Cybercriminals Could Be Targeting Your District's Finances

Teacher salaries, student transportation, and facilities maintenance are just a handful of the many line items on school districts’ budgets. Right now, criminals could be trying to steal your much-needed funds and, ultimately, compromise your ability to deliver a quality education to Texas school children.

The scam is called phishing, and its perpetrators are known as cybercriminals. Specific examples of phishing scams you may hear about include business email compromise or fraudulent instruction, which are responsible for some of the largest thefts involving school districts in recent years. This includes a recent attack which resulted in a $2.3 million dollar loss.

How these scams work

The cybercriminals behind phishing scams are wolves in sheep’s clothing. Masquerading as legitimate vendors, and even as employees or staff, they trick unsuspecting districts into sending money directly to them. Phishing scams come in many forms, but the three most common are:

Fraudulent payment request

Cybercriminals call, email, or fax, posing as a supplier, vendor, or contractor, and request payments to an account they own. The request could be for a wire transfer, ACH payment, or a paper check mailed to a new address. Because these scams aren't always done through email with malicious links or attachments, they often evade technical controls, such as email filters.

Staff impersonation/executive fraud

This scam hinges on cybercriminals creating fake emails that appear to be from someone in a position of authority, such as a board member, CFO, or superintendent. The email targets employees who have access to the bank account, and the request is often marked urgent to encourage recipients to bypass approval procedures.

Business email compromise

Instead of creating fake emails, cybercriminals hack directly into a victim’s email account. The victim could be someone in a position of authority, a vendor, or even an employee or staff member. The email requests invoice payments to vendors or contacts in the victim’s address book. In the case of employees and staff, the scam involves a seemingly legitimate request to modify payroll information. The attacker sets “rules” in the email account to ensure the real employee is never notified about the changes. Attackers can also target social security numbers, dates of birth, and other personally identifiable information to conduct W2 fraud and identify theft. That is why it is important to confirm transaction requests via a means other than email (see #2 below).

7 tips to protect your organization

1. Limit the information your district shares: Cybercriminals carefully research and closely monitor their target victims and organizations. They use information published on websites and social media pages to make plausible requests for funds. Under financial transparency requirements, including public check registers, districts must disclose certain information on their websites. For now, the Fund recommends districts avoid posting vendor names and all information labeled “optional” in this resource from TASB Legal Services (pdf).
2. Confirm transaction requests: Implement a non-email verification process for all transactions. If employees receive requests to change vendor banking information, they must call the phone number on the vendor contract and verify the request is legitimate. If not, the claim could be non-compensable under your Fund Data Privacy and Information Security Coverage Agreement. Similarly, district employees should be consulted before requests to change their direct-deposit account information are fulfilled.
3. Avoid wire transfers when possible: Use paper checks instead. If a wire transfer is necessary, require the employee making the transfer to have someone else review the request before transferring the funds.  
4. Assign designated contacts: Designate a contact to represent each vendor. The authorized contact is the only person who has the authority to request payment or changes to a contract or invoice.
5. Implement controls with financial institutions: Designate a representative from financial institutions who can provide telephone authorization for certain transactions, such as wire transfers or other electronic payments, or transactions over a specific amount.
6. Train your staff: Many phishing scams succeed because staff does not recognize the warning signs. As part of your security-related policies and procedures, teach staff to recognize indicators of fraudulent activity. For example, phishing email subject lines often include words such as request, payment, transfer, or urgent. In addition, make sure staff knows how to report suspicious activity to IT/security.
7. Work with IT: A district’s IT department can monitor email exchange servers for changes in configurations and custom rules that have been applied to accounts, which are warning signs of phishing scams.

Download a phishing cheat sheet to help your finance professionals fight cybercrime.

Editor's note: This article was originally published in November 2018 and has been updated for accuracy and comprehensiveness.