Getting Ready for a New Year

Summertime is a busy time for school districts as they prepare to welcome teachers and students back for another year: refreshing equipment, setting up new tools, and maybe even creating a new tech plan. What about on the data side? What can you do to have a more successful year in terms of cyber security?

Start by focusing on departments most likely to be affected by the latest scams. Business E-mail Compromise (BEC) is affecting school districts by scamming them out of funds or sensitive information. BEC happens when a scammer impersonates workplace personnel and sends an email that directs an employee to wire money or send sensitive or valuable information.

Purchasing and Accounts Payable

For Purchasing and Accounts Payable, check with supervisors about how their department receives and processes payment requests.

If the Superintendent directs them to pay a vendor (especially via wire transfer) through e-mail, what verification method is used to ensure the legitimacy of the request?

  • EX: Talk to the Superintendent in person or by a known phone number.
  • Suggestion: Create a department-level policy directing NO requests for payment be made by e-mail by ANYONE unless A) it’s verifiable through purchase tracking software or B) it’s followed up by a known phone number.
  • Awareness & Training:
    • Provide examples of recent school district wire transfer fraud cases to the department supervisor who then distributes to the team.
    • Supervisor follows up with policy reminder.

If a vendor requests a change in bank routing information through e-mail (or perhaps by phone), what verification method is used to ensure the legitimacy of the request?

  • EX: Call the vendor at a previously known number to verify the routing change request.
  • Suggestion: Create a department-level policy directing ALL requests to change bank routing information (whether made by email or phone) be verified by contacting the point-of-contact at a known number.
  • Awareness & Training:
    • Similar to the above scenario, provide examples of phishing emails where scammers have impersonated vendors and caused financial loss for a district.
    • Supervisor follows up with policy reminder.

These are two avenues through which districts (and many other types of businesses or public entities) are being successfully scammed out of funds.

Need stories to share about BEC? Check out our latest Cyber Roundups.

HR/Payroll

For HR/Payroll, check with supervisors about how their department handles requests for employee payroll data.

Last school year and this past spring, school districts were targeted for employee W-2 information, which can be used in identity theft and tax refund fraud. Listings of victim districts can be found here: https://www.edtechstrategies.com/blog/irs-phishing/.

First, transmitting employee payroll data via unencrypted e-mail puts sensitive data at risk and should not be done. Second, e-mail requests for employee payroll/W-2 data should be verified (via phone or in-person) before providing such information.

Awareness & Training

  • Provide examples of victim districts
  • Develop a response plan
  • Test the response plan by walking through the scenario; follow up by having the supervisor send a mock phishing e-mail
  • Send reminders just before tax season, starting in December and following up in January, February, and March!

Superintendent and Board

Lastly, include the Superintendent and district Board members in awareness and training. These scams are taking school districts for thousands of dollars, but awareness and strong procedures can prevent it from happening in your district.
