How to protect your trust against payment fraud
Learn about what phishing is, what to look out for and how to avoid it in your trust. Create a process for paying invoices and use our template to collect new supplier information.
Phishing is a cyber crime where you're targeted via email, telephone or text message. Someone masquerades as a legitimate institution or person to lure you into providing sensitive data such as:
- Personally identifiable information
- Banking or credit card details
They then use the information to access important accounts and this can result in identity theft or financial loss.
Red flags to look out for
Check for these common signs, which will help you and your colleagues spot an illegitimate email:
- Is the greeting personal? A genuine email will usually address you by name
- Is the message from someone you know but their email address is different? You might receive an email where the name is the same as your friend's but the actual email address is different - look out for these inconsistencies
- Check the grammar and spelling. Sloppy spelling mistakes are a big giveaway (e.g. Pl3ase instead of please)
- Be wary of links in an email, especially if the link takes you to a page where you have to log in with your email address and password. Most companies won't ask you to enter your personal details via an emailed link. If you're at all unsure, don't open the link
- Are they pushing you to act? Don't rush to act, even if the email uses alarming wording like "act fast or risk your money being taken"
- Are they threatening to close your bank account? No bank will close your account without you asking them to
- Is there a prize? Unfortunately, you can't win a prize in a competition you haven't entered - don't fall for it
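For staff who triage a shared finance mailbox, several of these red flags can be checked automatically. The following is an added example, not part of the original article: the contact list, the pressure phrases, the sample messages and the function name `red_flags` are all constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample data: names and addresses your trust already holds.
KNOWN_CONTACTS = {"jane smith": "jane.smith@supplier.example"}
# Constructed list of pressure wording; extend with phrases you see in practice.
PRESSURE_PHRASES = ("act fast", "risk your money", "close your account")

def red_flags(raw_email, recipient_name):
    """Return the red flags found in one raw email (headers plus body)."""
    msg = message_from_string(raw_email, policy=policy.default)
    name, address = parseaddr(str(msg.get("From", "")))
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part else ""
    flags = []
    # Same display name as a known contact, but a different address.
    known = KNOWN_CONTACTS.get(name.strip().lower())
    if known and known != address.lower():
        flags.append("known name, different address")
    # A genuine email will usually address you by name.
    if recipient_name.lower() not in body:
        flags.append("greeting not personal")
    # Links deserve a second look, especially ones leading to a login page.
    if re.search(r"https?://", body):
        flags.append("contains a link")
    # Wording that pushes you to act or threatens your account.
    if any(phrase in body for phrase in PRESSURE_PHRASES):
        flags.append("pushes you to act")
    return flags

# Constructed messages for illustration only.
SPOOFED = """From: Jane Smith <jane.smith@suppl1er.example>
Subject: Updated bank details

Dear customer, act fast or risk your money being taken.
Confirm your login at http://suppl1er.example/login
"""
GENUINE = """From: Jane Smith <jane.smith@supplier.example>
Subject: March invoice

Dear Alex, the March invoice is attached as agreed.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, red_flags(raw, "Alex"))
```

A message with no flags is not proven safe; the check only prioritises which emails need a closer look or a phone call to the sender.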
How to avoid phishing scams
- Keep yourself informed. Stay on top of new phishing techniques. You can visit phishing.org to learn about all the newest phishing scams
- Install an anti-phishing toolbar. Most popular browsers can be customised with these. For example, Google Chrome offers Netcraft, a free extension to protect your browser
- Verify a site's security before making any purchases. Make sure that the site's address begins with https and has a 'closed lock' icon near the address bar
- Check your online accounts regularly. Even if you don't need to, check them and get into the habit of changing your passwords too
- Activate 2-step verification on your online accounts. Many email providers offer more secure login where you enter a password and then a code gets sent to your mobile phone which then gives you access to your account
- Keep your browser up to date. Browsers add security patches regularly, so it's good to update when you see a new version
- Use a firewall. Installing a firewall reduces the chances of a hacker accessing your computer
- Use antivirus software. It'll scan every file which comes through the Internet to your computer. It helps to prevent damage to your system. Remember to keep your software up to date
Create a secure process for paying invoices
In order to protect your school from payment fraud, it's important to have a clear process for paying invoices.
When you receive an invoice from a supplier:
- Check if you're expecting one from the supplier
- Double check the details such as address and bank details
- Look for signs of legitimacy (e.g. logo or headed paper)
- Consider having a school leader sign off all invoices before payment
If a regular supplier sends an invoice or email with updated details (e.g. bank details) call them to confirm the invoice or the email. They won't have a problem with you checking this.
Send new suppliers the request form below. If possible, call them to confirm details to add an extra level of security.
Download our new supplier request form
Consider sending this form to all your suppliers if you've never done this. That way you'll have an up-to-date database of your supplier details.
Share this cheat sheet with your staff
You can put this up in your office or send it to staff across the trust.
For this piece we consulted our in-house financial controller and chief technology officer.
The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence v3.0.