Kyanite Blue
Threat Intelligence

Business Email Compromise and Invoice Fraud Targeting Schools and Multi-Academy Trusts

Business email compromise (BEC) — where attackers use compromised or spoofed email accounts to redirect payments, harvest credentials, or commit fraud — is an increasing threat to UK schools and multi-academy trusts. Finance officers processing supplier payments, payroll, and contractor invoices are specifically targeted. Attackers impersonate headteachers, finance directors, or trusted suppliers to request urgent payment changes. The financial impact on schools — which operate on tight budgets with limited reserves — can be devastating. MAT finance teams processing payments across multiple schools are particularly high-value targets.

UK schools and MATs have lost tens of thousands of pounds to BEC fraud — finance officers are targeted with urgent payment requests impersonating senior leaders and suppliers.

How BEC Attacks Target Schools

BEC attacks on schools follow recognisable patterns:

  • CEO/headteacher impersonation: email appearing to come from the headteacher requesting urgent supplier payment
  • Supplier impersonation: email appearing to come from a contractor or EdTech vendor requesting bank account change for next payment
  • Compromised account fraud: attacker gains access to a real staff email account and uses it to make fraudulent requests
  • Invoice manipulation: legitimate invoice PDF modified with attacker's bank details
  • Payroll fraud: request to change a staff member's bank account details for payroll

Why Schools Are Vulnerable to BEC

Several factors make schools particularly vulnerable to BEC attacks. Finance functions are often small — one or two staff handling all financial transactions — limiting the opportunity for segregation of duties and dual authorisation. Headteacher authority is significant, meaning requests appearing to come from senior leaders carry weight. Supplier relationships may involve infrequent payments where changed bank details go unquestioned. MATs processing centralised payments across many schools create high-value targets — a successful attack on a MAT finance function could redirect payments totalling hundreds of thousands of pounds.

Prevention: Controls That Stop BEC

The controls that most effectively prevent BEC losses in education are:

  • Dual authorisation for all payments above a threshold — no single person can authorise significant payments
  • Phone verification: call a known number (not one from the requesting email) to verify any bank account change
  • MFA on all email accounts — prevents attacker access to accounts used to send fraudulent requests
  • Email authentication (DMARC, DKIM, SPF) — prevents spoofing of the school's own domain
  • Staff training: finance staff should know the signs of BEC and follow verification procedures
  • Clear payment procedures: documented process that does not allow exceptions for "urgent" requests

What to Do If Your School Has Been a BEC Victim

If a fraudulent payment has been made, act immediately. Contact your bank to request a payment recall — speed is critical, as funds may be moved quickly. Report to Action Fraud (0300 123 2040) and request a crime reference number. Notify your insurance provider. If email accounts have been compromised, reset passwords and enable MFA. Document all actions for potential ICO notification and insurance claim. The National Fraud Intelligence Bureau can sometimes facilitate payment recovery through banking relationships if alerted quickly.

Frequently Asked Questions

How can a school tell if an email is a BEC attempt?

Warning signs include: an unusual request for payment or bank account change; urgency or pressure to act quickly; a request to bypass normal procedures; email address that looks similar to but is not exactly the real address; or a request from a senior leader that is out of character. Any payment instruction or bank account change request should be verified by calling the person on a known phone number — never use contact details from the suspicious email.

Can schools recover money lost to BEC fraud?

Recovery is possible but not guaranteed. The faster you act, the better the chance of recovery. Contact your bank immediately to request a payment recall. Report to Action Fraud. If you have cyber or crime insurance, the policy may cover the loss. UK banks have a voluntary code (the Authorised Push Payment Fraud code) that may provide some reimbursement — though schools (as business customers) have different protections from consumers.

Is BEC covered by school cyber insurance?

Coverage varies by policy. Some cyber insurance policies cover social engineering fraud (which includes BEC) as a specific extension — check your policy wording carefully. Standard crime insurance may also provide coverage. Schools should review their insurance arrangements with their broker to ensure BEC/social engineering losses are covered, and understand any conditions (such as dual authorisation requirements) that must be in place for a claim to succeed.

Protect your school's finance function from BEC fraud

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.

Get in touch

Featured Product

Coro

Learn more

Ready to secure your iGaming operation?

MGA-licensed operators across Malta trust Kyanite Blue.

Book a call Browse all guides