Cybercriminals Are Targeting Your District's Finances
Teacher salaries, student transportation, and facilities maintenance are just a handful of the many line items on school districts’ budgets. Right now, criminals could be trying to steal your much-needed funds and, ultimately, compromise your ability to deliver a quality education to Texas school children.
The scam is called phishing, and its perpetrators are known as cybercriminals. Specific examples of phishing scams you may hear about include business email compromise or fraudulent instruction, which are responsible for some of the largest thefts involving school districts in recent years. This includes a recent attack which resulted in a $2.3 million dollar loss.
How these scams work
The cybercriminals behind phishing scams are wolves in sheep’s clothing. Masquerading as legitimate vendors, and even as employees or staff, they trick unsuspecting districts into sending money directly to them. Phishing scams come in many forms, but the three most common are:
Fraudulent payment request
Cybercriminals call, email, or fax, posing as a supplier, vendor, or contractor, and request payments to an account they own. The request could be for a wire transfer, ACH payment, or a paper check mailed to a new address. Because these scams aren't always done through email with malicious links or attachments, they often evade technical controls, such as email filters.
Staff impersonation/executive fraud
This scam hinges on cybercriminals creating fake emails that appear to be from someone in a position of authority, such as a board member, CFO, or superintendent. The email targets employees who have access to the bank account, and the request is often marked urgent to encourage recipients to bypass approval procedures.
Business email compromise
Instead of creating fake emails, cybercriminals hack directly into a victim’s email account. The victim could be someone in a position of authority, a vendor, or even an employee or staff member. The email requests invoice payments to vendors or contacts in the victim’s address book. In the case of employees and staff, the scam involves a seemingly legitimate request to modify payroll information. The attacker sets “rules” in the email account to ensure the real employee is never notified about the changes. Attackers can also target social security numbers, dates of birth, and other personally identifiable information to conduct W2 fraud and identify theft. That is why it is important to confirm transaction requests via a means other than email (see #2 below).
7 tips to protect your organization
- Limit the information your district shares: Cybercriminals carefully research and closely monitor their target victims and organizations. They use information published on websites and social media pages to make plausible requests for funds. Under financial transparency requirements, including public check registers, districts must disclose certain information on their websites. For now, the Fund recommends districts avoid posting vendor names and all information labeled “optional” in this resource from TASB Legal Services (pdf).
- Confirm the transaction request: Implement a non-email verification process for transactions over a threshold amount. For example, call the contact listed on your vendor contract to confirm that the request is legitimate.
- Avoid wire transfers when possible: Use paper checks instead. If a wire transfer is necessary, require the employee making the transfer to have someone else review the request before transferring the funds.
- Assign designated contacts: Designate a contact to represent each vendor. The authorized contact is the only person who has the authority to request payment or changes to a contract or invoice.
- Implement controls with financial institutions: Designate a representative from financial institutions who can provide telephone authorization for certain transactions, such as wire transfers or other electronic payments, or transactions over a specific amount.
- Train your staff: Many phishing scams succeed because staff does not recognize the warning signs. As part of your security-related policies and procedures, teach staff to recognize indicators of fraudulent activity. For example, phishing email subject lines often include words such as request, payment, transfer, or urgent. In addition, make sure staff knows how to report suspicious activity to IT/security.
- Work with IT: A district’s IT department can monitor email exchange servers for changes in configurations and custom rules that have been applied to accounts, which are warning signs of phishing scams.
Download a phishing cheat sheet to help your finance professionals fight cybercrime.
Have Cybersecurity Questions?
Members with Privacy and Information Security coverage can request training and support from our Privacy and Cyber Risk Consultant Lucas Anderson at 800-482-7276, x2893 or firstname.lastname@example.org.
Choose the Fund’s Cybersecurity coverage to protect your organization against cyberthreats targeting public schools that can divert funds from school budgets and erode public trust.
Editor's note: This article was originally published in November 2018 and has been updated for accuracy and comprehensiveness.
Lucas Anderson joined TASB Risk Management Services in 2019, bringing more than a decade of experience in cybersecurity, network administration, and information technology. He advises districts on preemptive mitigation against ongoing and emerging cybercriminal threats targeting the education sector, as well as cybersecurity-related regulatory compliance.
Over his career, Anderson has supported public and private organizations, including Booz Allen Hamilton, the White House Office of Management and Budget, the Department of Defense, and the Texas Association of Counties.