Lakes College has become the latest victim of a sophisticated email scam in which fraudsters posed as its principal.
Providers were warned about this kind of targeted “phishing” scam – where an imposter pretends to be a trustworthy source in an electronic communication to trick people into transferring money – by the Education and Skills Funding Agency this week.
On Tuesday, fraudsters hacked into the email account of Lakes College boss Chris Nattress and sent a link to his contacts to “review and sign”.
Furthermore, FE Week understands that when Nattress’s contacts replied to check if the email was genuine, the fraudster replied saying that it was.
They also changed the college’s phone number in the email signature by one digit, and made up a mobile number, so contacts could not check in that way.
Nattress told FE Week: “What we have experienced this week acts as a reminder to all, in the FE sector and further afield, how easy it is to fall victim, and that we must all remain vigilant.”
The college’s digital team identified the issue before staff received any reports of a problem.
“We have robust systems, controls and procedures in place at the college,” Nattress added. “And occasions like this highlight their importance and allow us to enhance our training and security awareness.”
The ESFA said clicking a link in a harmful email will take the user to a website that requests user credentials that can be used by the perpetrator to send “harmful” emails from the user’s account.
On a mobile device, the harmful emails sometimes appear with a coloured button saying “Display Message”, and oftentimes multiple official-looking email addresses are included to make the messages look legitimate.
The fraudster can request the user changes the bank account it uses for the Department for Education, the ESFA, or another payment provider.
If the imposter is not discovered, a payment may be made to the fraudulent account, the account could be emptied, and a new victim could be targeted.
The agency claims people have suffered “financial losses” because of this scam, but it is unclear how many.
FE Week spoke to an IT security expert who advised anyone who receives a suspected phishing email to not interact with the message but to use alternative means of finding contact information for the sender and to contact them through that to find out if the email is genuine.
The ESFA has additionally advised users to ensure they have firewalls, strong passwords and anti-virus software in place and to be alert to emails containing seemingly legitimate links.
Users have been asked to email email@example.com if they become aware of any phishing attempts.
If you have you been targeted by this scam, send the phishing emails you have received to firstname.lastname@example.org
This is not the first-time principals have been specifically targeted by fraudsters: in 2014, emails purportedly from the ESFA’s predecessor body the Skills Funding Agency were sent to providers, asking them to send details that would allow the fraudster to take money from the provider’s bank account.