While many of us are becoming better at recognising suspicious emails and avoiding harmful links, scammers are also evolving their methods for stealing money from organisations. Unfortunately, early childhood education and care services are not exempt from these sophisticated attacks.
Below are two examples of recent attacks experienced by a community-managed long day care service, and tips on how you can avoid the same thing happening to your service.
Attack #1
In the first attack, the service received emails from an employee who was on leave for a Work Cover claim. There was ongoing correspondence between the service and the employee over several weeks, during which the employee requested that the owed payment be made to a different bank account than the one previously used.
The service paid the money into the new account. The bank then contacted the long day care service after noticing something unusual. At that point, the director texted the employee to confirm the payment had been made and to seek confirmation it was received. The employee responded that no money had been received. It was later discovered that the payment had been made to a cybercriminal’s account. The service is still awaiting confirmation on whether the money can be recovered, and the matter has been referred to the Federal Police.
How hackers intercepted the communication
Hackers had been monitoring the email exchange between the long day care service and the employee. They then created an email address that looked very similar to the original email address and continued the communication, impersonating the employee, to advise of the new, fake bank account.
Attack #2
In the second incident, the service had been corresponding with a landscaper regarding upgrades to their outdoor environment. Once again, cybercriminals had been monitoring the email exchange. Using a nearly identical email address, they fabricated communications between the landscaper and the service. This even included a fake email from the director, urging the landscaper to expedite the design and invoice, to which the landscaper promptly responded!
The cybercriminal, pretending to be the landscaper, then issued the invoice. Cautious after the previous cyber theft involving Work Cover, the service paid only a deposit, with the rest promised for later. However, it soon became clear that the landscaper had not received the payment: it had been sent to the cybercriminal instead.
How hackers intercepted the communication
As in the first attack, the cybercriminal monitored the email exchange and created similar-looking email addresses to take over the correspondence. The invoice issued contained payment details for the cybercriminal’s account instead of the landscaper's.
The service was the victim of a 'man-in-the-middle' cybercrime. A man-in-the-middle attack occurs when an attacker secretly intercepts and alters communications between two parties who believe they are directly communicating with each other.
This type of attack is initiated by the cybercriminal gaining access to the email account of the long day care service or its correspondent. The attacker then impersonates the parties involved using a fake but similar email address, tricking them into making payments to the cybercriminal's bank account.
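For services with IT support, the look-alike address trick described above can be checked automatically. The following is an added example, not part of the original article: it compares an incoming sender address with a list of trusted contacts and flags addresses that are close to, but not exactly, a known one. The contact addresses, function names and similarity threshold are all hypothetical.

```python
import difflib
import unicodedata

# Constructed allow-list of trusted addresses (hypothetical values, lower-case).
KNOWN_CONTACTS = {
    "jane.smith@example-daycare.org.au",
    "accounts@greenleaf-landscapes.example",
}

# Characters commonly swapped so an address looks the same at a glance.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s", "_": "-"})


def skeleton(address: str) -> str:
    """Reduce an address to a form that ignores common look-alike tricks."""
    # NFKD folds accented and full-width characters to their base letters.
    text = unicodedata.normalize("NFKD", address.strip().lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.translate(CONFUSABLES)
    # "rn" reads as "m" and "vv" as "w" in many fonts.
    return text.replace("rn", "m").replace("vv", "w")


def classify_sender(address: str, known=KNOWN_CONTACTS, threshold: float = 0.85):
    """Return (verdict, closest_contact).

    'known'     : exact match with a trusted contact
    'lookalike' : not a match, but nearly identical to one (treat as suspect)
    'unknown'   : no resemblance to any trusted contact
    """
    sender = address.strip().lower()
    if sender in known:
        return "known", sender
    sender_skel = skeleton(sender)
    best, best_score = None, 0.0
    for contact in known:
        score = difflib.SequenceMatcher(None, sender_skel, skeleton(contact)).ratio()
        if score > best_score:
            best, best_score = contact, score
    if best_score >= threshold:
        return "lookalike", best
    return "unknown", None


if __name__ == "__main__":
    # Constructed sender addresses for demonstration.
    for sender in ("jane.smith@examp1e-daycare.org.au", "accounts@greenleaf-landscape.example"):
        print(sender, "->", classify_sender(sender))
```

A "lookalike" result is a prompt to verify by phone before acting on the message, not proof of fraud.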
How the service could have prevented this, and what your service can do to protect itself
There were two key factors that allowed the cybercriminals to commit this crime:
1. The cybercriminals were able to access the email account details of the long day care service.
2. The service relied solely on email for verifying bank details, without double-checking through an external communication channel.
To address the first issue, services can protect their email accounts by:
- Avoiding the use of free public Wi-Fi when accessing email or other sensitive apps requiring passwords.
- Ensuring passwords are difficult to guess, securely stored, and updated regularly.
- Enabling multi-factor authentication for email accounts.
To address the second issue, the person responsible for payments at the service should call the employee or landscaper before processing any payments. New suppliers should always be contacted by phone to verify bank details, and if an existing supplier signals a change in bank details via email, a phone call should be made to confirm.
It’s crucial to use a phone number found on an external source, such as a website, rather than relying on contact details within the email itself.
Further information
The Australian Signals Directorate provides helpful information on how to protect yourself and your organisation from cybercrime, and what to do if your accounts are compromised.
About CELA
Community Early Learning Australia is a not-for-profit organisation with a focus on amplifying the value of early learning for every child across Australia - representing our members and uniting our sector as a force for quality education and care.