Jun 13 2022

5 Ways K–12 Schools Can Push Back Against the Consent Phishing Trend

Multifactor authentication alone won’t save school districts from unintentionally granting bad actors access to credentials. Here’s how to stop consent phishing attacks.

We all think we know about phishing emails and how dangerous they are, particularly to K–12 school systems. However, educators may not be familiar with the growing trend of “consent phishing.”

In consent phishing attacks, bad actors use malicious apps hosted on legitimate cloud platforms to gain “access to an organization’s cloud services and data,” according to Microsoft.

In this type of phishing attack, teachers or school administrators may accidentally grant these apps permanent permission or consent that can be used to exploit school systems. Below are five ways that schools can combat consent phishing.

Click the banner to explore more security tips and expert advice for your K–12 district.

1. MFA and Identity Management Block Consent Phishing Attempts

Schools should definitely set up MFA for network login, requiring users to provide IDs, passwords and a third identifier, such as a badge or a biometric marker, to access the network.

In the cloud (whether Google Cloud, Microsoft Azure or Amazon Web Services) where consent phishing occurs, schools should use an identity and access management solution. An IAM solution should notify IT staff whenever it detects unusual web, app or email activity and can block login attempts.

2. Take Control of Third-Party App Permissions and Approvals

Unfortunately, even when MFA and identity management tools are in place, some users can still accidentally grant malicious cloud apps access to convincing cyber phishers.

According to Push Security, “the only way to completely shut down consent phishing attacks is to prevent users from granting access to third-party apps altogether.”

However, because this would reduce productivity, K–12 schools should let IT admins approve all new app requests from end users and preapprove widely used apps from trusted publishers.

DISCOVER: Here are 5 tips for protecting cloud applications and K–12 networks.

3. Security Training Can Help Schools Reduce Consent Phishing Attacks

Researchers who conducted the October 2020 IBM Education Ransomware Study of 1,000 educators and 200 administrators concluded that educators were “still unaware of critical information relevant to protecting their schools.”

At a minimum, K–12 IT experts should conduct annual training for teachers, students and administrators on consent phishing and other cyberthreats.

4. Schools Can Shore Up Cybersecurity with Annual External Audits

School IT leaders should hire outside cyber experts to perform annual audits. The auditors will test for security policies, best practices, documentation and compliance in central and remote IT systems and devices. They will assess the security of software, firewalls, third-party vendors, apps and the IT app approval process.

LEARN MORE: School districts turn to outside experts to beef up their security posture.

5. Schools Should Notify Legitimate Parties of Phishing Attempts

Finally, whenever a user reports a suspicious email that looks like it is coming from a legitimate party, IT teams should notify that party. IT can also consider hardening security around school email systems with software that checks for spam and blocks access to known malicious websites and apps.

Martin Barraud/Getty Images

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.