An academy trust has been scammed out of more than £385,000 after its was targeted by cyber attackers posing as a construction company.
Police launched an investigation after Wembley Multi-Academy Trust (WMAT) made four payments to the fraudsters in the past financial year.
The cash was meant to cover building work, but was paid into the wrong bank account after the supplier’s email “was tampered with”.
Micon Metcalfe, a school business expert, said the the case was a “warning and reminder” of the risk posed by fraudsters.
“Anybody can be susceptible to this type of fraud. The only way to avoid it… [is] to be very vigilant around your controls for changing bank account details.”
She recommended “a well-documented process before making changes to bank accounts”, including suppliers to double-check details before making payments.
A Metropolitan Police spokesperson said it received a report of fraud from a trust in Brent in April last year. Enquiries were ongoing.
Supplier’s email ‘tampered-with’
Accounts for WMAT – which runs three schools in northwest London – state that over 2022-23 “four payments totalling £385,532 were made to a supplier in relation to construction works undertaken”.
These went to an “incorrect” account “after the supplier’s email… was tampered with”.
Metcalfe stressed victims in such cases could usually recover the amounts through insurance, “but it’s quite challenging”.
Figures published by the Information Commissioner’s Office (ICO) show the number of cyber security incidents in education and childcare has hit a five-year high.
In 2023, 353 were listed, more than at any point since 2019. Over the first half of this year, 166 incidents were reported.
A Teacher Tapp survey in September found that one in three secondaries have been rocked by cyber-attacks in the past 12 months.
A teacher, who asked to remain anonymous, said it was “utter chaos” after their school was hit last summer just before results day.
It left all staff “unable to access anything, so we could not prepare for the year”. And when they returned to school, they “could not use the desktops and there were not enough laptops”.
Secondaries (23 per cent) have most commonly been hit by phishing attacks, according to the survey. The north west was the worst-hit region, with 40 per cent of schools having cyber problems, compared with 28 per cent in the east of England.
Nine per cent of heads said the attacks were “critically damaging”. About 20 per cent of schools could not recover immediately, with 4 per cent taking more than half a term.
The survey also revealed that 33 per cent of secondary teachers had not received cyber-security training this year.
WMAT declined to comment.
Your thoughts