything suspicious; and
  • implement email filtering systems to detect and block phishing attempts, and protect accounts with multi-factor authentication so that a phished password alone does not give an attacker access.

Ransomware attacks

This is a significant threat not only to the education sector but globally. There have been a number of documented ransomware attacks over the past few years, with the Department for Education noting it as the most reported cyber threat. Ransomware is a type of malware, typically introduced to a network through phishing or other social engineering, or by exploiting exposed remote access services and unpatched vulnerabilities.

Once inside the network, the attacker identifies critical data, encrypts it and demands a ransom for the decryption key. A more recent evolution, often called double extortion, is to also steal the data and threaten to publish it unless the ransom is paid, so that even organisations with good backups face pressure to pay.

Commonly targeted data and systems include:

  • financial systems;
  • personally identifiable information;
  • intellectual property;
  • student coursework;
  • staff personal records; and
  • MIS/SIMS databases.

What can the education sector do to protect itself?

Regularly back up data and keep at least one copy offline, or otherwise out of reach of a compromised network, and test that backups can actually be restored; a backup that has never been restored is an assumption, not a control. Additionally, ensure that systems and software have the latest security patches, employ robust antivirus and firewall solutions, and require multi-factor authentication on any remote access.

Insider threats

These are risks from within the organisation, involving malicious or negligent actions by staff or students. They can include intentionally leaking sensitive information or accidentally causing security breaches.

Types of insider threats that can occur within the education sector are:

  • unauthorised disclosure of information;
  • altering grades and/or coursework marks;
  • intentional or unintentional alteration of personal and/or sensitive information;
  • compromising safeguarding information;
  • unauthorised access to financial records and/or staff payroll details; and
  • launching a Denial of Service (DoS) attack on the network of the educational establishment.

Students wanting to ‘test’ their skills within an establishment may pose an insider threat, and some may be tempted to profit by selling their access credentials to external attackers. This presents a real risk to the educational establishment.

What can the education sector do to protect itself?

Implementing strict access controls based on least privilege, regularly reviewing user privileges (and removing them promptly when staff or students leave), and providing cybersecurity training to staff and students can help reduce the risk of insider threats. Monitoring systems can also help detect suspicious activity, such as unusual access to grade, safeguarding or payroll records.

Mandate fraud

This often stems from a compromised email account, usually obtained through phishing. The fraud occurs when the attacker contacts the victim claiming to be from an organisation to which the victim makes regular payments, such as a supplier or contractor, and asks for the bank details held on file to be changed.

The attacker sits on the compromised email account monitoring the traffic, waiting for an invoice or payment conversation in which to substitute their own bank details.

The attacker will often set up forwarding or deletion rules on the compromised account to intercept the relevant communication without the legitimate user noticing. Such rules are a strong indicator of compromise, and auditing them across all mailboxes is one of the cheapest detections available.
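A practical check that follows from this, written here as an added example and not taken from the original article: the Python below triages mailbox audit events for the kind of rule an attacker plants during mandate fraud, namely forwarding to an external domain, deleting or hiding matching mail, filtering on finance keywords, and rule names chosen to be invisible. The events are constructed and only loosely modelled on Microsoft 365 unified audit log records for New-InboxRule, Set-InboxRule and Set-Mailbox; the field names, the institution's domain (example-college.ac.uk) and every address and IP are assumptions for illustration.

```python
"""Triage mailbox audit events for inbox rules typical of mandate fraud.

Added example. The events below are constructed, loosely modelled on
Microsoft 365 unified-audit-log records for New-InboxRule, Set-InboxRule
and Set-Mailbox; field names and addresses are assumptions, not a spec.
"""
import json
import re

# Assumed: domains the institution itself owns. Forwarding anywhere else is external.
ORG_DOMAINS = {"example-college.ac.uk"}

# Parameters that send a copy of mail somewhere else.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress")
# Folders the mailbox owner rarely opens; attackers park intercepted mail here.
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "deleted items",
                "junk email", "conversation history"}
FINANCE_WORDS = re.compile(r"invoice|payment|bank|remittance|bacs", re.I)
ADDRESS_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
# Traits that justify a finding on their own; others need two or more together.
STRONG = FORWARD_PARAMS + ("rule deletes",)

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"Id": "e1", "Operation": "New-InboxRule", "ClientIP": "203.0.113.7",
     "UserId": "finance@example-college.ac.uk", "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;bank details"},
         {"Name": "ForwardTo", "Value": "acc0unts.payable@mail-example.net"},
         {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"Id": "e2", "Operation": "New-InboxRule", "ClientIP": "198.51.100.20",
     "UserId": "bursar@example-college.ac.uk", "Parameters": [
         {"Name": "Name", "Value": "Move newsletters"},
         {"Name": "From", "Value": "news@example-college.ac.uk"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Id": "e3", "Operation": "Set-Mailbox", "ClientIP": "203.0.113.7",
     "UserId": "payroll@example-college.ac.uk", "Parameters": [
         {"Name": "ForwardingSmtpAddress", "Value": "smtp:payroll.backup@webmail.example"},
         {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Id": "e4", "Operation": "Set-InboxRule", "ClientIP": "198.51.100.20",
     "UserId": "bursar@example-college.ac.uk", "Parameters": [
         {"Name": "Name", "Value": "Supplier invoices"},
         {"Name": "SubjectContainsWords", "Value": "invoice"},
         {"Name": "DeleteMessage", "Value": "True"}]},
]


def _params(event):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def _domain(value):
    """Domain of the first e-mail address in a value such as 'smtp:a@b.example'."""
    m = ADDRESS_RE.search(value)
    return m.group(1).lower() if m else None


def _true(value):
    return value.strip().lower() in ("true", "$true", "1")


def analyse_event(event):
    """Return the list of suspicious traits found in one audit event."""
    op = event.get("Operation", "")
    if op not in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
        return []
    p = _params(event)
    reasons = []
    for key in FORWARD_PARAMS:
        dom = _domain(p.get(key, ""))
        if dom and dom not in ORG_DOMAINS:
            reasons.append(f"{key} to external domain {dom}")
    if _true(p.get("DeleteMessage", "")):
        reasons.append("rule deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
        reasons.append(f"moves mail to rarely read folder {p['MoveToFolder']!r}")
    if _true(p.get("MarkAsRead", "")):
        reasons.append("marks mail as read")
    if op.endswith("InboxRule") and not re.search(r"[A-Za-z0-9]{2,}", p.get("Name", "")):
        reasons.append(f"rule name {p.get('Name', '')!r} is empty or punctuation only")
    text = " ".join(p.get(k, "") for k in
                    ("SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords"))
    if FINANCE_WORDS.search(text):
        reasons.append("filters on finance keywords")
    return reasons


def triage(events):
    """Flag events with any strong indicator, or two or more weaker ones."""
    findings = []
    for ev in events:
        reasons = analyse_event(ev)
        if any(r.startswith(STRONG) for r in reasons) or len(reasons) >= 2:
            findings.append({"id": ev["Id"], "user": ev["UserId"],
                             "ip": ev.get("ClientIP"), "reasons": reasons})
    return findings


def shared_source_ips(findings):
    """IPs behind flagged changes in more than one mailbox: one attacker, several victims."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).add(f["user"])
    return {ip: users for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    print(json.dumps(hits, indent=2))
    print("shared source IPs:", shared_source_ips(hits))
```

Run against the sample, e1 and e3 are flagged for external forwarding and e4 because a rule silently deleting anything mentioning "invoice" is exactly how an attacker hides a genuine supplier's queries; e2 is an ordinary newsletter rule and passes. The shared source address on e1 and e3 is the kind of pivot that turns two mailbox tickets into one incident. A finding is a prompt to speak to the mailbox owner and check the sign-in history, not proof of compromise on its own, and a real deployment would read the events from the tenant's audit log export rather than the constructed list here.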

What can the education sector do to protect itself?

Organisations can take several steps to protect themselves against mandate fraud, which is a form of business email compromise (BEC) closely related to CEO fraud. Below are some key measures to consider.

Employee awareness and training

  • Educate employees about mandate fraud and the tactics used.
  • Train them to be vigilant and sceptical, especially regarding urgent or unusual financial requests.
  • Treat any request to change payment instructions, or to pay a large or unusual sum, as high risk by default.

Verification procedures

  • Implement strict verification procedures for financial transactions and for any change to a payee's bank details.
  • Establish a multistep process, including verbal or face-to-face confirmation with the requester using contact details already held on file, never those supplied in the request itself.

Secure communication channels

  • Encourage the use of secure communication channels (encrypted email or secure messaging) for sensitive transactions.
  • Avoid relying on regular email alone for payment instructions, since a compromised mailbox is exactly what the attacker controls.

Strong internal controls

  • Implement robust internal controls and segregation of duties.
  • Require multiple approvals for high-value transactions or changes to payment instructions.

Two-factor authentication

  • Enable two-factor authentication on all financial systems and on the email accounts used to approve payments, to add an extra layer of security.

Regularly update security measures

  • Keep software, systems, and security measures up to date with the latest patches and updates. 

Vendor and supplier verification

  • Establish a process for verifying new vendors or suppliers before making payments.
  • Conduct thorough due diligence, checking credentials, reputation and contact information, and confirm bank details independently of the documents the supplier sent.

Incident response plan

  • Develop an incident response plan outlining steps for reporting incidents, contacting law enforcement and communicating with affected parties. 

Monitor and analyse financial transactions

  • Regularly monitor transactions for suspicious activity.
  • Implement systems or software that detect unusual patterns or deviations from normal behaviour, such as a first payment to a newly changed account, so they can be held for review.

Payment fraud

With the increasing use of online payment systems in the education sector, there is a risk of payment fraud. Cyber criminals may attempt to steal payment card information or use fraudulent methods to make payments.

What can the education sector do to protect itself?

Implementing secure payment gateways and encryption technologies can help protect against payment fraud. Organisations should regularly monitor financial transactions for suspicious activity and provide guidance on secure payment practices.

Data breaches

Educational institutions hold a vast amount of personal and sensitive data, making them attractive targets for cyber criminals. A data breach can result in reputational damage, financial losses, and legal consequences.

What can the education sector do to protect itself?

Implementing strong data protection measures, such as encryption, access controls, and regular security audits, can help mitigate the risk of data breaches. It is also crucial to have an incident response plan in place to quickly respond to and contain any breaches.

A holistic cybersecurity approach, integrating education, technology and policies, is essential for mitigating cyber fraud risks within the education sector. Regular updates to security measures, risk assessments and staying informed about emerging threats enable organisations to stay ahead of cyber criminals.

Should you wish to receive any further information or discuss any part of this article, please contact Andrea Deegan or Richard Curtis.

Lisa Randall
Partner, Head of Higher Education
Andrea Deegan
Fraud Risk Services Director
Richard Curtis
Technology Assurance Director