Insurer warns parents to be on the lookout for cyber criminals targeting school fees

30 November 2018

Ecclesiastical Insurance is warning parents to be extra vigilant over the coming months as cyber criminals target parents paying school fees.

In December 2017 cyber criminals targeted parents with a series of fake emails claiming to be from schools. Fraudsters used phishing attacks to gain access to the school’s emails and contact lists to create fake emails targeting parents needing to pay school fees. 

Earlier this year Ecclesiastical revealed that one in five British schools and colleges had experienced some form of cyber-crime1, with malware and phishing scams being the most common form of attack. The insurer believes that cyber criminals will once again target parents who are attempting to pay school fees for the new term and is urging parents to think twice before paying fees in to an unverified bank account. 

“With parents paying up to £15,000 per term it is perhaps easy to understand why criminals see this as a lucrative opportunity,” explained Nicholas Hartley, head of innovation at Ecclesiastical. “It is a relatively easy scam for criminals to implement. Most of the information they need to create an ‘official looking’ email – the school’s logo, the name of the head teacher and official contact details – can all be found online.” 

These emails look very convincing; they can be ‘spoofed’ so appear to have originated from the school and often urge prompt payment. This could be a financial incentive like a discount for paying quickly or simply stating that the balance is overdue – the criminals essentially want to push you in to paying quickly without questioning the validity of the email. 

When it comes to data, schools must now comply with the General Data Protection Regulation (GDPR) requirement to report a breach within 72 hours of the school becoming aware of the incident.  As well as notifying the Information Commissioner’s Office (ICO), any affected parties must be contacted and offered help. This could include advice or credit monitoring and identity theft assistance for a period of time.

Just three months after the implementation of GDPR, the ICO’s breach reporting line is receiving 500 calls per week – 50% of these are the result of phishing attacks.  

While businesses will have whole teams protecting their IT infrastructure, most schools do not have the same budget or resources. Initiatives like Cyber Essentials2 would help prevent and limit an attack, but this isn’t guaranteed to prevent a phishing attack when someone is coerced into giving up details or money.” 

“Cyber criminals are developing and evolving their tactics all the time, so dealing with these threats often requires very specialist skills. Schools should consider cyber cover as part of a holistic solution to the problem. Having the right cover in place alongside, alongside staff training and an internal IT solution is vital.” Nicholas added.

Ecclesiastical offers the following advice to parents:

  • Check the email for inconsistencies and grammatical errors such as a misspelt school name, slightly different email address or poor quality logo or images.
  • Always verify a request for payment from your child’s school using the official contact channels. Do not call the numbers on the email, as these will often belong to the criminals. 
  • Do not reply to the email – delete it and notify the school immediately



1. Research was undertaken by FWD Research on behalf of Ecclesiastical Insurance. 120 education establishments were interviewed by telephone during November and December 2017.