Nov 21 2022

What Do Schools Need to Know to Recognize a Social Engineering Attack?

Social engineering targets users, with the goal of manipulating their emotions to inspire action. Training staff to recognize these threats is imperative to cybersecurity.

Cybersecurity is a high priority for K–12 administrators and IT leaders. It was the No. 1 technology pain point for survey respondents in the Consortium for School Networking’s “EdTech Trends and Funding: A CoSN Member Survey 2022.” The survey also found 83 percent of districts planned to expand cybersecurity initiatives.

An increased need for cybersecurity has led to a call for additional funding for this educational priority. While schools are investing in technologies to keep their infrastructure and information safe, some experts recommend an additional route to better protection.

“Despite good cybersecurity practices, people are still the weakest link,” says researcher Martina Dove, author of The Psychology of Fraud, Persuasion and Scam Techniques. “That’s the biggest problem, and that’s something you can’t protect with conventional cybersecurity measures.”

Consequently, schools should train their staff and students on how to recognize social engineering, a type of cyberattack ranked as the top cybersecurity threat by 75 percent of respondents to a recent Cyber Security Hub survey.

What Is Social Engineering, and How Does It Work?

“Social engineering is when cybercriminals look to psychologically manipulate victims using emotions like urgency, fear and the natural human instinct to want to help and solve problems,” says Karen Sorady, vice president for member engagement at the Multi-State Information Sharing and Analysis Center (MS-ISAC). “They’re hacking the humans as opposed to hacking a computer system.”


The percentage of organizations that ranked social engineering as their top cybersecurity threat

Source:, “CS Hub Mid-Year Market Report 2022,” July 29, 2022

The goal of these attacks is to trick the target into performing an action — clicking on a link, sharing credentials or even providing payment in some form — that will allow the hacker to infiltrate the network or profit in some way.

Phishing is a common form of social engineering that has become quite sophisticated.

“Phishing emails used to be filled with a lot of misspellings and poor grammar. Today, phishing can appear to be very real, and in some cases, cybercriminals will actually study the victim so that they can establish a believable pretext,” Sorady says.

LEARN MORE: How can schools push back against the consent phishing trend?

How Are Cybercriminals Targeting Victims of Social Engineering?

Because of the additional research cybercriminals conduct on their victims, phishing emails may look much more believable than recipients expect. Scammers may include school-specific information or bait staff with emails that appear to come from principals, superintendents or other K–12 leaders.

And emails aren’t the only form of communication used in social engineering attacks. Phishing via text messages or phone calls — known as smishing or vishing, respectively — are also a threat to school security.

Well-researched social engineering attacks also target victims during particularly busy times of the year.

“With K–12, the beginning of the school year or the end of the semester can be chaotic,” Sorady says. This may be when hackers attempt to social engineer someone in a school district, because “people might not be paying as close attention.”

How Can Schools Prevent Social Engineering Attacks?

The best way to protect against social engineering attacks is to train staff to recognize and subvert the threats.

“When you get an email that says your account has been compromised, you’re panicked, and you have this rush of adrenaline and fear. You have a physical reaction to what you just read,” says Dove. “Scammers want you to act in that window in which you’re still under this visceral influence.”

It’s important to train staff and educators not to act impulsively, even when in a heightened emotional state. Train them on the signs of social engineering and what they should do if they believe they’ve received a fraudulent communication, such as alerting the IT department.

Additionally, all staff should be reminded not to put personal information online. This info helps threat actors conduct research on potential victims and craft more believable attacks. School personnel should also use different passwords for each of their online accounts, which will prevent credential stuffing if scammers acquire one of their passwords.

Despite the human element, there are some technologies that can help protect a school from social engineering attacks.

Endpoint protection and spam filters can keep phishing emails from reaching targets, and they can protect a district’s network in the event a user inadvertently clicks a malicious link.

Multifactor authentication is another solution that can protect staff from social engineering.

“If somebody is tricked into giving away their user ID and password, the attacker wouldn’t likely have the multifactor code or the user’s phone to retrieve the password,” Sorady says. “Unfortunately, no technology is perfect, and attackers are finding ways around solutions almost as fast as we can put them in. So, again, users are going to be your last line of defense.”

KEEP READING: Okta grants access to necessary apps for authorized users. 

damircudic/Getty Images

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.