Fraud and Security Risk in Schools: New survey report now available
Schools run on trust. Trust between staff and leadership, trust between schools and families, trust between finance teams and suppliers and increasingly, trust in the systems and workflows that sit behind approvals, invoices, payments, reporting and recovery.
That trust matters. But it also creates pressure points.
Alii’s new Fraud and Security Risk in Schools report shares findings from a survey of 553 school leaders across Australia, New Zealand, the UK and the US. It gives school finance, operations and IT leaders a practical view of where fraud and security risk is showing up, why stronger controls are now a governance issue as much as a systems issue, and what more consistent, repeatable control can look like in practice.
This is not a report designed to alarm. It is designed to clarify.
Why this report matters
Fraud and security risk in schools is no longer something leaders can treat as isolated, rare or primarily technical.
The survey findings show that exposure is already widespread and that many of the biggest vulnerabilities sit in ordinary day to day workflows, including approvals, supplier changes, invoice processing, payment verification, audit visibility and recovery readiness. These are not edge cases. They are operational realities.
That is part of what makes the findings so relevant. The issue is not a lack of awareness. School leaders are already highly aware that phishing, impersonation, supplier fraud and ransomware are real risks. The challenge is turning that awareness into operational discipline that holds up under pressure.
What the report covers
The report explores:
· where fraud and security risk is landing most often in schools
· what leaders see as the biggest risks heading into 2026
· how human factors, manual handling and unclear ownership continue to create exposure
· why visibility into audits, monitoring and recovery matters just as much as having controls on paper
· what stronger operational consistency can look like across approvals, supplier changes and payment workflows
· where a more structured workflow and clearer audit trail can help reduce manual risk
It is written for school leaders who need a practical, plain-language view of the issue, especially those responsible for governance, finance, operations and IT.
Topline findings from the survey
A few findings stand out immediately.
75.4% of schools reported confirmed or suspected fraud attempts. That alone should reset the conversation. Fraud is not a remote possibility for schools. It is part of the operating environment.
43.8% said they had detected and stopped fraud activity. That is encouraging, but it also points to active and repeated targeting.
9.0% experienced financial or data loss and 11.4% reported paying a fraudulent invoice. Those numbers make it clear that awareness and vigilance, while important, are not enough on their own. Controls have to work in real operating conditions, not just in theory.
The report also highlights some significant visibility gaps. 37.4% do not know when their last security audit occurred. 34.2% are unsure whether a designated fraud or data protection owner exists. Only 15% regularly test recovery plans.
That combination matters. If leaders cannot clearly see when controls were tested, who owns the risk, or whether recovery has been validated, the issue is no longer awareness. It is visibility, accountability and proof.
What school leaders are most concerned about next
There is also near universal awareness of where risk is heading. Respondents identified the most pressing risks heading into 2026 as phishing and impersonation scams, invoice or supplier fraud, AI-generated impersonation attempts, and ransomware and extortion attacks.
The message is clear. Leaders already understand the direction of travel. The real question is what changes operationally in response.
What these findings point to
One of the strongest themes in the report is that fraud risk in education is structural, not episodic.
Schools are not being targeted because they are poorly run. They are being targeted because they are busy, trusted and human. In many school environments, finance work is interruption-heavy, approvals are decentralised, supplier communication still happens heavily over email and processes can depend too much on memory, habit or manual checking.
That is why stronger controls need to be practical and repeatable.
In the report, we explore what that looks like in more detail, including non-negotiables in payment workflows, clearer ownership and escalation, role-based training and safe reporting culture, better visibility across audits, monitoring and workflow activity, and recovery validation rather than assumed readiness.
The goal is not maximum friction. It is consistent control that still holds when people are under pressure, covering for someone else, or making decisions quickly.
Watch the webinar for the topline findings and practical workflow takeaways
To support the report launch, Alii also hosted the Fraud and Security Risk in Schools Lunch & Learn webinar.
In the session, Daryll Holland, Head of Technology and Information Security at Alii, unpacked the topline survey findings and what they mean for school finance, operations and governance leaders.
Daryll brings deep experience across privacy, governance, risk management and IT strategy, with a practical, people-focused perspective shaped by leadership roles across the public and private sectors, including within a global ASX 100 education environment.
The webinar also featured Carolyn Clancy, Solutions Manager at Alii, who walked through the practical workflow side of the discussion and how stronger controls can be supported in day to day approvals, supplier changes, invoice verification and audit trail processes.
If you want a concise overview of the findings and a practical discussion of what stronger workflow discipline can look like, the webinar is the best place to start.
Download the full report
The blog only covers the topline picture.
The full report goes deeper into respondent profile and methodology, expanded survey findings, cross-analysis observations, governance and strategic implications, practical guidance for schools, a phased implementation roadmap, and what the findings mean for Boards, executive teams, finance leaders and IT leaders.
If you are reviewing controls, preparing for your next audit cycle, thinking about workflow risk, or looking at where manual handling may still be creating unnecessary exposure, the report is well worth a read.
Want to talk through your current workflow?
If your school is reviewing approvals, supplier verification, invoice processing, audit trail or recovery readiness, we are always happy to have a practical conversation.
.svg)
