Cyber crime advice put out by ESFA following college email hacks

Firewalls, data back-ups and training staff to verify email senders are some of the actions colleges should take to protect themselves against cyber attacks, according to new government guidance.

The Education and Skills Funding Agency has published the advice today after colleges fell victim to phishing scams earlier this year, where genuine-looking emails were sent by fraudsters to trick people into sending money or private information.

As well as the tips, the ESFA release warns providers that they “retain responsibility to be aware of the risk of fraud, theft and irregularity and address it by putting in place proportionate controls”.

Phishing scams and malvertising – when malicious code is downloaded onto a victim’s computer after they click on, or even just hover over an advert online – are two traps the ESFA has warned providers of.

The release lists five strategic questions that education providers should use as a “starting point to consider cyber risk in their organisation”.

They include: Does the organisation have a clear and common understanding of the range of information assets it holds? Does the organisation have a clear understanding of cyber threats and their vulnerabilities? Is the organisation proactively managing cyber risks? Does the organisation have a balanced approach to managing cyber risk? Does the education provider have sound governance processes to ensure actions to mitigate threats are effective?

It goes on to list 10 “cyber security tests”, which are based on the National Cyber Security Centre’s ‘10 steps to cyber security’ guide.

As well as verifying email senders before sending payment or data, college staff should be trained to ensure they “understand the risks of using public Wi-Fi” and “understand the risks of not following payment checks and measures”, according to the ESFA.

One education provider that was a victim of a cyber attack earlier this year was Lakes College in Cumbria.

Fraudsters, perpetrating a phishing scam, hacked into the email account of principal Chris Nattress and sent a link to his contacts to “review and sign”.

When Nattress’s contacts replied to check if the email was genuine, the fraudster replied saying that it was.

They also changed the college’s phone number in the email signature by one digit, and made up a mobile number, so contacts could not check in that way.

The college’s digital team identified the issue before staff received any reports of a problem.

Education providers were first warned about phishing in an ESFA update in June, which said some had suffered “financial losses” after falling for this type of scheme, but it is unclear how many.

This is not the first time education providers have been targeted in such a manner: in 2014, emails purportedly from the Skills Funding Agency were sent to providers, asking them to send details that would allow the fraudster to take money from the provider’s bank account.