An email phishing scam targeting schools is currently being reported. This scam has been around for a number of years, but appears to be becoming more common during lockdown.
What is so engaging about these emails is that not only do they purport to be sent by someone in authority, but they also sound entirely reasonable. In particular, the phrase “Today if possible but if not then we can wait till Monday morning” suggests urgency, but also that the Head is being entirely reasonable.
While staff are working remotely, and may be more isolated and under greater pressure than usual, they may be more susceptible to this type of phishing scam. It is worth reminding all school email users, particularly where there is a financial or data transaction involved, to always check verbally via a known contact number before sending anything of value.
There are reports of this email phishing scam going back to 2018, but in recent weeks there has been an increase in incidents. Whether this is just people paying more attention or the scammers deliberately targeting schools to take advantage of the current disruption is not clear, but it is worth making staff aware of this as it appears to be becoming increasingly common.
In all reported cases an email is sent by the scammer to either a generic school account or someone high up in the organisation or finance department. While this appears to be highly targeted, the number and variety of replies suggest that there is human interaction at some point in the process.
The first email in the chain is sent from a free email service, making the source untraceable. Although many different email addresses have been reported, in all the cases I’ve reviewed it has been sent from a Gmail account with an address formatted in the following way:
Email format: headteacher + five-digit number + @gmail.com.
While the email address is clearly not correct, the name of the headteacher displayed in the email, or an abbreviation of it, usually is correct, and it is very easy to miss this red flag.
The initial phishing email most often takes this format:
“Head Teacher’s Name” <firstname.lastname@example.org>
Are you on your computer at the moment ?
“Head Teacher’s Name”
This initial email is almost certainly automated, but if the recipient replies it appears that either a human takes over the response or one of a variety of responses is selected from a predefined list:
- We need to make a payment to a supplier . Can you find out from anyone in Finance how we can have this sorted out (BACs or Faster payment)
- I need you to set up a BACs or faster payment to a supplier. When can you have it done ?
- Today if possible but if not then we can wait till Monday morning.
- I’ll send you all the necessary paperwork for your records. I need you to set the payment up as a faster payment for today.
It also appears that following the initial email the scammers have a way to spoof the email address of the real contact. In some cases, the visible email address is switched from email@example.com to the actual Headteacher’s email address. If you check the email header information, however, the firstname.lastname@example.org address is shown.
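The checks described above (a correct headteacher name on a free Gmail address in the reported headteacher+five-digit format, a visible address that no longer matches what the headers say, and the BACS/faster-payment lure wording from the reply list) can be turned into a simple triage script that a school's IT lead can run over a saved message. The following is an added example, not code from the original post; the staff list, school domain, addresses and the three messages are all constructed for it, and it models the "spoofed" follow-up as a Reply-To header that differs from the From address, which is one common way the discrepancy in the headers shows up.

```python
"""Triage checks for the "Are you on your computer?" school payment scam.

Added example using only the Python standard library. Every name, address
and message below is constructed; the school domain is hypothetical.
"""
import email
import re
from email.message import Message
from email.utils import parseaddr

# Constructed: senior staff whose names the scam impersonates, mapped to
# their real school address (hypothetical domain).
KNOWN_STAFF = {
    "jane smith": "j.smith@exampleschool.sch.uk",
}

# Free webmail domains a head would not use for official school business.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# Sender format reported in the post: "headteacher" + five digits + @gmail.com.
SCAM_ADDRESS_RE = re.compile(r"^headteacher\d{5}@gmail\.com$", re.IGNORECASE)

# Lure wording taken from the opening email and the follow-up replies.
LURE_PHRASES = (
    "on your computer at the moment",
    "bacs",
    "faster payment",
    "payment to a supplier",
    "payment confirmation",
)


def _match_known_staff(display_name: str):
    """Return the real address of the staff member whose name the display
    name matches. A surname-only match covers abbreviated names such as
    "J Smith" or "Mrs Smith"."""
    tokens = re.findall(r"[a-z]+", display_name.lower())
    if not tokens:
        return None
    for name, addr in KNOWN_STAFF.items():
        name_tokens = name.split()
        if tokens == name_tokens or tokens[-1] == name_tokens[-1]:
            return addr
    return None


def _plain_text(msg: Message) -> str:
    """Collect the text/plain body (single-part or multipart), lower-cased."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks).lower()


def triage(raw_message: str) -> dict:
    """Run the indicator checks over one RFC 822 message and report why
    it looks suspicious (an empty reason list means nothing fired)."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_to = from_addr.lower(), reply_to.lower()
    domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    body = _plain_text(msg)

    reasons = []
    known = _match_known_staff(display_name)
    if known and from_addr != known:
        reasons.append(f"display name matches {known} but sender is {from_addr}")
    if known and domain in FREE_MAIL_DOMAINS:
        reasons.append("senior staff name on a free webmail domain")
    if SCAM_ADDRESS_RE.match(from_addr):
        reasons.append("sender matches headteacher+5digits@gmail.com pattern")
    if reply_to and reply_to != from_addr:
        reasons.append(f"Reply-To {reply_to} differs from From {from_addr}")
    hits = [p for p in LURE_PHRASES if p in body]
    if hits:
        reasons.append("lure phrases: " + ", ".join(hits))
    return {"suspicious": bool(reasons), "reasons": reasons,
            "from": from_addr, "reply_to": reply_to}


# Constructed sample messages modelled on the post's description.
SAMPLE_SCAM = """From: "Jane Smith" <headteacher48213@gmail.com>
To: finance@exampleschool.sch.uk
Subject: Quick question
Content-Type: text/plain; charset=utf-8

Are you on your computer at the moment ?

Jane Smith
"""

SAMPLE_SPOOFED = """From: "Jane Smith" <j.smith@exampleschool.sch.uk>
Reply-To: headteacher48213@gmail.com
To: finance@exampleschool.sch.uk
Subject: Re: Quick question
Content-Type: text/plain; charset=utf-8

I need you to set up a BACs or faster payment to a supplier. When can you have it done ?
"""

SAMPLE_LEGIT = """From: "Jane Smith" <j.smith@exampleschool.sch.uk>
To: finance@exampleschool.sch.uk
Subject: Governors meeting
Content-Type: text/plain; charset=utf-8

Could you send me the agenda for Thursday's governors meeting?
"""

if __name__ == "__main__":
    for label, sample in (("scam", SAMPLE_SCAM), ("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample))
```

The surname-only match is deliberately loose so that "Mrs Smith" or "J Smith" still trips the display-name check, which means a common surname will occasionally flag a genuine external sender; that is the right trade-off for a finance mailbox, where the cost of a false positive is a phone call to a known number. The Reply-To comparison is only one of the places the real sender can surface, so a message that passes every check here still warrants the verbal confirmation the post recommends before any payment is set up.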
In cases where the recipient has continued the conversation, it eventually results in the scammer sending banking information for a payment to be made. In the cases I’ve seen the company Norish Ltd is used, which appears to be a legitimate UK based company, but I assume is unrelated to this scam.
Sort Code: 04-**-**
Account Number: 2223****
Send me the payment confirmation once its done. I’ll send you the invoice later.
Reporting Phishing Email Scams
UK schools should report all phishing attempts to Action Fraud. Make sure your school has an account set up ready in case you need to make a report. When you make a report, Action Fraud will pass the information on to the National Cyber Security Centre (NCSC), who will analyse the suspect email and any websites it links to. They’ll use any additional information you’ve provided to look for and monitor suspicious activity.
If they discover activity that they believe is malicious, they may:
- Seek to block the address the email came from, so it can no longer send emails
- Work with hosting companies to remove links to malicious websites
- Raise awareness of commonly reported suspicious emails and methods used (via partners)
Have you or someone in your school received this email? If so, I’d be interested in finding out more and creating a list of potential responses from the scammer to create a searchable list. Share your experiences in the comments.