Creative Strategies: School Districts Combatting Phishing Scams

The great thing about technology is that it makes everyday tasks so much easier. 

From communicating, to finding rides, to shopping—nearly everything can be done with a single click.

But the convenience of technology often has a downside. Take, for instance, the recent rash of hacking and ransomware attacks on K-12 school districts and colleges throughout the country. 

In May, Oklahoma City Public School employees were asked to not use their email accounts after the district fell victim to a ransomware attack. Just this month, Syracuse City School District faced a similar attack from a hacker who continued to increase ransom demands to unlock vital district systems. At the same time, Monroe College in New York City faced a similar attack, with hackers demanding 2 million dollars in ransom.

As phishing or trolling attacks like these become more sophisticated and creative, school districts need to rethink their approach to cybersecurity.

K-12 schools not immune

More than half of the K-12 chief technology officers surveyed in a recent joint report from Education Week and CoSN said that email phishing scams are a significant or very significant problem. And in 2016, 60 percent of K-12 schools that faced ransomware attacks ended up paying the hackers to restore their information, according to a Department of Education analysis reported by EdTech Focus on K-12.

Why are K-12 schools so appealing to hackers? Because the information schools hold is extremely valuable, cybersecurity advocate Erich Kron tells EdTech Focus on K12. 

“There’s a lot of interesting information in education institutions, like Social Security numbers or student loan information. Schools hold a lot of valuable information, which allows attackers to build a pretty substantial profile of people at a younger age. For example, we’ve certainly seen instances where children have had credit scores ruined because somebody has stolen their identity. This is not unusual.” 

Anatomy of a phishing attack

While we all hope we’re savvy enough to recognize suspicious emails, phishing scams are becoming more and more sophisticated every year.

“A lot of people think of these phishing attacks as being something like the “Nigerian prince” scam, meaning they should be pretty easy to see through,” Kron tells EdTech Focus on K-12. “However, these attackers have actually used what appears to be a genuine email address from these schools and have built out this very complex email. Essentially, they start out along the lines of ‘Dear colleagues,’ and it goes into a long explanation and talks about integrity and all of those things and ends with a call to action.”

When a teacher, administrator, or other district employee clicks on that call to action, they essentially invite ransomware or some other type of virus to attack the school or district’s information ecosystem which can result in the system being shut down and held for ransom or robbed of valuable personal data of students and employees.

Kron advises K-12 schools and other institutions to provide ongoing training for staff members on how to spot and report a phishing attack and to understand the security implications of such an attack. He also encourages school IT leaders to implement stronger password protection and multi-step authentication programs to help protect against potential breaches.

Cybersecurity expert Karen Scarfone advises school districts use advanced “endpoint protection tools” that help identify harmful software before it is installed on district systems. She also points to application whitelisting as a last resort when all other security fails. 

“If other security controls don’t stop the ransomware, the last layer of defense is application whitelisting,” writes Scarfone for EdTech Focus on K-12. “With this technique, an operating system allows an executable to run only if the school district has specifically approved its use…Even if a user is tricked into downloading and installing ransomware, whitelisting technology prevents the user from running it, regardless of his or her privilege.”

The end of email?

To face the growing threat of phishing attacks and the potential costly impact, many school district leaders we’ve talked to are going beyond standard cybersecurity measures and entirely rethinking the way their districts communicate.

One strategy is to stop listing email addresses altogether on their district and individual school websites. The idea is to make it harder for hackers to “scrape” and subsequently target district email addresses.

But eliminating email addresses doesn’t mean these districts are making it harder for community members to contact them. In fact, it’s quite the opposite.

Tools like K12 Insight’s customer experience solution, Let’s Talk!, offer school districts an alternative to email that actually makes it easier to track and respond to inquiries from students, parents, community members, and district staff.

For more on how Let’s Talk! works to improve community communication, check out the video below: