Spotting Phishing Scams: A Quick Guide for Schools

Phishing scams have become one of the most common methods cybercriminals use to steal sensitive information. According to the UK government cyber breaches survey 2024, 92% of primary schools and 89% of secondary schools reported a phishing attack.

Educational institutions, particularly schools, are prime targets for cybercriminals due to the valuable personal data they hold on students, staff, and parents. They often face a broader range of threats such as impersonation, viruses, malware and unauthorised access.

With school staff increasingly using online platforms for communication and management, it is essential to be vigilant and know how to spot phishing attempts. This blog is designed to help school staff recognise and avoid phishing scams, ensuring the safety of school networks and personal information.

What is Phishing?

Phishing is a type of cyberattack where criminals impersonate legitimate organisations or individuals in an attempt to trick you into revealing sensitive information such as usernames, passwords, or financial details. These scams typically come in the form of emails, text messages, or fraudulent websites, appearing to be from a trusted source.

Why Are Schools Targeted?

  • Valuable Data: Schools house a wealth of personal information, including student records, staff credentials, and parent contact details.
  • Budget Constraints: Many educational institutions have limited budgets for cybersecurity measures, making them more vulnerable to attacks.
  • Human Error: With the fast-paced environment in schools, staff members might inadvertently fall for a scam, especially when under pressure.

Common Phishing Scams Targeting Schools

  1. Fake IT Support: Phishing attacks may come in the form of impersonating your school’s IT department, requesting login credentials or asking you to click on a link to “update your account.”
  2. Fake Invoices or Payments: You may receive an email that looks like a legitimate request from your school's administration for payment or the processing of an invoice.
  3. Student or Parent Data Requests: Scammers may pose as parents or even other staff members, requesting access to student records under the guise of an emergency.
  4. COVID-19 or Safety Alerts: Scams may disguise themselves as important health updates or safety protocols, especially during times of crisis like the pandemic.

How to Spot a Phishing Email

 Here are a few key signs that can help you quickly identify a phishing attempt:

  • Suspicious Sender Email Address: Always double-check the sender’s email address. Phishing emails often come from addresses that are slightly off from the legitimate ones (e.g., [email protected] instead of [email protected]). Also look out for generic email addresses from public domains like Gmail or Yahoo instead of official school or district domains.
  • Generic Greetings: If you receive an email beginning with a generic salutation like "Dear Staff" or "Dear Teacher," instead of addressing you by your name, it should raise suspicion, especially if it asks for sensitive information in an urgent manner.
  • Urgency or Threats: Phishing emails often create a sense of urgency, claiming that your account will be suspended unless you act immediately, or that you must "click here" to avoid penalties.
  • Unusual Attachments or Links: Be wary of unsolicited attachments, especially those with file extensions like .exe, .zip, or .scr. Hover over links to check if the URL matches the expected destination. If it looks suspicious or unrelated to the content, do not click on it.
  • Grammatical Errors: Legitimate organisations usually ensure their communications are professional. Phishing emails, on the other hand, often contain grammatical mistakes, odd phrasing, or awkward wording.
  • Requests for Personal Information: Institutions will never ask for sensitive information, such as passwords or personal identification, via email.
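For IT teams that triage reported emails, the signs above can be turned into a first-pass check. This is an added example, not part of the original guide; `SCHOOL_DOMAIN`, the keyword patterns and the sample message are assumptions made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

SCHOOL_DOMAIN = "school.example"   # assumption: replace with your school's mail domain
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com"}
RISKY_EXT = (".exe", ".zip", ".scr")
TEXT_SIGNS = {                     # illustrative patterns, not a complete list
    "generic greeting": r"\bdear (staff|teacher)\b",
    "urgency or threat": r"suspended|immediately|click here",
    "asks for credentials": r"password|login credentials",
}
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
SHOWN_HOST = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)

def phishing_signs(raw):
    """Return the warning signs found in one raw e-mail (headers plus body)."""
    msg, signs, body = message_from_string(raw), [], ""
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in PUBLIC_DOMAINS:
        signs.append("public-domain sender")
    elif domain != SCHOOL_DOMAIN:
        signs.append("sender domain is not the school's")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            signs.append("risky attachment: " + name)
        elif part.get_content_maintype() == "text":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in ANCHOR.findall(body):   # the "hover over the link" check
        shown = SHOWN_HOST.search(text)
        host = (urlparse(href).hostname or "").lower()
        if shown and shown.group(1).lower() != host:
            signs.append(f"link text shows {shown.group(1)} but goes to {host}")
    signs += [s for s, pat in TEXT_SIGNS.items() if re.search(pat, body, re.I)]
    return signs

# Constructed sample message (not a real e-mail).
SAMPLE = """\
From: IT Support <it-helpdesk@gmail.com>
Content-Type: text/html; charset="utf-8"

<p>Dear Staff, your account will be suspended unless you confirm your password:
<a href="http://portal.example.net/update">https://school.example/account</a></p>
"""

if __name__ == "__main__":
    print("\n".join(phishing_signs(SAMPLE)))
```

A message that raises no signs is not proven safe; the result only helps decide which reports to look at first.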

Steps to Take if You Receive a Suspicious Email

  1. Do Not Click on Links or Download Attachments: If you're unsure about an email, do not click on any links or download any attachments until you've verified its authenticity.
  2. Verify the Sender: Reach out to the sender directly using contact information you already have, not the information in the suspicious email. If the email claims to be from the IT department, call your IT team directly.
  3. Report the Phishing Attempt: Forward the email to your school’s IT department or cybersecurity team. Many organisations have specific protocols for handling phishing attempts.
  4. Delete the Email: Once you’ve reported the email, delete it from your inbox to avoid accidentally clicking on it later.

Additional Best Practices

  • Use Strong, Unique Passwords: Ensure all staff members are using strong passwords for their accounts and encourage the use of multi-factor authentication (MFA) whenever possible.
  • Stay Updated on Cybersecurity Policies: Regularly attend any training sessions or updates provided by your school's IT department. Cybersecurity practices evolve, and it's important to stay informed.
  • Educate Students and Parents: As educators, it’s crucial to help students and parents understand phishing scams as well. Consider hosting short workshops or sending out educational materials on how to stay safe online.
  • Regularly Back Up Data: Encourage the IT team to perform regular backups of critical information. In the event of a successful phishing attack, having backups can prevent data loss.

Conclusion

Phishing scams are an ever-present threat, but with the right knowledge and practices, school staff can protect themselves and their institutions from falling victim to these schemes. By staying vigilant, questioning suspicious communications, and educating those around you, you can play a crucial role in safeguarding your school’s digital environment.

Remember, when in doubt—stop, think, and verify!
