Case study: funds transfer fraud

Phishing scam targeted at school led to parents paying £90k to fraudster and school out of pocket by £10k

Screenshot 2021-07-23 at 09.47.04.png

Funds transfer fraud – whereby fraudsters dupe innocent businesses and individuals into transferring what they believe are legitimate payments to fraudulent bank accounts – is becoming an increasingly common problem for most modern organisations.

However, it’s not always a business that can suffer a loss in this way, but it’s customers too. Customer payment fraud describes a situation in which a business is impersonated by a fraudster, who then dupes some of the business’s customers into making payments to a fraudulent account.

One business affected by such a loss was a private, tuition-paying school responsible for educating 11-to-18-year-olds. The school in question has boarding facilities in place and attracts students from many different countries around the world.

Lack of multi-factor authentication lets fraudster in

The scam began when the school’s bursar, the individual responsible for managing the financial affairs of the school, fell for a credential phishing email. Credential phishing emails are used by malicious actors to try and trick individuals into voluntarily handing over their login details, typically by directing them to a link that takes them through to a fake login page.

In this case, the bursar received an email from what appeared to be Microsoft, stating that if he wanted to continue to use the email account without interruption, he would have to validate his account details online. Not wanting to face any disruption to his work, the bursar clicked on the link provided, which took him through to an authentic-looking landing page where he inputted his email login details and gave no further thought to the matter.

Despite appearances, however, the landing page was actually fake, and the bursar had unwittingly volunteered his email login details to a fraudster. What’s more, his email account didn’t have multi- factor authentication in place, so the fraudster was then able to access the account remotely and gather valuable information. In particular, the fraudster was able to locate a spreadsheet stored in one of the bursar’s email folders containing a list of email addresses for the parents of current students, which was typically used for distributing general messages and updates from the school.

Multi-factor authentication (MFA) is an authentication process that is used to ensure that a person is who they say they are by requiring a minimum of two pieces of unique data that corroborates their identity. Most cases of business email compromise could be prevented by implementing it.

Scam initiated with offer of discount

Having spotted an opportunity, the fraudster moved on to the next stage of their scam. Their first step was to set up an email address that looked substantially similar to the bursar’s, but with the addition of an extra letter to the address line. So instead of saying @abcschool.com, it became @abcscchool.com. 

The next step was to carefully select which parents to target. Rather than adopting a scatter gun approach and emailing every parent on the list, the fraudster specifically selected parents based overseas. This was presumably done not only on the basis that such parents are more likely to be paying both tuition and boarding costs (thereby making them more lucrative targets), but also in the belief that overseas parents might be more likely to fall for the scam and less likely to raise the alarm to the school.

With the targets selected, the fraudster sent out an email relating to the payment of school fees. The email began by outlining what the annual fees for tuition and boarding amounted to, but then stated that parents would be eligible for a discount of up to 25% if they paid for the spring and summer terms in one lump sum as opposed to paying separately at the start of each term. To add a sense of urgency to making a payment, the email then went on to say that there was a deadline for payment in place, after which the discount would expire. Social engineering attacks rely on manipulating and exploiting typical human behaviours, and in this case the fraudster was clearly aware that the scam would have a better chance of success if the parents were provided with a financial incentive to make the payment within a set time frame.

In addition, the email was well thought through and included a number of features to make it appear more authentic. For example, not only did the fraudster use proper spelling and grammar and include the bursar’s genuine email signature, he also went on to state that if the student was unable to complete the academic year for whatever reason, then the fees would be reimbursed on a pro-rata basis.

School’s security breach puts parents out of pocket

Unfortunately, this offer proved to be too tempting for some and six parents fell for the scam, transferring the tuition and boarding fees over to the fraudulent account details provided on the email. With tuition and boarding fees at the school costing some £10,050 per term, the amount paid out by each parent at a 25% discount amounted to some £15,075.

It was only after a few days, when one of the parents that had received the email forwarded it to one of the school’s administrators to check the validity of the discount offer that the school became aware of the scam. The school immediately notified all parents about the scam and urged them to be aware of any suspicious emails that appeared to have come from the school.

Of the six parents affected, just two were able to get their money back

The parents that fell for the scam reported the incident to their respective banks to see if the transaction could be either frozen or reversed, with mixed results. Of the six parents affected, just two were able to get their money back, with the rest left out of pocket to the tune of £60,300 collectively.

As it was a compromise of one of the school’s email accounts that had allowed the fraudster to gain access to the parents’ email addresses, the school felt morally obliged to reimburse those parents affected by the fraud. Fortunately, the school was then able to recoup most of this loss under the cybercrime section of its policy with CFC, which provides cover for customer payment fraud up to a maximum of £50,000.

A lesson learned

This case study highlights the need for customer payment fraud cover in cyber policies. Many cyber policies with crime sections will only provide cover for losses that directly affect a policyholder. But in this instance, it wasn’t the school that suffered a direct loss but its customers. However, because it was a compromise of the school’s computer systems that allowed the attack to be carried out,

the school felt duty bound to reimburse the parents affected. With more and more financial transactions being carried out electronically and with more and more cyber criminals looking to intercept them, the chances of a business’s customers falling for scams of this nature are only increasing and it’s usually the business that has been impersonated that will take the blame. That’s why it’s a good idea to check your cyber policy for customer payment fraud cover. 

Richard BensonComment