In a live incident?
If you are currently experiencing a business email compromise incident, start following your cyber response plan immediately.
Contact your IT provider for support or reach out to the Risk Protection Agreement (RPA) if you are a member.
If you can’t access your cyber response plan, or you don’t have one, follow these instructions. However, you should adjust them to best fit your school.
Immediate actions
Start following your cyber response plan.
Notify your SLT digital lead, incident lead and safeguarding lead (if applicable).
Contact your IT team or IT service provider, the Risk Protection Agreement (RPA) if you are a member, or your insurance provider (who may assist depending on your agreement).
If you have been financially impacted, contact your bank directly through their official website or phone number.
Report the attack as a crime to Report Fraud if you have identified a fraudulent payment.
Contact the ICO if there is a data breach.
Isolate compromised accounts. Restrict the ability to send emails to prevent further spread and ensure email forwarding has not been set up.
Restrict any additional account privileges. If possible, forcibly sign out of, or end, all logon sessions. If the account has multi-factor authentication in place, ensure no new, unauthorised methods have been added. Reset the password and authentication on any associated accounts.
Check financial systems and data (such as payroll and HR) for any changes to:
- administrative accounts
- user payroll information
- payment amounts
Check that any accounts with key privileges are secure and not compromised. Audit account access and verify only the legitimate user has access to their account.
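The forwarding and multi-factor authentication checks above can be run over an export of a compromised account's settings. The following is an added example, not part of the original guidance: the export layout, field names, the domain school.example and all dates are constructed assumptions, not any email provider's real schema.

```python
from datetime import datetime, timezone

SCHOOL_DOMAINS = {"school.example"}  # assumption: the school's own mail domains

# Constructed sample export; field names are hypothetical, not a vendor schema.
ACCOUNT = {
    "user": "bursar@school.example",
    "forwarding_address": "archive@mailbox.example",
    "inbox_rules": [
        {"name": "Newsletters", "forward_to": [], "delete": False},
        {"name": ".", "forward_to": ["bursar.copy@mailbox.example"], "delete": True},
        {"name": "Cover", "forward_to": ["office@school.example"], "delete": False},
    ],
    "mfa_methods": [
        {"type": "authenticator_app", "added": "2023-09-04T08:15:00+00:00"},
        {"type": "phone", "added": "2025-03-11T02:41:00+00:00"},
    ],
}

def is_external(address):
    """True when the address is outside the school's own domains."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in SCHOOL_DOMAINS

def review_account(account, suspected_since):
    """Return (finding, detail) pairs for the forwarding and MFA checks."""
    findings = []
    fwd = account.get("forwarding_address")
    if fwd and is_external(fwd):
        findings.append(("mailbox_forwarding", fwd))
    for rule in account.get("inbox_rules", []):
        for target in rule.get("forward_to", []):
            if is_external(target):
                # Forward-and-delete hides the copied mail from the account owner.
                kind = "rule_forward_and_delete" if rule.get("delete") else "rule_forward"
                findings.append((kind, f"{rule['name']} -> {target}"))
    for method in account.get("mfa_methods", []):
        # Any method registered after the suspected compromise needs verifying.
        if datetime.fromisoformat(method["added"]) >= suspected_since:
            findings.append(("mfa_added_after_compromise", method["type"]))
    return findings

if __name__ == "__main__":
    since = datetime(2025, 3, 10, tzinfo=timezone.utc)  # constructed date
    for kind, detail in review_account(ACCOUNT, since):
        print(kind, detail)
```

Each finding should be confirmed with the legitimate account holder before the rule or method is removed, and recorded for the incident log.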