Fraud Alert - Spear Phishing
6 October 2021
The Counter Fraud Team have received reports of schools being subject to attempted and successful Spear-phishing attacks.
Spear-phishing occurs when cyber criminals target a specific person or organisation via email or other electronic communication. On the surface, the email or communication appears to be trustworthy or to come from a trustworthy source. Instead, it will either be an attempt to gain important information such as bank account details, or it will lead the user to a malicious website. This will usually be with the intent of either stealing confidential or financial data or installing spyware or malware. Examples could be:
- An email arrives, appearing to be from a trustworthy source, but instead it leads the unknowing recipient to a bogus website containing malware.
- An email arrives, appearing to be from a trustworthy source such as a member of staff, asking for their bank details to be changed on the payroll.
Schools need to be vigilant by:
- Double checking the email address the email has been sent from. This can be done by hovering over the email address and ensuring it has come from within your organisation or holds the correct domain for the trusted source. Do not reply to the email; instead, respond by creating a new email and obtaining the email address from your global address list. Do not click on links embedded in any suspicious emails.
- Ensuring that processes and procedures are in place to prevent fraud when dealing with requests for changes of bank details or other sensitive information. This could be through using a standard form that needs to be submitted to update bank details, or by confirming with the person/supplier via their official phone number/email address. This can usually be found on legitimate paperwork or through supplier logs from within the organisation.
- Spreading awareness of phishing throughout the organisation so that staff know and understand the risks associated with it.
- Ensuring spear-phishing risks are included within the school's fraud risk assessment, including the ways the school will mitigate the risk.
Kent County Council Internal Audit must be notified of all financial irregularities and spear phishing incidents affecting maintained schools. You can report irregularities or seek advice by calling the Counter Fraud Team on 03000 41 45 00, or by emailing firstname.lastname@example.org.