Last month, Nantucket Public Schools was hit with a ransomware attack that forced the early dismissal of students and the cancellation of school the following day—and the district’s superintendent said recovery efforts are “far from over.” In November 2020, Baltimore County Public Schools was hacked using a phishing email that disrupted the school system’s website and remote learning for a number of days, ultimately costing the district nearly $10 million in network upgrades and damages, according to a recent report. The threat is real, and it can happen to your students.
In a previous interview with District Administration, James Turgal, vice president of Optiv’s Cyber Risk, Strategy and Board Relations and former chief information officer for the FBI, said it’s imperative that schools prioritize the confidentiality of their students’ personal information, such as their medical information and grades.
“There’s a ton of organizations out there, like threat organizations, that love going after PII [personal identity information] from schools because they can sell that to organized crime groups that are then starting to build profiles based on all that PII and create massive amounts of fraud,” he said.
And so is the case according to a new report from Identity Automation, a digital identity platform for education, and PIXM, a computer vision cybersecurity startup, which illustrates that the rise in digitized learning in public schools has unintentionally created new avenues for cybercriminals to maliciously target students. Unlike your school staff, children are a “blank slate” for thieves, the report reads. Their lack of credit and supervision can lead to years of undetected fraud.
One of the primary disparities within school security systems that leave students vulnerable is the lack of multifactor authentication (MFA), according to the research.
“Most K12 districts are feverishly working to deploy multifactor authentication to their privileged users and employee users, but they struggle to effectively deploy MFA for non-employee users, such as students and parents in a unified authentication approach,” it reads.
The report also highlights the incidents that took place at one U.S. school district using Identity Automation’s PhishID product to measure just how frequently students were being targeted by phishing attacks. Within one month of deployment, students and staff unknowingly clicked on 73 malicious sites, including new phishing attempts.
In addition, they uncover four key findings as they monitored cyber threats targeting this district:
- Students are the primary target: Criminals want access to students’ PII for their nonexistent credit history and financial gain.
- Phishing attacks against students are increasingly sophisticated: Most of the time students unknowingly click on malicious links because they appear to contain school-related content or present themselves as video games or other legitimate sources they are familiar with. Inevitably, they’re taken to login pages where their credentials and personal information can be intercepted and stolen.
- Phishing attacks are becoming harder to detect: Criminals are using stealthy tactics like quick deploy web applications and proxy-aware connections, making it extremely difficult for IT teams to detect and interrupt.
- Phishing links are circumventing filters: Even as schools are implementing blacklists and content filters to reduce the risk, these new and improved phishing tactics, like URL cloaking and tab cloaking, make it difficult for districts to maintain control.
As student-targeted phishing becomes even more common, school districts and IT teams must remain one step ahead of the enemy. Here are three recommendations provided in the report for district and IT leaders:
- Don’t rely simply on safeguarding inboxes, user training and content filters.
- Begin using anti-phishing protection that utilizes AI computer vision to better detect malicious phishing attempts.
- Require everyone to use multifactor authentication, including students.
More from DA: Why preparing students for a career in cybersecurity is a wise choice