Case study. School fees fiasco. Parents mistakenly pay tuition fees to a fraudster impersonating a private school

Educational establishments have typically seen their cyber exposure in terms of the risk of suffering a data breach. This is because they will often hold sensitive data on both students and their parents, and they are aware of the regulatory obligations that a breach of that data might impose upon them. However, educational establishments shouldn't see their cyber exposure as being exclusively about data and privacy risk. Funds transfer fraud, whereby fraudsters dupe innocent businesses and individuals into transferring what they believe are legitimate payments to fraudulent bank accounts, is becoming an increasingly common problem for most modern organizations, and this includes those operating in the education sector.

In an insurance context, most cyber policies with crime cover in place will provide some form of protection for situations where policyholders lose their own money in this way. For example, if a fraudster manages to impersonate a school principal and gets a member of the finance team to send a payment to a fraudulent bank account, the policyholder's business will have suffered a financial loss. Usually, this loss can then be recovered under their cyber policy.

However, it's not always the policyholder's business that suffers a loss in this way, but the policyholder's customers. Customer payment fraud describes a situation in which a business is impersonated by a fraudster, who then dupes some of the business's customers into making payments to a fraudulent account.

One of our policyholders affected by such a loss was a private, tuition fee-paying school responsible for educating year olds. The school in question has boarding facilities in place and attracts students from many different countries around the world.
Lack of multi-factor authentication lets fraudster in

The scam began when the school's bursar, the individual responsible for managing the financial affairs of the school, fell for a credential phishing email. Credential phishing emails are used by malicious actors to try to trick individuals into voluntarily handing over their login details, typically by directing them to a link that takes them through to a fake login page.

In this case, the bursar received an email from what appeared to be Microsoft, stating that if he wanted to continue to use the account without interruption, he would have to validate his account details online. Not wanting to face any disruption to his work, the bursar clicked on the link provided, which took him through to an authentic-looking landing page where he entered his login details and gave no further thought to the matter. Despite appearances, however, the landing page was actually fake, and the bursar had unwittingly volunteered his login details to a fraudster.

What's more, his account didn't have multi-factor authentication in place, so the fraudster was then able to access the account remotely and gather valuable information. In particular, the fraudster was able to locate a spreadsheet stored in one of the bursar's folders containing a list of email addresses for the parents of current students, which was typically used for distributing general messages and updates from the school.

Did you know? MFA is an authentication process that is used to ensure that a person is who they say they are by requiring a minimum of two pieces of unique data that corroborate their identity. Most cases of business email compromise could be prevented by implementing it.

Scam initiated with offer of discount

Having spotted an opportunity, the fraudster moved on to the next stage of their scam. Their first step was to set up an email address that looked substantially similar to the bursar's, but with the addition of an extra letter to the address line. So instead of it

The next step was to carefully select which parents to target. Rather than adopting a scatter-gun approach and emailing every parent on the list, the fraudster specifically selected parents based overseas. This was presumably done not only on the basis that such parents are more likely to be paying both tuition and boarding fees (thereby making them more lucrative targets), but also in the belief that overseas parents might be more likely to fall for the scam and less likely to raise the alarm with the school.

With the targets selected, the fraudster sent out an email relating to the payment of school fees. The email began by outlining what the annual fees for tuition and boarding amounted to, but then stated that parents would be eligible for a discount of up to 25% if they paid for the spring and summer terms in one lump sum as opposed to paying separately at the start of each term. To add a sense of urgency to making a payment, the email then went on to say that there was a deadline for payment in place, after which the discount would expire. Social engineering attacks rely on manipulating and exploiting typical human behaviours, and in this case the fraudster was clearly aware that the scam would have a better chance of success if the parents were provided with a financial incentive to make the payment within a set time frame.

In addition, the email was well thought through and included a number of features to make it appear more authentic. For example, not only did the fraudster use proper spelling and grammar and include the bursar's genuine signature, he also went on to state that if the student was unable to complete the academic year for whatever reason, then the fees would be reimbursed on a pro-rata basis.

School's security breach puts parents out of pocket

Unfortunately, this offer proved to be too tempting for some, and six parents fell for the scam, transferring the tuition and boarding fees to the fraudulent account details provided in the email.
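The lookalike sender address described above, one letter away from the bursar's genuine address, is exactly the kind of thing an inbound mail check can flag before a parent ever reads the message. The following Python is an added illustration, not code from the case study or from CFC; the trusted address and the sample From headers are constructed placeholders.

```python
"""Flag inbound senders that impersonate a trusted address by a small edit
or by borrowing a trusted display name (added example, placeholder data)."""
from email.utils import parseaddr

# Constructed allow-list of genuine school senders: address -> display name.
# These are placeholders, not the school's real addresses.
TRUSTED = {
    "bursar@example-school.org": "School Bursar",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_verdict(from_header: str, trusted=TRUSTED, max_dist: int = 2):
    """Classify a From: header as 'trusted', 'lookalike' or 'unknown'.

    Returns (verdict, trusted_address_it_resembles_or_None).
    A sender is a lookalike if its local part plus domain are within
    max_dist edits of a trusted address (e.g. one extra letter), or if it
    reuses a trusted display name with a different mailbox.
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in trusted:
        return "trusted", addr
    local, _, domain = addr.partition("@")
    for known, known_display in trusted.items():
        k_local, _, k_domain = known.partition("@")
        dist = levenshtein(local, k_local) + levenshtein(domain, k_domain)
        if 0 < dist <= max_dist:
            return "lookalike", known
        if display and display.lower() == known_display.lower():
            return "lookalike", known
    return "unknown", None


if __name__ == "__main__":
    for hdr in ("School Bursar <bursarr@example-school.org>",  # extra letter
                "bursar@example-school.org",
                "School Bursar <fees@freemail.example>",       # borrowed name
                "alice@otherdomain.net"):
        print(hdr, "->", lookalike_verdict(hdr))
```

A gateway rule built on this check would quarantine or banner the lookalike messages; the same comparison can be run against a parent-facing contact list, which is what let the school's administrator spot the fake once a parent forwarded it.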
With tuition and boarding fees at the school costing some $10,050 per term, the amount paid out by each parent at a 25% discount amounted to some $15,075. Of the six parents affected, just two were able to get their money back, with the rest left out of pocket to the tune of $60,300 collectively.

It was only after a few days, when one of the parents that had received the email forwarded it to one of the school's administrators to check the validity of the discount offer, that the school became aware of the scam. The school immediately notified all parents about the scam and urged them to be aware of any suspicious emails that appeared to have come from the school. The parents that fell for the scam reported the incident to their respective banks to see if the transaction could be either frozen or reversed, with mixed results.

As it was a compromise of one of the school's email accounts that had allowed the fraudster to gain access to the parents' email addresses, the school felt morally obliged to reimburse those parents affected by the fraud. Fortunately, the school was then able to recoup most of this loss under the cyber crime section of its policy with CFC, which provides cover for customer payment fraud up to a maximum of $50,000.

Lessons learned

This claim highlights a few key points. Firstly, it shows just how skilful cybercriminals are becoming at parting individuals and businesses from their money. In this case, the fraudster managed to successfully impersonate Microsoft and lured the school's bursar into volunteering his login details; took his time to peruse the inbox and locate a spreadsheet containing parents' email addresses; decided to specifically target overseas parents rather than adopting a scatter-gun approach, which might have raised the alarm and seen the scam uncovered sooner; offered a discount within a limited time range to induce parents to transfer the tuition and boarding fees promptly; and included a number of small touches, such as the use of the bursar's genuine signature, to make the email look and sound as authentic as possible.

Secondly, it represents a shift in the nature of cyber risk in the education sector. Educational establishments have long seen their cyber risk as being primarily about privacy. However, with the rise of social engineering style attacks, organizations that operate in the education sector can no longer afford to focus exclusively on data breaches when managing their cyber risk. Private schools in particular should ensure that staff are aware of phishing scams and make sure that parents are alert to any suspicious communications that might appear to come from the school.

Finally, it highlights the need for customer payment fraud cover in cyber policies. Many cyber policies with crime sections will only provide cover for losses that directly affect a policyholder. But in this instance, it wasn't the school that suffered a direct loss but its customers. However, because it was a compromise of the school's computer systems that allowed the attack to be carried out, the school felt duty bound to reimburse the parents affected.

With more and more financial transactions being carried out electronically, and with more and more cybercriminals looking to intercept them, the chances of a business's customers falling for scams of this nature are only increasing, and it's usually the business that has been impersonated that will take the blame. That's why it's a good idea to check your cyber policy for customer payment fraud cover.