In 2023 the ESFA and the Charity Commission both released guidance alerting education institutions to the ever-increasing number of frauds that involve fictitious changes to supplier or payroll bank details.
The fraud is widespread because it does not require the fraudster to gain any access to your systems. Instead the fraudsters use 'spoofed' emails to trick finance teams into making otherwise legitimate payments into an account the fraudster controls.
Here are two examples:
- The day before the monthly payroll is run, an email arrives from the vice-principal. It says that they changed banks earlier in the month but forgot to ask HR to update their details, and asks the payroll team to treat the email as an instruction to pay their salary into the new bank account, details of which are provided.
- Early in 2023 the finance team is notified that a supplier's contact details are changing and is given a new telephone number. Around six months later the finance team is expecting a large invoice from that contractor, which is part way through a transformational capital project. The invoice arrives as expected, but the sort code and account number differ from the details held on the system. A member of the finance team phones the supplier on the number held on file to confirm the change, and the number on file is the one supplied six months earlier.
In both instances the emails came from fraudsters who masked the sender address so that it appeared to come from the legitimate source. If the fraud succeeds, the funds are very difficult to recover.
The second scenario illustrates how sophisticated these attacks have become: the fraudsters changed the contact details first and then waited six months before changing the bank details, so that a confirmation call placed to the number on file would reach them rather than the genuine supplier. With these attacks on the rise, we have listed a number of key processes that you may want to consider adopting:
- The procedures for changing the standing data of suppliers and staff (bank account numbers, sort codes, contact details, etc.) should be documented in the financial procedures manual.
- Never confirm a change of details by replying to the address the request came from, or by using any telephone number or email address supplied in the request itself.
- Consider obtaining both written and verbal confirmation from the supplier to verify the change, using the contact details held on file before the request was received.
- Aim to verify changes from independent sources, such as the details registered at Companies House or published on the company's own website.
- Treat changes to contact details with the same scrutiny as changes to banking details, since a fraudulent contact-details change is often the first step in a later fraudulent bank-details change.
- Where possible, make use of self-service portals. For example, payroll bank details should only be changeable through an HR portal that is itself only reachable from the College's secure network.
- Maintain a log of changes to standing data. The log should record what verification procedures were carried out, by whom, and when, so that each change can be traced back to the checks that approved it.
Most importantly, we would urge all educational institutions to be very vigilant in this area. We advocate regular discussions within the finance team both to raise awareness and to ensure that the procedures are known to everyone who processes changes and are adequate for the threat.