Clerks Mailings - January 2019
DL and Accessibility Strategies
Strategy documents for Wiltshire disadvantaged learners, and Accessibility and inclusion.
Cyber Crime, Phishing e-mails and Sextortion
Messaging from Wiltshire Police Digital Investigations and Intelligence Unit (DIIU)

We have been made aware of a significant amount of phishing emails that are currently targeting educational institutions. The threats include CEO Fraud, Sextortion and mandate fraud.

CEO Fraud will typically start with an email being sent from a fraudster to a member of staff in the school/company's finance department. The staff member will be instructed by the fraudster, who is purporting to be the CEO/headmaster, to quickly transfer money to a certain account for a specific reason. The member of staff does as their boss has instructed, only later to find out that they have sent money to a fraudster. What makes this believable to the staff member is that the email looks like it comes from the CEO/Headmaster because it is 'spoofed'. Spoofing is where an email appears to have come from an address you know, but the real address it has come from is hidden behind that display.

Protect against CEO Fraud:
• Ensure all staff, not just finance teams, are aware of this fraud
• Have a system in place that allows staff to properly verify contact from their CEO/Headmaster or senior members
• Look for misspellings in the email address, or hover your mouse over the sender's name to see whether the actual address the message has come from is displayed
• Consider what information is publicly available about your business/school and whether it needs to be
• Ensure computer systems are secure and antivirus is installed and up to date

Sextortion refers to a form of online blackmail where you are threatened with the release of sexual images or video unless you pay a fee to the fraudster. What we have been seeing are sextortion phishing emails. These emails threaten you, saying they have captured images/videos through your webcam or browsing history, but in actual fact they have nothing. It is a pure phishing attempt aimed at scaring people into handing over money.

Recently we have seen these phishing emails containing a password. This password will be one that you have previously used, so the scam becomes a little more believable, but they have got the password from a data breach and not from you directly. The newest trend with sextortion phishing emails is that they include a link that supposedly contains proof of the images or videos. Clicking this link won't show you proof but will in fact lead to ransomware being downloaded onto your computer.

Protect against sextortion phishing:
• Don't pay the ransom; you should never pay the ransom
• Don't click on any links; you should never click on links in unsolicited emails
• Don't respond to the email
• Stop using the password mentioned; it was involved in a data breach and is now compromised

Mandate fraud is when someone gets you to change a direct debit, standing order or bank transfer mandate by purporting to be an organisation you make regular payments to. You may be contacted by someone pretending to be one of your suppliers and told they have changed their bank, and could you amend the direct debit to reflect this. Next month you are contacted by the genuine supplier asking what has happened to the regular payment, and this is when you will notice. It is very likely that these emails are phishing attempts, but sometimes this could mean an email account has been breached and the scammer has intercepted emails. You should speak with your IT teams to identify breaches and secure your systems.

Protect against mandate fraud:
• Look at the email address you were contacted by and look for slight misspellings, as this is a common trick to make it look like it has come from the genuine supplier
• Always verify changes to financial arrangements with the organisation directly, using established contact details
• Check bank statements carefully and report anything suspicious
• Make sure colleagues, particularly those involved in finance, are aware of mandate fraud

Reporting Fraud

You can report phishing attempts by visiting https://www.actionfraud.police.uk/report-phishing

If you are the victim of any type of scam or cyber crime then report it to Action Fraud, the national reporting centre for fraud and cyber crime, by visiting https://www.actionfraud.police.uk/ or calling 0300 123 2040.
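As an added illustration (not part of the police messaging above), the manual checks it recommends, looking past the display name to the real address and spotting misspelt domains, done programmatically with Python's standard email parser. The school domain, names and both messages are constructed placeholders, not real addresses.

```python
import email
from email import policy
from email.utils import parseaddr
from difflib import SequenceMatcher

# Constructed sample messages (placeholder names and domains, not real).
SPOOFED = """From: "Jane Smith" <jane.smith@examp1e-school.sch.uk>
Reply-To: j.smith.head@webmail.example
To: finance@example-school.sch.uk
Subject: Urgent payment

Please transfer the invoice amount today, I am in a meeting.
"""

GENUINE = """From: "Jane Smith" <jane.smith@example-school.sch.uk>
To: finance@example-school.sch.uk
Subject: Staff meeting

Reminder about Thursday.
"""

# The senders and domain the school actually knows (constructed).
KNOWN_SENDERS = {"jane smith": "jane.smith@example-school.sch.uk"}
TRUSTED_DOMAINS = {"example-school.sch.uk"}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(raw: str) -> list[str]:
    """Return warnings about who a message really came from."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    addr, dom, warnings = addr.lower(), domain_of(addr.lower()), []

    # Display name is a known person, but the hidden address is not theirs.
    expected = KNOWN_SENDERS.get(display.strip().lower())
    if expected and addr != expected:
        warnings.append(f"display name '{display}' but address is {addr}")

    # Domain is not trusted but is a near-miss of one (e.g. '1' for 'l').
    if dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if SequenceMatcher(None, dom, trusted).ratio() > 0.85:
                warnings.append(f"lookalike domain {dom} resembles {trusted}")

    # Replies would silently go to a different mailbox than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != dom:
        warnings.append(f"Reply-To goes to {reply}, not the From domain")
    return warnings
```

Run `check_sender(SPOOFED)` to see all three warnings raised; the genuine message produces none.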