View from the desk
Marina Khan, Founder and General Manager of Intellect Consulting Educational Agency in Kazakhstan
Marina Khan

This week, Marina Khan, Founder and General Manager of Intellect Consulting Educational Agency in Kazakhstan, gives a warning to the study travel industry about web security threats and fraud.

Cybercrime: Industry alert!


One day recently, three events happened in quick succession which made me want to be heard by the wider professional society.


In the morning, an email from Norton that said, "Security Alert: KRACK attacks put all devices and all wi-fi connections at risk";Then, a phone call from a client wondering why a school was asking him to pay an invoice, which he paid two weeks earlier; and finally, in the evening a private email from my son's school addressed "Social Media Concerns". The information within, sourced by the school from Thames Valley Police, asked parents to check their children's social media activities and block two profiles for safeguarding reasons. 


It is blatantly obvious that no one in the modern era can afford to think of themselves as absolutely safe. The comfort of instantaneous sharing and a nexus of information, such as the cloud, have backfired to the extent that we have lost control over our information. Credit cards, addresses and personal information are literally 'up for grabs' in a digital world controlled by the few with the right knowledge to take everything. 


During the last half-year the frequency of cyber-attacks in international education has increased, the reports coming in from different sources. With increasing prevalence I hear of these cases from colleagues, agencies and school representatives. However two things shine through the fog and mystery surrounding these cases: 1. No one is safe; and 2. The most common offence is fraudulent bank accounts. The way this works is the hackers gain access to company servers and send an email, either pretending to be the agent or the school. Contained within the email is a bank account number and once the victim transfers funds to that account it is then swiftly closed and the money withdrawn. Unfortunately no one is raising concern about this and no one is attempting to find a solution to what is potentially is an industry-threatening problem.


In detail the problem looks like the following:  criminal elements understand the chain of events and the interactions this industry is based on very well (agent - school - client) and hence skilfully use this to syphon off funds.


Scheme 1. The original invoices, which the school sends, are intercepted and altered. Consequently, the agents and parents receive an invoice which looks genuine and authentic but contain adjusted bank details. These changes are almost undetectable and can sometimes consist of only a few numbers making it hard to distinguish between false and real. The parents pay and the representatives of the criminal enterprise withdraw the money and close the account. The school never receives the money.


Scheme 2. The original invoices, sent by the agent to receive a commission, are intercepted and changed. The school pays and then the same scheme applies; one representative of the criminal enterprise withdraws the money and closes the account. In the end the agent never receives the commission.


Over the last month alone we have had three such cases in our agency:

- Parents paid a yearly fee to an American school.

- The school returned the deposit to the student who had stopped going there.

- Parents paid a yearly fee for a school in Europe.


As you can guess, the real beneficiary never got their funds.


The thing which always strikes me is that in all three cases the criminal enterprises used accounts in reputable and established banks: Bank of America and Lloyds Bank.


Another fact - in all three cases to receive the money from these fake accounts, the criminals used the names of the schools. This means that the fake accounts were opened in the school's name, but with very small changes.


The formal answer to the problem looks simple: if the school doesn't receive payment then the child can't continue to be educated there.


Deeper analysis of the issue, however, reveals other factors:

- The returning of a student home in the middle of an academic year is an automatic loss of that whole year. The systems and curriculums are different and the courses and programmes do not coincide. Hence the student cannot get a qualification.

- The parents, who need to pay for their children's education in time, basically are doing their obligations: they pay on an account that has the school name, to a bank that is in the same country as the school. They do this only to receive an email weeks later saying, "Where is your payment?"

- The agent who, naturally, in the ensuing situation sympathises with the parents and understands their perplexity, understands the schools as well, who quite rightly, want to get paid. However, the agent can help no one!


Unfortunately, neither 20 plus years of experience, nor a Study Travel Star Award can protect from these situations and cannot help either the parents or the schools with their stolen assets.


However, I am sure that to uniting forces can and would help.

I suggest:

- To organise a hot line through which schools and agencies can inform each other about cases of cybercrime.

- Help agencies get information about how they can give help to their clients who have fallen victim to these crimes. This could help initiate an investigation in the banks where accounts of a criminal nature have been opened and to which money has been transferred. Unfortunately, the banks in my home country have proven helpless and some of them don't even having a department to deal with this problem. Assistance is required from countries which have an advanced and well-established banking structure. 

- Create a pot/fund for helping students who have suffered from these crimes. In those three cases, that I have talked about earlier, we did not ask for a commission. An agency is a much smaller operation than a school and not receiving a commission is our contribution to the victims.


I was already finishing writing when I saw a notification on the screen: "the largest Russian news agency Interfax has just fallen victim to an unprecedented cyber-attack, engineers are looking for a solution".


I would like to start an open conversation within our industry and call upon all those who have either been affected or who have found a solution. The industry as a whole needs to turn its attention to this problem before it is too late.


Marina Khan is Founder and General Manager of Intellect Consulting Educational Agency in Kazakhstan.