“Imagine your university is a fortress…” An unlikely comparison to kick off Flywire’s Payment Security & Compliance Conference 2025 but, given the threat landscape, it’s a relevant one. With 91% of UK higher education institutions experiencing a cybersecurity attack in 2024, and an expected £4.1 billion flowing through university bank accounts this year, the sector remains a prime target for bad actors.
In the face of these threats, Flywire’s SVP of Education, Simon Read, urged attendees to take the necessary steps to strengthen their institutions’ defences, and “provide their students safe passage” into higher education. Implementing robust payment security and governance, he went on to say, “would help close the doors criminals would try to use to gain access” to students’ hard-earned cash.
That cyber attacks will continue, and only get more sophisticated, was the consensus among conference attendees. But, after two days of interactive workshops and insight-filled plenary sessions, over 110 attendees left with a little more insight into the risk landscape, their adversaries and steps they could take to fortify their institution’s defences.
Here are the key takeaways.
1. Simplify to secure and break down internal silos to thwart bad actors
“In the face of complex and persistent threats, complexity is not a defence. It’s a hiding place for risk,” Read proclaimed. Complexity creates more holes that can be exploited, making it harder for institutions to manage risks effectively. The solution? Simplification and robust collaboration.
Descoping is a proven strategy for simplifying the payment card environment and achieving PCI DSS compliance. Numerous speakers across the two-day event attested to its effectiveness, as well as the importance of engaging stakeholders across the university to build an effective holistic fraud protection framework. Neil Favager from the University of Leeds described how moving just 3% of their payments (representing a staggering 50% of their total income) to Flywire reduced the university’s payment security scope significantly.
“We’re educators, not payment security people,” Favager exclaimed. “Why would we want to manage the security of payments? Putting as many payments through a provider like Flywire, letting them manage those payments, just makes sense.” Descoping, Favager also asserted, makes achieving and maintaining compliance easier, because “it makes the job of holding people accountable smaller.”
In his closing keynote address, investigative journalist Geoff White urged the audience to break down the silos that exist in their institutions. After all, he explained, organised crime is made up of networks, all servicing each other like cogs in a watch. This makes them extremely effective. Unfortunately, higher education institutions tend to be quite fragmented, and criminals will exploit any gaps that fragmentation creates. White also highlighted a critical lesson from organised crime: "If you can't launder the proceeds, don't do the crime". This underscores the immense importance of robust AML (Anti-Money Laundering) measures, as without effective money laundering, many physical crimes become unprofitable.
2. Employ tech-driven defences, leveraging data and AI to outmanoeuvre fraudsters
While fortifying internal processes and breaking down silos are crucial, a modern university fortress also demands sophisticated, tech-driven defences. What’s more, simply reacting to threats is no longer enough; institutions must be proactive and embrace "anticipatory governance" – foresight to tackle the next problem, not just the current one.
Crucially, Heather Lowrie, Founder of Resilionix Limited, urged attendees to view AI not just as a threat, but as a powerful tool to enhance proactive risk mitigation. This sentiment was echoed by Adrian Muller, Flywire’s Compliance Director, who explained how Flywire leverages advanced technology to protect clients from fraud. Muller detailed how sophisticated machine learning, screening payment data and monitoring transactions in real time, prevented over £8 million worth of fraud in Q1 2025 alone. This robust, multi-layered scrutiny contributes to an exceptionally low chargeback rate of just 0.03% and a true fraud chargeback rate of 0.01% – significantly below the industry benchmark of 0.5%. For Flywire, Muller asserted, “fighting financial crime is not just a legal duty, it’s part of being a responsible business”.
Flywire's extensive client base provides a wealth of data points, enabling them to identify fraud and alert other clients to similar activity, providing a critical edge. This demonstrates how data-driven intelligence and AI can create powerful, collective defences that are difficult for fraudsters to penetrate. The message was clear: while AI assists criminals in creating more sophisticated attacks, it also provides the tools for institutions to build stronger, more adaptive defences, moving from a 'tick-box' compliance culture to one of continuous conversation and proactive risk management.
3. Empower your people with continuous training and education
Using just open-source tools, Ben Owen, former British Army Intelligence Officer and Boss on Channel 4’s Hunted, demonstrated hacker reconnaissance practices and shocked audience members by showing just how easily anyone’s digital footprint could be found. Once found, this information can be used, strategically, to commit crime.
But, despite technological advancements, humans remain the first and most critical element in any defence against evolving threats. Investing in robust and continuous training to increase awareness for staff will be vital, as will engaging with vulnerable groups, like students, about the risks they are exposed to. Lowrie introduced the concept of cognitive resilience: the ability to pause and consider whether what you’re experiencing is real or not. This involves questioning sources and verifying information using independent verification and trust indicators. She highlighted how training staff in cognitive resilience should be the first line of defence against AI-driven manipulation as part of fraud or cyber attack prevention.
Flywire is committed to supporting the sector in the fight against financial crime, and already offers free sector-specific payment security and AML & Fraud focused training to clients, but two new resources were highlighted at the conference:
- AML and Fraud Toolkit: This collection of resources and tools has been compiled to help institutions become more efficient with risk mitigation, strengthen links with agents and other third parties, and support education across the education ecosystem.
- We Fight Fraud video series: Filmed in conjunction with Flywire, We Fight Fraud’s latest series of videos dramatises the experiences of real-life victims and highlights the very real risks international students are exposed to. The videos and associated resources to help educate students, staff and agents will be available to UK universities.
4. Above all, do not put your head in the sand: new legislation has amplified accountability
A lack of senior management buy-in is one of the most common problems institutions face when it comes to complying with PCI DSS, contributing to the fact that only 40% of HEIs are currently PCI compliant. However, the Economic Crime and Corporate Transparency Act 2023 (ECCTA 2023), and in particular the Failure to Prevent Fraud offence which comes into force in September 2025, puts a new onus on top-level management to ensure policies and procedures are in place to protect against fraud. This might be just the thing to get payment security on the agenda with senior management. As Leeds’ Favager put it, “informing management about their responsibilities in the eyes of the law may get you further than a university policy.”
However, ECCTA 2023 also means a university will be held liable if fraud is committed by an “associated person”, for example an agent, contractor, or subsidiary. University franchise providers are specifically called out in the legislation, stemming from recent press about fraud among some providers.
Already, under the PCI DSS, merchants are required to ensure the third parties they are working with are compliant with the standard. Dave Neild, Head of Consultancy, Flywire, explained that third-party due diligence should be part of established procurement and information security assessment processes. When engaging with a third party, it is essential they are transparent in their operations, fully accept their responsibilities, demonstrate them to the customer and build trust. But under ECCTA 2023 there will be an increased need to interrogate the policies and procedures of third-party providers and agents to make sure they comply with the law. It will also make agent management and training even more critical as their actions could leave the university open to prosecution.
This year's Payment Security & Compliance Conference highlighted a clear and urgent message: in an ever-evolving threat landscape, UK higher education institutions must unite to fortify their defences. By embracing simplification, leveraging advanced technologies like AI, investing in continuous staff training and student awareness, and, critically, ensuring top-level commitment to compliance, universities can create a truly secure environment. It's a collective effort to outmanoeuvre fraudsters, safeguard vital funds, and ultimately, ensure a safe passage for every student entering higher education.
For more information
- Watch and listen to session replays from Payment Security and Compliance Conference 2025 for more tips and insights.
- Sign up for our payment security or AML & Fraud training, free to the UK higher education sector.