An advanced form of phishing attack is spreading throughout K–12 schools and small colleges, leaving users vulnerable to ransomware attacks and cryptomining. According to cybersecurity company KnowBe4, hackers have begun to impersonate senior education officials as a new phishing tactic against teachers and staff to gain access to sensitive data.
Through extensive research, bad actors have been able to fool teachers into opening the door to their schools’ servers. EdTech spoke with KnowBe4 security awareness advocate Erich Kron to find out more about how smaller institutions and K–12 schools can keep these attackers at bay and limit their own vulnerability.
EDTECH: What is new about this type of phishing scam and why is it so effective?
What we're seeing, which is actually very impressive, is the level of sophistication in these attacks. A lot of people think of these phishing attacks as being something like the “Nigerian prince” scam, meaning they should be pretty easy to see through.
Photo: Courtesy of KnowBe4
However, these attackers have actually used what appears to be a genuine email address from these schools and have built out this very complex email. Essentially, they start out along the lines of “Dear colleagues,” and it goes into a long explanation and talks about integrity and all of those things and ends with a call to action.
Usually it's going to be related to a school policy, which the recipient would not expect to see in a phishing scam. It's a different way to approach this. It looks like it comes from someone in leadership and it usually makes much more sense to the people who are receiving it.
So instead of getting something saying “We need you to verify your Wells Fargo account” when you don't even have a Wells Fargo account, it uses something very topical, which unfortunately gets people to let their guard down and they end up clicking on these emails.
EDTECH: If the email speaks about school policy and is not an immediate call to action, how do bad actors get email recipients to give up their information?
The goal here is generally to get people to sign in to their email accounts, or they think they're signing into their email accounts. This is called credentialing.
They steal the credentials from these individuals by giving them a fake login page. Then, once they have collected those credentials, they're actually sending them to the real page that has those policies.
This is particularly interesting and something I haven't seen done to this level in a phishing attack. By redirecting to the real site, victims do not realize that they have actually fallen for an attack.
EDTECH: Why use this kind of sophisticated attack on a school server as opposed to an institution in another industry? Why are K–12 schools and small colleges more vulnerable?
There's a lot of interesting information in education institutions, like Social Security numbers or student loan information. Schools hold a lot of valuable information, which allows attackers to build a pretty substantial profile of people at a younger age. For example, we've certainly seen instances where children have had credit scores ruined because somebody has stolen their identity. This is not unusual.
For smaller institutions and schools, I think what happens is they do not necessarily have the budget to invest in very sophisticated sorts of security programs.
Any time you are in a public school or college, there is not always a large budget to try to counter these attacks. Unfortunately, faculty at smaller institutions do not seem to get as much of the training on this sort of thing as someone might in the corporate world.
So, I think the attackers have found that they are able to get into these networks, and as long as they continue to be successful they will continue to target these institutions.
EDTECH: What can institutions do to defend themselves against such sophisticated attacks?
I think one of the key things IT teams have to do is understand that there is a lot of value to training users on how to identify these sorts of attacks. I think, unfortunately, schools focus solely, or disproportionately, on the technology and hope that is going to do it. But that is just not cutting it these days.
We also need to make sure that they understand that the same sorts of attacks that are hitting schools can also hit them at home.
Another key thing I explain to clients when it comes to phishing attacks is most attacks are going to try to elicit some sort of an emotional response. So, if you get an email that you have an emotional response to, you want to step back a little bit and analyze that.
Attackers are very good at using emotions to get people to bypass the critical thinking part, which is where they become very successful.
There are also some ways to immediately tell if the email is a scam. One of the most telling things you can look for is the reply address. Usually, there's a drop-down you can do there where it will spell out who you are sending your reply to. If the rest of the reply address is not the individual that it says it is, that should be a big red flag right there.
Finally, training cannot just be a one-off event. Retraining is essential, especially since phishing attacks can correspond to different events throughout the year. For example, near the holidays, there may be scams specifically related to Christmas.
EDTECH: While institutions may not want to solely rely on tech, it is certainly helpful. What tools are available that would be a smart investment for institutions?
I think there are a couple of things institutions need to understand when it comes to accounts. First and foremost, how to deal with your passwords, and second, what we call password hygiene.
It seems like every week there's a new breach, and this can be attributed to people reusing the same passwords on multiple accounts.
Let's say you are on an online forum and it gets hacked, and you use the same password there as you do on your email account. Well, attackers are going to try that password. So changing passwords regularly is a very important tactic to get across to users.
I am also a big fan of multifactor authentication. Whether it's text message verification or another type of authentication. Generally speaking, the average individual these days has still not moved to adopting that.
Password locks are, in my opinion, very valuable tools to invest in. What they do is allow you to randomly generate passwords and hold them all in one secure place, which means, hopefully, these passwords do not have to be used more than once. I can tell you personally speaking, I get probably two-thirds of my passwords from this tool.
EDTECH: What technology trends do you see coming up that will help smaller institutions defend themselves from these attacks?
I think as we leverage artificial intelligence more, some of the tools that already exist are going to get much more effective at what they're doing. With computing power increasing and with AI advancing, IT teams are going to be able to spot these attacks much faster than they have been historically.
And this advancement will help endpoint protection, email gateways, all of these vulnerable places where companies are working to deploy AI. It is really going to help make current protections more effective.