As quoted in:
De La Rose, Shawna, and Modan, Naaz. “Texas district loses $2.3M to phishing scam.” Education Dive. 14 January 2020.
“While schools are increasingly becoming victim to cybercrime, scams involving this large amount of money is not something Doug Levin, a K-12 cybersecurity expert, said he ‘sees everyday.’ However, Levin points out that the nature of this specific phishing attack ‘has been repeated at school districts across the country and has been ongoing for years.’
‘It has resulted in some of the single largest-dollar-value scams affecting school districts,’ Levin told Education Dive, adding he has recorded at least a dozen similar attacks in his database since 2016, including a recent $3.7 million scam targeting Scott County Schools in Kentucky. ‘The pattern seems nearly identical.’
In those cases, large deals between school districts and vendors were targeted by scams specifically engineered to change bank routing information.”
While school districts have a limited ability to shield the value of contracts and the names of contractors with whom they are working, they need to implement controls to guard against unauthorized changes to bank account routing information. The single best safeguard for these type of attacks is to use an out-of-band communication channel to verify requests to change bank routing information. It may also be helpful to force school business staff to rely on multi-factor authentication to log-in to sensitive IT systems, including business email and financial/accounting systems.