Whilst every effort is made to ensure that the material contained within all Derbyshire audit services' alerts is reliable, no representation is made that information is accurate or that legal or other guidance contained is correct.
Derbyshire audit services does not accept responsibility for any liabilities, losses or damages as a result of persons having relied upon the information provided. Any organisation should seek their own legal or professional advice where necessary in relation to any information contained in an alert.
We are aware of an increase in spam emails being received by schools since the beginning of April 2017. These include emails which sometimes appear to be from a Derbyshire County Council source such as SchoolSAP and tend to contain what looks like legitimate information about O2, Vodafone and UPS accounts.
The document attached to this page explains how to spot the emails and the action that should be taken to remove them.
Agora Business invoices
Derbyshire schools are being approached by cold callers purporting to work for an organisation called Health and Safety for Schools and Colleges.
The caller requests to speak to the individual responsible for health and safety at the school and subsequently offers a 'free' health and safety newsletter as part of a launch offer. This newsletter is described as an eight page document covering aspects of health and safety such as accident prevention and safeguarding for students.
Although this offer is initially described as 'free', schools have reported receiving quarterly invoices from Agora Business for continued receipt of a monthly publication at a cost of £98.98.
Following receipt of the invoice one school challenged the company as they had no record of this agreement being made, at which point Agora Business provided the school with a recording of the cold call evidencing acceptance of the free trial by a school staff member. Although the free trial was accepted, it was not until the end of the call that the Health and Safety for Schools and Colleges representative briefly indicated that a subscription would continue thereafter.
Schools are advised that caution should be exercised when accepting any goods or services described as 'free' to ensure that engagement with potentially sharp business practices are avoided. Further instances of schools receiving invoices from Agora Business or similar companies should be promptly reported to audit services.
Scam emails from Hedley and Ellis Ltd
We have been contacted by a number of Derbyshire schools in receipt of an email purporting to originate from Hedley and Ellis Ltd.
The email thanks the recipient for a recent payment and advises that copies of outstanding invoices are provided within the zip file attached. Hedley and Ellis Ltd have formally advised that they are not responsible for sending these emails and confirmed that the police are now involved.
As with all instances of unsolicited emails, staff are reminded not to open attachments due to the risk of potential virus or ransomware attacks. Should school staff receive similar correspondence, the email should be deleted immediately and the sender blocked.
Schools Freedom of Information requests
Audit services have recently been contacted by a number of Derbyshire schools in relation to a Freedom of Information request received by email. The request appears to originate from an unmonitored email address and encourages recipients to submit data through the use of an embedded link, signified by the phrase 'Click Here To Submit Your Response'.
Due to the increasing number of virus and cyber-attacks triggered through the execution of attachments and links contained within emails of unknown origin, a significant risk may be posed to PCs and networks should malware or viruses be inadvertently downloaded onto equipment.
In accordance with previous cyber security guidance, audit services continue to advise that staff should not utilise embedded links to access unknown websites or systems. It is generally recommended that unsolicited emails are immediately deleted. However, emails containing Freedom of Information (FOI) requests impose statutory requirements on schools.
To adhere to legislation surrounding such requests, whilst maintaining online security, schools may wish to seek an alternative method of submission from the applicant.
Although in some instances the only email address provided appears to be unmonitored, by seeking a secure means of providing the data or sending the FOI response to that email address, schools may be able to demonstrate to the Information Commissioner's Officer (in the event of a complaint that the FOI request was not responded to) that reasonable steps have been taken to address the request and deliver the information appropriately.
Should schools require further information or advice, please contact audit services.
Online Office Supplies Ltd
Following a query received by audit services, a number of Derbyshire schools who had purchased from Online Office Supplies Ltd were contacted to verify the veracity and accuracy of invoices issued by this supplier.
Based on the information gathered, it was apparent that a number of schools had been overcharged for purchases made. However, it was confirmed during audit service's investigations that many such invoices had already been processed and paid by schools.
Schools are reminded that invoices should not be passed for payment without appropriate checks being undertaken. These include confirmation of quantities ordered, quantities delivered and the prices charged. Any discrepancies must be promptly identified and raised with this supplier immediately.
Where schools continue to order from Online Office Supplies Ltd, particular care should be demonstrated in validating the invoices received against the original orders raised. Continued confirmation that best value is being achieved should also be established.
If schools encounter discrepancies or disputes when transacting with this supplier, audit services should be contacted for information and advice.
School staff are reminded that orders for goods and services should be generated through OrderPoint wherever possible.
Official purchase orders should be raised with documented approval obtained from an authorised officer prior to placement. Observance of the documented procurement procedures will help ensure that all invoices processed, accurately reflect only the goods and services ordered and received by the school.
Audit services periodically receive reports that Derbyshire schools are in receipt of unsolicited invoices submitted by fraudulent or unscrupulous suppliers. These invoices are often tailored to include the name of the head teacher along with a fictitious order number for the supposed purchase of curriculum related resources, although no goods are ever received.
These unsolicited invoices are easily identifiable by schools with robust procurement procedures as no accompanying orders can be located. Historically there have been instances where such invoices have been processed and paid by Derbyshire schools indicating poor ordering and goods receipting processes.
An example of a recent unsolicited invoice from the company 'Making Changes', received by at least two Derbyshire schools, has been provided on this page for your reference. In both instances the schools confirmed that the supplier was unknown to them and that no such goods had been received.