Article by Angela Nielsen, FACTS
Families trust their schools with a great deal of sensitive information, including home addresses, medical records and financial information. A school office has locks on its doors, safes for sensitive paperwork, and secure networks for storing and managing digital information. But as school employees moved their operations out of the school office and its infrastructure and into their homes, new security challenges arose.
Fraud and Risk in a Digital World
According to Bitdefender, malicious attacks on stores of personal and financial data increased by 475% in March 2020, with education and research among the top ten affected industries. These attacks can take the form of phishing emails that appear to come from organizations like the World Health Organization, which we rely on to keep us informed and provide guidance.
Financial fraudsters are constantly changing their focus. In the card space, point-of-sale (POS) devices have become more secure as chip readers and contactless payments have become available, tightening the security of in-person payments. As consumers shift increasingly to online commerce, fraudsters have shifted their energies as well. American consumers have long been moving their buying and financial activities online, and COVID-19 has accelerated this trend, pushing the “digital shift” ahead of previous projections and highlighting the importance of securing financial data collected and stored online (see sidebar for more).
Now that schools’ relationships with families have shifted more heavily than ever into the digital realm, school operations teams are responsible for keeping that data secure. Schools can take several basic steps to remain trusted stewards of families’ data and to avoid fraud and the reputational risk that comes with it.
Where Is Financial Data Held?
Certain types of information act as a “key” to transacting on people’s accounts: the routing and account numbers of a bank account, and the primary account number (PAN) and expiration date of a card. Ideally, this information stays out of a school’s data ecosystem entirely and is handled in secure platforms. If your school does hold this kind of data, it is important to understand where it exists across your school and how it is handled. For example, checks contain the routing and account number for a bank account; anywhere this information is visible puts the account holder’s data at risk, since it can be used to initiate ACH transactions.
To mitigate this risk, have checks sent to a secure lockbox or handled by a trusted staff member in a secure place. If checks are kept at someone’s home, make sure you have a safe-handling policy that the person has agreed to. This matters for both family account and school account information. Most schools place debit blocks on their own accounts to stop unknown parties from drawing on them. With fraudsters so active these days, it may be a good time to revisit who has access to your school’s bank account. Make sure your website does not list your wire number, to curb wire fraud.
For credit cards, the primary account number (PAN), expiration date, and CVV should not be written down. While this may seem like common sense, in the absence of in-person interactions you may be taking payments from parents over the phone and collecting information this way. Rather than writing these numbers down, enter them directly into a secure device, or direct the consumer to enter their information directly into a secure system. The Payment Card Industry Data Security Standards Council has resources and guidance available to help you manage this information.
If this information must be written down, it is important that it is destroyed as quickly as possible. Keeping family financial data on file, or written down, may seem like a convenience for a family so they do not have to provide the information multiple times, but the risk far outweighs the convenience. A compromised card requires the consumer to cancel it and wait for a new card to be issued, and a compromised bank account requires closing that depository account and opening a whole new one.
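The two paragraphs above ask a school to know where card and bank account data exists and to get rid of anything written down. One way to find such data in exported documents, call notes or shared drives is to scan for digit runs that pass the checksums real values carry: the Luhn check for card PANs and the ABA checksum for nine-digit routing numbers. The scanner below is an added example written for this article, not FACTS code; the sample notes, file name and the test-pattern values in it are constructed, and only the last four digits are reported so the report itself does not become another copy of the data.

```python
import re
from typing import List, NamedTuple

# Constructed sample of the kind of "written down" data the article warns about.
# These are test-pattern values, not real account data.
SAMPLE_NOTES = """\
Re-enrollment call notes (constructed sample, not real data)
Mrs. Smith, card 4111-1111-1111-1111 exp 09/27 CVV 123
Tuition check: routing 123456780 acct ending 4521
Invoice #1234567890123456 issued 2020-05-01
Call back at 555-0100
"""


class Finding(NamedTuple):
    source: str     # file or document name
    line_no: int    # 1-based line number within the document
    kind: str       # what was found
    masked: str     # value with all but the last four digits hidden


# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Candidate ABA routing numbers: exactly nine digits.
ROUTING_RE = re.compile(r"\b\d{9}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by card primary account numbers (PANs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def aba_ok(digits: str) -> bool:
    """ABA routing checksum: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) must be 0 mod 10."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    d = [int(c) for c in digits]
    weighted = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return weighted % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the finding can be reported safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(source: str, text: str) -> List[Finding]:
    """Return every checksum-valid card PAN or routing number found in text."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):  # drops invoice numbers and other digit runs
                findings.append(Finding(source, line_no, "card PAN", mask(digits)))
        for m in ROUTING_RE.finditer(line):
            if aba_ok(m.group()):
                findings.append(Finding(source, line_no, "ABA routing number", mask(m.group())))
    return findings


if __name__ == "__main__":
    for f in scan_text("call-notes.txt", SAMPLE_NOTES):
        print(f"{f.source}:{f.line_no}: {f.kind} {f.masked}")
```

Run against the sample, the scanner reports the card on line 2 and the routing number on line 3 and ignores the invoice number on line 4, which is sixteen digits long but fails the Luhn check. Bank account numbers carry no checksum, so they cannot be found this way; they still need to be traced by process, as the article describes.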
Security in Any Environment
Schools invest significantly in network security and firewalls. While school employees are working from home, keeping family data safe requires protocols for home networks, including making sure employees aren’t using the default passwords for their routers or Wi-Fi networks. If possible, using a VPN or a separate network provides the most security, especially since home networks are often shared with unsecured “Internet of Things” devices like smart speakers, thermostats and other appliances.
Make sure access to all systems is through strong, complex passwords, and that passwords aren’t written down or reused. Also make sure that when employees take and post pictures of their workstation to social media, for example, they don’t have credentials or other sensitive information in plain sight, where a fraudster could read it with image-enhancement technology.
Point-of-sale machines are often left vulnerable because their default passwords are never changed. Whether in or out of the office, changing these passwords is an important best practice for keeping card data secure.
As employees move back into the office, make sure any extra access you granted to various systems to provide backup coverage is rolled back in line with how you are now doing business.
Talk to your business partners; many schools rely on third parties to help manage financial data for both payables and receivables. Reach out to these partners and ensure their processes and procedures are safe and secure.
Refunds and Business Email Compromise
Interrupted programs may have led to an increase in refunds during COVID-19. When receiving requests for refunds, make sure you are certain of the recipient. Double- and triple-check email addresses to ensure that the sender is known to you. Scammers will often mimic a legitimate email address with a single character or letter changed. Be wary of requests that express extreme urgency. If the scenario feels off, trust your gut and find another point of contact to verify the request.
Aside from refunds on family accounts, watch out for any vendor or partner relationships that send you updated account information, or urgent emails from executive management requesting payments in a hurry. Have procedures in place for changes to payables accounts and for emergency payments. A sample procedure could require that both an email and a phone call have occurred so you can confirm the request is valid. Fraudsters thrive in chaos. Exceptions to rules and norms abound in the age of COVID-19, but make sure you discuss these procedures with your coworkers to protect your assets and the security of your school and school families.
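The advice above to double- and triple-check sender addresses can be partly automated: compare each incoming sender against the addresses the school already corresponds with and flag anything that is one character away, that only matches once look-alike characters (such as “rn” for “m”) are folded together, or that reuses a known person’s display name with an unfamiliar address. The triage function below is an added example written for this article, not FACTS code; the contact list, the `.example` domains and the sender addresses it checks are constructed placeholders. A “lookalike” verdict is a cue to pick up the phone, as the article recommends, not an automatic block.

```python
from typing import Dict, Optional, Tuple

# Constructed allow-list of addresses the school already corresponds with.
# Hypothetical values; a real list would come from the school's own records.
KNOWN_CONTACTS: Dict[str, str] = {
    "ap@acme-uniforms.example": "Acme Uniforms (vendor)",
    "jane.doe@parentmail.example": "Jane Doe (parent)",
    "principal@ourschool.example": "Head of School",
}

# Character pairs that look alike in many fonts. Both addresses are mapped to
# one form before comparison so that "acrne" and "acme" compare equal.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l")]


def normalize(addr: str) -> str:
    """Lower-case the address and fold look-alike character sequences."""
    addr = addr.strip().lower()
    for lookalike, plain in CONFUSABLES:
        addr = addr.replace(lookalike, plain)
    return addr


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def split_address(addr: str) -> Tuple[str, str]:
    """Return (mailbox, domain) for an email address."""
    local, _, domain = addr.rpartition("@")
    return local, domain


def classify_sender(sender: str, display_name: Optional[str] = None,
                    known: Dict[str, str] = KNOWN_CONTACTS
                    ) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (verdict, matched_known_address, reason).

    verdict is "known" (exact match), "lookalike" (a near miss that deserves a
    phone call before any money moves) or "unknown".
    """
    s = sender.strip().lower()
    if s in known:
        return ("known", s, None)
    s_local, s_domain = split_address(s)
    s_norm = normalize(s)
    for k in known:
        if normalize(k) == s_norm:
            return ("lookalike", k, "confusable characters substituted")
        k_local, k_domain = split_address(k)
        if s_domain != k_domain and edit_distance(s_domain, k_domain) <= 1:
            return ("lookalike", k, "domain differs by one character")
        if s_domain == k_domain and edit_distance(s_local, k_local) <= 1:
            return ("lookalike", k, "mailbox differs by one character")
    if display_name:
        dn = display_name.strip().lower()
        for k, name in known.items():
            if dn and dn in name.lower():
                return ("lookalike", k,
                        "display name matches a known contact but the address does not")
    return ("unknown", None, None)


if __name__ == "__main__":
    # Constructed senders: one genuine, three near misses, one simply new.
    checks = [
        ("ap@acme-uniforms.example", None),
        ("ap@acrne-uniforms.example", None),          # rn instead of m
        ("ap@acme-uniform.example", None),            # one letter dropped
        ("accounts@billing-portal.example", "Head of School"),
        ("newparent@parentmail.example", None),
    ]
    for addr, name in checks:
        print(addr, "->", classify_sender(addr, name))
```

The one-character threshold matches the pattern the article describes; a transposed pair of letters counts as two edits here and would need a wider threshold, at the cost of more false alarms on a domain with many legitimate mailboxes.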
Digital and remote operations are the way of the future. Keeping security and good data management front of mind can help you provide modern conveniences to your families and office staff while reducing the likelihood of a security breach or loss of data integrity. Know what data is sensitive, where it exists, and how it is handled. Review or create policies that give your school a framework for managing network security and access to the various systems across your school. Agree on procedures for disbursing money to families or to other partners or vendors. Awareness and planning can go a long way in the fight against fraud.