Recently, with many schools operating remotely, administrators have been bombarded with highly targeted, extremely effective email phishing attacks. Recent attacks have indicated scammers are adapting their methodology to take advantage of vulnerabilities specific to the education sector.
Strained by changing circumstances, schools are especially at risk of falling victim to these sophisticated scams. Despite the high risk they face, schools are not without options for mitigating it.
What do these attacks look like?
One particularly costly scam occurred in early 2020, when the Manor Independent School District in Texas fell victim to a scam in which hackers reportedly stole district information to conduct multiple fraudulent transactions. This attack cost the district a staggering $2.3 million.
While details are sparse about this specific attack, the general pattern it displays is a useful model of how these attacks take place. Since staffing and organizational information about public education institutions is required to be available to the public, scammers can easily find the names of school employees and their roles. Employees able to transfer money are often targeted with two main methods: emails impersonating an authority figure requesting information, or fake mailing list emails containing fraudulent links that compromise the recipient’s account.
In the case at Manor ISD, the stolen data was reportedly used to make seemingly normal transactions with what appeared to be one of the school’s existing vendors. It was weeks later, when the real vendor alerted the school to a missed payment, that the district uncovered the scam.
Protecting Against Phishing
Barracuda, a cybersecurity firm, recorded 3.5 million of these targeted phishing scams between June 2020 and September 2020. While the schemes vary in sophistication and intensity, these attacks mark a profound threat for which the education sector may not be adequately prepared. Educational institutions can work to prevent losses due to phishing by:
- Training employees of all levels to recognize and report phishing emails
- Implementing reporting options for suspicious emails
- Performing cybersecurity tests for employees
- Establishing clear protocols for sharing information
- Gaining a professional assessment of existing cybersecurity measures
These trends of sophisticated, targeted email phishing may be troubling, but awareness and vigilance are the best tools for keeping scams at bay.