Newcastle Royal Grammar School has been targeted with a phishing attack in which fraudulent emails sent from a school email account offered parents a 25% discount on fees for paying quickly via the Bitcoin cryptocurrency.
The emails, which included spelling, grammatical and punctuation errors, were sent from the address of the school bursar, who is responsible for fees. The school reported the attack to the police and the Information Commissioner’s Office (ICO), as required under GDPR. The school is also working with the company which provides its email systems, iSAMS, to establish exactly what happened.
The ICO has said that while it will assess the phishing scam as per the information provided, it is also aware of “other phishing type attacks that have been targeted towards schools”.
Any organisation dealing with sensitive personal information, including schools and universities, is at a higher risk of being targeted. The NCSC has published 15 good practice measures for the protection of bulk personal data.
Royal Grammar School has made clear that it would never ask for money or bank details in this way. In order to mitigate the risk of phishing attacks, people should be vigilant about any message that purports to be from an organisation they deal with – whether schools, banks or businesses. This is particularly important when emails ask for personal information or banking details, or contain unexpected mistakes, attachments or links.