Ding! You get a message on WhatsApp from a “Nigerian Prince” offering to send you $10,000 if you share your bank details. Most people would laugh if they got a text like this, but back in the 1980s, this iconic phishing scam defrauded millions of victims worldwide.
Now, imagine you’re an eager student in 2023 receiving an email that looks something like this:
Hi Sarah,
How are you? I have just finished reviewing your assignment, and I think it’d be beneficial to discuss your work before the exam next month. Can you drop a 30-minute meeting in my calendar at a time that suits you?
https://calender.google.com/calendar/
Speak to you soon.
Dr. Clark
In the heat of the moment, it’s unlikely that Sarah will spot the small spelling mistake in the URL (“calender” instead of “calendar”), a classic sign of an oh-so-realistic phishing attack. The last thing she’ll do is ignore the email; after all, her grades and school reputation are on the line.
As well as straightforward scams like this one (to the tune of 3.4 billion malicious emails daily), phishing can be the springboard for DoS (denial of service) and malware attacks, in which the victim’s computer is inaccessible and under the hacker’s control.
Phishing sheds light on the naivety and lack of awareness surrounding cybersecurity measures and on the institutions without a finger on the pulse. This article will review how and why these attacks impact schools and students, and provide critical phishing prevention strategies you need to know.
Phishing: The World’s Most Multifaceted Cyberattack
Phishing disguises malicious text messages, emails, and other communications as real content from brands, people, and organizations. The goal is to trick victims into believing the requests are legitimate, manipulating them into revealing their personal information and data.
Ultimately, these attacks have one clear commonality: they must be realistic. And thanks to sophisticated AI and evolving social engineering strategies, they are. Modern attacks like cloning and email phishing use tactics such as URL cloaking to send the victim a fake link masquerading as a real one.
Similarly, a tab cloaking attack might ask an unsuspecting student to log into their university admissions portal to complete their registration—unbeknownst to them, it’s a malicious website harvesting their personal information, social security number, and even credit card details.
Generative AI makes it easier than ever for hackers to copy legitimate communications. For example, attackers can feed an AI model like ChatGPT with emails from teachers or fellow students and create a perfect replica of their discourse style.
Deepfake attacks take realism one step further, producing a like-for-like replica of a victim’s voice or image that exploits students’ and employees’ naivety, curiosity, and conscience. After all, most young people wouldn’t think twice about clicking on a bogus job offer, an exam results email, or even a ‘we tried to deliver your parcel…’ text.
Why schools? Why students? And why now?
Modern schools and their students are constantly connected to the internet. A free and fraudulent WiFi access point would go unnoticed by institutions with a need for good connectivity, and the rise of cloud computing in education has added the complexity of remote access control into the mix. Students and employees will likely have a combination of school- and privately-owned devices, making it difficult for IT teams to keep tabs on cybersecurity.
Pre-university students are a totally blank slate because they have no credit history or dependencies, meaning identity theft can go under the radar for years. Information like students’ names and teachers’ email addresses is sometimes published online, which makes the hackers’ job ridiculously easy.
Often, the students are not the primary target. Spear phishing attacks (that prey on individual victims) might zoom in on wealthy and high-profile parents, or aim to steal login credentials to access intellectual property and financial information stored in school systems and applications.
Researchers at Penn State University found that phishing scams aimed at college students increased significantly between 2014 and 2022 for this reason. Exam papers, confidential research, and the headmistress’ email account are attractive targets, too.
How Schools Can Protect Students and Themselves from Phishing
The scope and size of the school system are its appeal; 50 million compromised records can cost an institution as much as $392 million in reparations. Not to mention the money hackers would make, too. Your phishing protection plan needs to match this breadth and depth, and it might include the following elements:
School-wide Awareness Training
Let’s face it, students and younger employees probably think they know everything about the digital ecosystem, and that includes cybersecurity. How can an ‘old’ professor with a battered laptop possibly educate them on the dangers of online activity when they’ve spent their whole lives immersed in it? Choosing the proper training and delivery type is essential for engaging all parties, gaining their full attention, and getting results.
Short and recurring training like quizzes and interactive simulations might be more effective than long lectures because it provides a personalized experience to staff and students. Notably, your staff will have differences in technical maturity, knowledge, and understanding—plus, they might not even speak the same language!
At a minimum, training should teach everyone about the different types of phishing, how they work, what to look for, and how to react if they suspect an attack.
Phishing Simulations
Only 35% of organizations conduct phishing simulations, despite 44% of people admitting they think an email is ‘safe’ if it contains familiar branding. Simulations are an interactive, engaging, and effective method for students and staff to recognize nuances and discrepancies in fake hyperlinks, subject lines, names, branding, and more.
Choose a platform that offers measurable success and automation features to alleviate the burden on your school’s IT teams. Out-of-the-box solutions can be easy to deploy, allowing you to distribute and personalize training and simulations automatically.
Anti-Phishing Software
Anti-phishing software prevents phishing attacks from reaching email inboxes and inspects all digital communications before they reach the target account. Machine learning-based solutions and an anti-phishing toolbar are hugely beneficial. Still, they’re not a silver bullet and should be used alongside proper training, authentication strategies, VPNs, and firewalls.
Authentication Strategies
Multi-factor authentication (MFA) is a standard identity and access management (IAM) policy that requires everyone to provide at least two verification factors before accessing systems and applications. For example, adding an authentication layer to the school’s WiFi would help people recognize the correct access point.
You can implement MFA alongside other IAM policies like frequent password changes and a zero trust approach, which means the institution only grants the minimum access possible to resources.
Measure Success to Improve Training and Security
You can choose a phishing training and simulation provider that offers performance monitoring and reporting features to see how trends change over time and improve security awareness amongst students and staff. Automated, data-driven training campaigns are essential for delivering personalized and pre-emptive learning experiences, helping institutions foresee threats and knowledge gaps.
The Importance of Continuous Learning in Cybersecurity
Cybersecurity training in schools is not a tick-box exercise. It is a long-term project that requires continuous learning and effort from all parties. As education institutions further invest in edtech, cloud computing, and digital learning resources, your phishing policy will adapt and change to keep up with the pace of innovation.
Schools can reinforce the importance of cybersecurity through engaging and empowering training that positively impacts their academic life. CybeReady cybersecurity awareness training and phishing simulations are a comprehensive and proven solution to help staff keep schools and students safe.