Wembley Multi-Academy Trust Scammed Out of £385,000 in Cyber Attack.
Wembley Multi-Academy Trust (WMAT) has fallen victim to a cyber scam, losing more than £385,000 after fraudsters posing as a construction company tricked the trust into making payments to the wrong bank account. Police have launched an investigation following the incident, which saw four payments made to the attackers in the past financial year.
The payments, intended for building work, were directed to an incorrect bank account after the supplier’s email was “tampered with,” causing the payments to be diverted. This incident has highlighted the risks of cyber fraud, especially in educational institutions.
Micon Metcalfe, a school business expert, commented on the situation, calling it a “warning and reminder” of the dangers posed by fraudsters. She added, “Anybody can be susceptible to this type of fraud. The only way to avoid it… [is] to be very vigilant around your controls for changing bank account details.”
Metcalfe went on to advise that schools and trusts should establish “a well-documented process before making changes to bank accounts,” and recommended that suppliers double-check their details before making any payments.
A Metropolitan Police spokesperson confirmed that they received a report of fraud from a trust in Brent in April last year. The investigation is ongoing.
According to the accounts for WMAT, which operates three schools in northwest London, the trust made four payments totalling £385,532 during the 2022-23 financial year for construction work. These payments were made to the incorrect account due to tampering with the supplier’s email.
Metcalfe pointed out that victims of such scams may be able to recover the stolen funds through insurance, although she noted, “it’s quite challenging.”
The number of cyber security incidents in education has been on the rise, with figures from the Information Commissioner’s Office (ICO) showing that incidents in the education and childcare sectors have reached a five-year high. In 2023, 353 incidents were reported, the highest number since 2019. In the first half of this year alone, 166 incidents were reported.
A survey by Teacher Tapp in September revealed that one in three secondary schools had experienced cyber-attacks in the past year. One anonymous teacher shared their experience of the chaos caused by a cyber attack at their school just before results day. The attack left staff “unable to access anything,” preventing them from preparing for the school year. Upon returning to school, they found that they “could not use the desktops and there were not enough laptops.”
Phishing attacks were the most common type of cyber threat, affecting 23 percent of secondary schools, according to the survey. The north-west region was the worst hit, with 40 percent of schools reporting cyber issues, compared to 28 percent in the east of England. Nine percent of headteachers described the attacks as “critically damaging,” and about 20 percent of schools were unable to recover immediately, with 4 percent taking more than half a term to get back to normal.
The survey also revealed that 33 percent of secondary teachers had not received any cyber-security training this year, further highlighting the need for increased awareness and preparation for such threats in the education sector.
Cyber fraud and scams targeting schools have become an increasing concern in the UK in recent years, with numerous high-profile incidents reported. Here are a few notable cases:
- Hackney Education (2020)
Hackney Education, which supports schools in the London borough of Hackney, was targeted by a cyber-attack where fraudsters used phishing techniques to compromise email accounts. The attackers were able to send fake payment instructions to schools, resulting in a significant financial loss. This scam highlighted the risks posed by email account compromises in schools.
- Lancashire County Council (2019)
In 2019, Lancashire County Council was targeted by a cyber fraud ring that posed as legitimate suppliers to various schools. The scammers altered bank account details for construction services and managed to divert large sums of money before being discovered. As a result, several schools in the area were defrauded.
- Bournemouth University (2020)
Bournemouth University was one of the victims of a sophisticated cyber fraud scheme, where scammers posed as suppliers of software and other services. The fraudsters tricked the university into making payments to fraudulent bank accounts, claiming to be affiliated vendors.
- Manchester Schools Cyber-Attack (2020)
A cyber-attack on several schools in Manchester saw data breaches and financial frauds take place. The cybercriminals targeted email systems and used phishing attacks to redirect payments meant for school activities and projects. This attack raised awareness of the vulnerabilities in school payment systems.
- West Sussex Schools Cyber Fraud (2018)
In West Sussex, several schools were affected by a cyber scam involving fake invoices for IT equipment. The fraudsters hacked into the schools’ email accounts and used their legitimate communication channels to issue false invoices for tech purchases. The scam resulted in losses of thousands of pounds.
- UK Primary School Phishing Scam (2021)
A primary school in the UK fell victim to a phishing scam in 2021, where staff members were targeted by cybercriminals impersonating the school’s headteacher. The scammers requested urgent transfers of funds for supposed emergency costs. The fraudsters managed to deceive school administrators into making a payment before the scam was identified.
These incidents are part of a broader trend of rising cybercrime targeting schools, particularly through phishing, email tampering, and fraudulent invoicing schemes. The UK education sector has become a frequent target for cybercriminals due to the increasing reliance on digital communication and payments within schools.