Q&A: The National Cybersecurity Alliance’s Executive Director Tackles Phishing

Phishing has become a lot more sophisticated since the early days of email scams. These attacks, which prey on end users’ emotions, have become increasingly difficult to spot. Threat actors are working more intelligently, and they strategically choose busy times of year to target school districts.

In fact, phishing is such a significant problem in K–12 institutions and beyond that preventing these attacks is one of the National Cybersecurity Alliance’s four focus areas for Cybersecurity Awareness Month 2023.

Lisa Plaggemier, executive director of the NCA, sat down with EdTech: Focus on K–12 to talk about this threat. Citing NCA reports and other resources, Plaggemier shared what schools should look for and how they can fight phishing within their organizations.

Click the banner to start teaching your K–12 team to flag phishing attacks.

EDTECH: Why are phishing emails such a dangerous threat for K–12 schools?

PLAGGEMIER: No matter how good the security email gateway filters are, there’s always a chance that a phishing email is going to get through to your inbox. Large organizations have millions of phishing emails hitting their servers every day. If the bad guys can get 1 percent of 1 percent through, which is possible, then the odds are that somebody, somewhere is going to click on something.

Phishing is a lot more scalable than making calls, so it’s easier and cheaper for the bad guys to do. They wouldn’t do it if it didn’t work. It’s fruitful for them.

EDTECH: Why do phishing emails work so well for cybercriminals?

PLAGGEMIER: It’s a form of social engineering, which is a fancy way of saying people can trick us.

Really, it’s about that intersection of humans and technology. So many security incidents start with a human error, and the reality is that human error is something you have to plan for. How do you make technology a little more error-proof? How do you train in the meantime to make humans aware of all of the potential pitfalls?

EDTECH: Which demographics are the most vulnerable to cyberthreats such as phishing?

PLAGGEMIER: We have data from a report we do called “Oh, Behave!” that shows that older folks are slower to click on things and more distrustful of technology. Younger folks are faster to click and are more likely to click on something they shouldn’t.

Digital natives have a comfort level and trust with technology, so while we think of our kids being tech savvy, they’re not security savvy.

EDTECH: What new phishing threats should K–12 users be aware of? How are cybercriminals stepping up their game?

PLAGGEMIER: The most difficult attacks for an end user to recognize are when a trusted partner has had their network compromised and somebody has control of their email, so you’re getting a phishing email from an address that’s not spoofed.

When the bad guys get control of an email account, they work really quickly because they don’t know how long they’re going to have that control. They set up auto-forwarding rules and they find threads they can jump in on, and those can be really hard to detect.

LEARN MORE: Avoid becoming bait for a phishing email.

There’s also spear phishing, which is when phishing is tailored to someone’s role, and whaling.

Whaling is a type of phishing where they’re targeting a highly sought-after individual: That could be somebody with administrative access or it could be somebody very senior in the organization. It could be anybody in finance who has access to money and access to data.

There are clear things that people should look for, like spoofed email addresses and links that look a little unusual, misspellings and bad graphics, but the bad guys have gotten a lot more sophisticated. They have graphic artists. They have native English speakers. There are all kinds of artificial intelligence to help them now.

EDTECH: Besides email filters, which you mentioned, what tech can help K–12 IT teams fight back against phishing threats?

PLAGGEMIER: The best-case scenario is that somebody clicks on a phishing email and your proxy blocks them from going to the website. You always have to think in terms of a layered defense. In a perfect world, there is other technology in place that blocks somebody from getting to the malicious website and blocks malware from being downloaded. You have to look at it in its entirety and have a layer of defense.

DIVE DEEPER: Try these security controls to fight phishing attacks.

Simulated phishing programs have been around for a long time. I think everybody should be running one. There are automated ones now, so you set it and forget it. You can hire managed services to run it, too. It doesn’t have to be a big drag on the IT team to run the program.

EDTECH: What should K–12 IT admins keep in mind when administering phishing spoofs and other trainings?

PLAGGEMIER: I really believe in rewards and incentivizing people to do the right thing as opposed to punishing them.

Before you send a phishing email, you need to contact the HR team or the internal communications team to make sure you’re not doing anything tone deaf for the organization. If you want your security team to have a good, healthy relationship with the rest of the organization, and you want to be embedded with the business, it’s not wise to do anything that’s going to be too controversial.

The argument on the other side is the bad guys will do it, so we should do it too. But the bad guys don’t care about having a relationship with your organization.

I can’t stress enough that the school should be prepared for this. With the number of ransomware attacks on schools across the country over the past couple of years, if you’re not doing anything, then you frankly have your head in the sand right now.