Cybercriminals attempt phishing attacks to gain access to the valuable information that schools and districts store.
Phishing is a type of cyberattack that uses email, text messages, or phone calls to trick recipients into unknowingly sharing sensitive information, such as login credentials or financial details, with cybercriminals. The messages are designed to look legitimate and to appear to come from a trusted source, so that recipients will share the sensitive information directly by email, download malware, or click on a malicious link that ultimately hands the attacker this information.
Schools are responsible for storing an immense amount of sensitive data, so it’s no surprise that cybercriminals are interested in gaining access to these internal networks with valuable information. First, there are the email addresses — parents, teachers, vendors, and students. Then there are also social security numbers and birth dates for students, parents, and staff that schools collect as part of student enrollment and staff onboarding. Schools will also collect and store health information like student immunization records and 504 plans. Human Resource teams collect and store sensitive personnel information like salaries, bank routing and account numbers, and emergency contact information. These are just some of the many types of sensitive data that schools need to collect to be able to operate successfully.
Being able to communicate with families, having quick access to a student’s current health information, and paying teachers and staff via direct deposit — these actions are all critical aspects of the day-to-day work of running schools. These are also exactly the types of information that cybercriminals would love to get their hands on. It’s not as though schools have the option to not collect this data – it’s all essential. So, the responsibility of safeguarding this valuable information is added to the already long list of school leader priorities.
And this information really is valuable. It sells for high prices on the dark web, making schools a prime target for these scams. Student records can be sold for up to $300 each on the black market. The average school in New York state has about 500 students, so one successful phishing scam against a single school could easily put $150,000 in a cybercriminal’s pocket. A successful scam at the district level pushes this figure into the millions.
Schools are among the list of sectors most vulnerable to cybercrime.
Over time, larger organizations like corporations and banks, which were the primary targets for cybercrime, have strengthened their security posture. They have devoted more financial resources to encryption, logging and monitoring, infrastructure upgrades, and so on. They have also increased their dedicated IT staff headcount, and some are even using AI and machine learning to detect and prevent cyberattacks. These improvements in their defenses have made it harder for cybercriminals to break into their systems. Criminals are now turning to more vulnerable sectors like schools and nonprofits because these sectors, with limited budgets and limited staffing, are unable to mount the same level of defense as bigger, better-resourced organizations.
Cybercriminals are becoming more sophisticated in their approaches to phishing.
The Consortium for School Networking reports that more than 90 percent of cyberattacks in schools begin with phishing campaigns.
The most well-known and easy-to-recognize phishing format is the email from a cybercriminal posing as a wealthy person who needs the recipient’s assistance in accessing their money. The request is usually written in an extremely urgent tone, and the email promises a share of the wealth if only the recipient will share their banking information for the money transfer or for safekeeping, or send some money upfront to help cover taxes or fees. Once the recipient sends over their financial information, they find that their accounts have been drained. If they send money upfront, the sender is never heard from again. Although this phishing format still works, it is widely recognized and easy to avoid.
There are other forms of phishing that are harder to recognize as scams.
For example, there’s spear phishing. This type of email phishing attack targets specific people or groups within a school or organization using a personalized message that appears legitimate. The attacker gathers personal information from the internet – a school’s website or social media – and uses it to craft a message that seems authentic because of the accurate details it includes. Publicly available information like the recipient’s real name, phone number, or title, when included in an email, can cause a staff member to lower their skepticism and then reply with sensitive information, click on a malicious link, or install malware. In the case of spear phishing, attackers use familiarity as a strategy.
Whaling is another form of phishing where the attacker uses methods to pretend to be a senior-level staff member – maybe a principal or a superintendent – and sends a request intended to trick the target into sharing sensitive information. Whaling will often rely on emotional manipulation to cause the target to lower their defenses and act quickly.
A school district in Florida lost a $300,000 class-action lawsuit and was required to purchase an $80,000 identity-theft monitoring policy for years for impacted staff because of a successful whaling attack. A cybercriminal sent an urgent email to HR staff pretending to be the superintendent. This email requested the W2s for all district staff. One of these staff members responded and inadvertently gave cybercriminals access to tax information for 7,500 employees.
Building your staff’s cybersecurity awareness helps schools stay safe from phishing scams.
In addition to using anti-spam and anti-malware products, training staff to spot phishing scams is a critical part of enhancing a school’s cybersecurity. Particularly as cybercriminals grow more sophisticated and tailor their attacks, some emails will bypass spam filters, and it will be up to school staff to distinguish authentic communications from fraudulent ones.
Security awareness training, with a special emphasis on phishing, can help staff understand what’s at stake and how to avoid these scams. Training staff on new cybersecurity developments keeps them up to date, and reminders and refreshers on best practices for spotting phishing emails are helpful as well. Best practices include:
- Being cautious of emails with high levels of urgency asking for you to download an attachment or click on a link. Cybercriminals will often use calls to action or threats to create a false sense of urgency. They’re hoping that the emotional manipulation will cause the email recipient to act hastily.
- Paying attention to emails with incorrect spelling, bad grammar, or odd punctuation. Emails with many grammatical errors or lots of incorrect spelling may be written specifically in a way to bypass spam filters and could be a scam.
- Checking in with a sender, if an email – from what you think is a trusted source – looks suspicious. If you receive an email with suspicious links or attachments from someone you know, check in with that person either by phone call, text, or in-person to verify that they actually sent the message.
- Checking the email domain. For emails claiming to be from trusted sources, verify the domain name. Attackers will often use fake domain names that are similar to real ones. Subtle or obvious misspellings in the domain name, or a trusted name buried inside a longer unfamiliar domain, can be a clue that the email is a scam.
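The domain check in the last item above can also be automated as a mail-gateway or help-desk triage rule. The following is an added example, not code from the original post or from CTS; the trusted-domain list and sample addresses are constructed, and the edit-distance threshold is an assumption to tune per school.

```python
import unicodedata

# Constructed list of domains this school's staff treat as trusted (assumption).
TRUSTED_DOMAINS = ["springfield-schools.org", "microsoft.com", "google.com"]

# Substitutions attackers commonly use because they look alike in a mail client.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

def normalize(domain: str) -> str:
    """Lowercase, strip accented/Cyrillic look-alikes, fold common character swaps."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender_domain(sender: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2):
    """Classify a sender address as ('trusted' | 'lookalike' | 'unknown', matched domain)."""
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    # Exact trusted domain, or a real subdomain of one (payroll.springfield-schools.org).
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted", t
    norm = normalize(domain)
    for t in trusted:
        tn = normalize(t)
        # Trusted name embedded in an unrelated domain: springfield-schools.org.login-verify.net
        if tn in norm and norm != tn:
            return "lookalike", t
        # Misspelling or homoglyph swap that collapses to (almost) the trusted name.
        if edit_distance(norm, tn) <= max_edits:
            return "lookalike", t
    return "unknown", ""

if __name__ == "__main__":
    for addr in ["hr@springfield-schools.org", "superintendent@springfie1d-schools.org",
                 "it@springfield-schools.org.login-verify.net", "noreply@rnicrosoft.com"]:
        print(addr, "->", check_sender_domain(addr))
```

A "lookalike" verdict is a signal for the recipient to confirm with the sender by phone or in person, as the previous item recommends, rather than an automatic block.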
At CTS, we help clients enhance their cybersecurity efforts.
Our team works with school leaders as they safeguard their school’s sensitive data and work to maintain and enhance their cybersecurity efforts. Our managed IT services have supported more than 60 schools in securing their students, staff, and broader network data. Contact us today to learn more about how we can help keep your school community safe online, so you can get back to the business of teaching and learning.