Opinion

Email is the weakest link that could bring down your school

One in four schools experienced a cybersecurity incident in the last 12 months

18 Mar 2026, 16:04

Email wasn’t designed for financial transactions but the message hasn’t got through to the many schools that rely on it, warns Simon Freeman

One in four schools experienced a cybersecurity incident in the last 12 months.

The rise of cloud services, online learning and digital administration has transformed education, but cybercriminals have kept pace, developing increasingly sophisticated ways to steal data and money from schools.

The problem, though, isn’t just advanced hacking. Criminals are targeting routine payment processes that rely on email: supplier invoices, trip payments, catering charges, parent contributions and bank detail changes.

For schools and trusts operating with tight budgets and lean teams, cybersecurity demands sustained leadership attention as a core safeguarding responsibility, to protect students and staff while keeping operations secure and reputation intact.

So, what is the risk from email, and how can it be navigated?

State of school cybersecurity

With more and more schools experiencing attacks from fraudsters, it’s clear there’s an issue building, and it’s one that will only get worse as technology and tactics become more sophisticated.

Based on our research with education leaders, we found that two in five schools do not have cybersecurity training, and while 78 per cent have a cybersecurity policy, that still leaves more than one in five without one.

This suggests that turning policy into action is proving a challenge in daily school operations.

Data breaches are the biggest worry, with phishing attacks and ransomware close behind.

These concerns have real operational consequences, because when systems go down during an attack, schools can’t process payments, communicate with families or access student records.

What ties these threats together is how schools handle financial communications.

When bank details, supplier invoices and payment instructions flow through standard email chains, every phishing attempt and impersonation attack has a direct route to school funds.

And many of the controls that work elsewhere simply don’t apply to everyday email use.

Why email is vulnerable

Email wasn’t designed for financial transactions. Yet schools use it daily to share bank details, confirm supplier invoices and communicate payment instructions.

Each of these routine exchanges creates an opportunity for criminals to intercept, impersonate or manipulate.

If this happens, cybercriminals target system access through compromised logins, then steal data and divert money. But they also exploit something more valuable: a school’s trusted identity.

When staff, families and partner organisations assume communications are legitimate, it becomes far easier to manipulate payment processes.

Many attacks succeed through social engineering rather than technical sophistication: phishing emails trick staff into handing over credentials, while impersonation attacks mimic senior leaders or suppliers to prompt urgent action.

These tactics work in schools because they exploit busy routines and fragmented processes. Attackers hijack email threads to swap bank details for supplier payments, or send realistic requests timed exactly when trip payments or catering invoices are due.

What leaders can do

Leaders can take practical steps to strengthen their organisation’s defences, and we’ve developed a guide that pinpoints a path to safety.

First, be ready when something goes wrong. Build an incident response plan, ensure everyone knows their role, and test it – because if your team can’t act in the first 10 minutes of an attack, damage escalates quickly.

Invest in regular training that reflects the emails staff actually receive and build a no-blame culture so people flag mistakes immediately.

Then focus on technology that reduces risk. Switch on monitoring and alerts, tighten permissions, and implement multi-factor authentication wherever possible.

Most importantly, move high-risk transactions out of email. Use authenticated parent payment portals for trips and catering. Run supplier invoices through your finance system with built-in approval workflows. Verify any bank detail changes through a separate channel, never via email alone.

The good news is that schools don’t need unlimited budgets or specialist IT teams to make meaningful progress.

They need leadership that treats payment security with the same seriousness as fire safety: not as a project for someone else to manage, but as a core operational responsibility.

The criminals targeting school finances are organised, patient and persistent. School leaders need to be too.
