MFL Case Study: Funds transfer fraud, a lesson learnt!

In the last article from CSD partner, MFL, its team briefly spoke about Cybercrime and how it is happening right under our noses. This time, Senior Broker at MFL, Trudy Kelly, shares a real-life case study of what can happen if your staff training or IT security isn’t up to date.

Whilst the business in question was a school (so not a design business), it hits home how an innocent act by a staff member can lead to unintended consequences.

What is Funds transfer fraud?

Funds transfer fraud is a type of Social Engineering whereby fraudsters dupe innocent businesses and individuals into transferring what they believe are legitimate payments to fraudulent bank accounts – is becoming an increasingly common problem for most modern organisations.

However, it’s not always a business that can suffer a loss in this way, but its customers too. Customer payment fraud describes a situation in which a business is impersonated by a fraudster, who then dupes some of the business’s customers into making payments to a fraudulent account.

One business affected by such a loss was a private, tuition-paying school responsible for educating 11-to-18-year-olds. The school in question has boarding facilities and attracts students from many different countries worldwide.

Lack of multi-factor authentication lets fraudsters in

The scam began when the school’s bursar, the individual responsible for managing the school’s financial affairs, fell for a credential phishing email. Malicious actors use credential phishing emails to try and trick individuals into voluntarily handing over their login details, typically by directing them to a link that takes them through to a fake login page.

In this case, the bursar received an email from what appeared to be Microsoft, stating that if he wanted to continue to use the email account without interruption, he would have to validate his account details online. Not wanting to face any disruption to his work, the bursar clicked on the link provided, which took him through to an authentic-looking landing page where he inputted his email login details and gave no further thought to the matter.

Despite appearances, the landing page was fake, and the bursar had unwittingly volunteered his email login details to a fraudster. What’s more, his email account didn’t have multi- factor authentication in place, so the fraudster could access the account remotely and gather valuable information. In particular, the fraudster could locate a spreadsheet stored in one of the bursar’s email folders containing a list of email addresses for the parents of current students, typically used for distributing general messages and updates from the school.

Multi-factor authentication (MFA) is an authentication process used to ensure that a person is whom they say they are by requiring a minimum of two pieces of unique data corroborating their identity. Most cases of business email compromise could be prevented by implementing it.

Scam initiated with offer of discount

Having spotted an opportunity, the fraudster moved on to the next stage of their scam. Their first step was to set up an email address that looked substantially similar to the bursar’s, but with the addition of an extra letter to the address line. So instead of saying, it became

The next step was to carefully select which parents to target. Rather than adopting a scattergun approach and emailing every parent on the list, the fraudster specifically selected parents based overseas. This was presumably done not only on the basis that such parents are more likely to be paying both tuition and boarding costs (thereby making them more lucrative targets), but also in the belief that overseas parents might be more likely to fall for the scam and less likely to raise the alarm to the school.

With the targets selected, the fraudster sent out an email relating to the payment of school fees. The email began by outlining what the annual fees for tuition and boarding amounted to, but then stated that parents would be eligible for a discount of up to 25% if they paid for the spring and summer terms in one lump sum as opposed to paying separately at the start of each term. To add a sense of urgency to make a payment, the email then went on to say that there was a deadline for payment in place, after which the discount would expire. Social engineering attacks rely on manipulating and exploiting typical human behaviours, and in this case, the fraudster was clearly aware that the scam would have a better chance of success if the parents were provided with a financial incentive to make the payment within a set time frame.

In addition, the email was well thought through and included a number of features to make it appear more authentic. For example, not only did the fraudster use proper spelling and grammar and include the bursar’s genuine email signature, but he also went on to state that if the student was unable to complete the academic year for whatever reason, then the fees would be reimbursed on a pro-rata basis.

School’s security breach puts parents out of pocket

Unfortunately, this offer proved to be too tempting for some and six parents fell for the scam, transferring the tuition and boarding fees over to the fraudulent account details provided in the email. With tuition and boarding fees at the school costing some £10,050 per term, the amount paid out by each parent at a 25% discount amounted to some £15,075.

It was only after a few days that one of the parents that had received the email forwarded it to one of the school’s administrators to check the validity of the discount offer that the school became aware of the scam. The school immediately notified all parents about the scam and urged them to be aware of any suspicious emails that appeared to have come from the school.

Of the six parents affected, just two were able to get their money back

The parents that fell for the scam reported the incident to their respective banks to see if the transaction could be either frozen or reversed, with mixed results. Of the six parents affected, just two were able to get their money back, with the rest left out of pocket to the tune of £60,300 collectively.

As it was a compromise of one of the school’s email accounts that had allowed the fraudster to gain access to the parents’ email addresses, the school felt morally obliged to reimburse those parents affected by the fraud. Fortunately, the school was then able to recoup most of this loss under the cybercrime section of its policy with CFC, which provides cover for customer payment fraud up to a maximum of £50,000.

A lesson learned

This case study highlights the need for customer payment fraud cover in cyber policies. Many cyber policies with crime sections will only provide cover for losses that directly affect a policyholder. But in this instance, it wasn’t the school that suffered a direct loss but its customers. However, because it was a compromise of the school’s computer systems that allowed the attack to be carried out, the school felt duty-bound to reimburse the parents affected.

With more and more financial transactions being carried out electronically and with more and more cybercriminals looking to intercept them, the chances of a business’s customers falling for scams of this nature are only increasing and it’s usually the business that has been impersonated that will take the blame. That’s why it’s a good idea to check your cyber policy for customer payment fraud cover.

MFL can review your current Cyber Cover policy for you or provide a quotation for a new policy, where premiums can start from as little as £10 per month.

Categories: Resources