We all know that schools are a growing target for cybercriminals, and it's not uncommon for schools in the same region to be hit.
For example, multiple schools in the West Midlands and Lancashire were targeted within a few weeks of each other. In these incidents, attackers compromised staff email accounts.
In this blog, we explore why local schools are often attacked, what kinds of attacks these can be, and how schools can protect themselves.
What is email compromise?
This is when an attacker gains access to someone else’s email account. They are actually logged into the account and send emails as though they are that person.
They can do this with login details that they have found elsewhere, obtained through social engineering such as a phishing email, or guessed from information online. They can also break into the account using automated password-guessing techniques such as password spraying and brute-force guessing.
Who is particularly vulnerable to email compromise?
Targeted phishing attacks, known as spear phishing or whaling, happen when criminals identify staff with the highest levels of privilege in the school and target them with personalised messages. This could be the leadership team, business leaders and IT staff. Criminals know that these people have administrative access to systems and can be responsible for paying invoices and other bills.
What kinds of messages do the attackers send?
An attacker’s main aim is likely to be financial. They may send emails asking for money to be transferred into their bank account. They do this by faking invoices to trick people into thinking they are paying for school supplies, building work, or trips.
1. Implement multi-factor authentication on all email accounts
2. Secure student email accounts
3. Employ basic cyber hygiene
Sometimes, attackers use very simple methods to compromise accounts, and cybersecurity basics can help prevent this.
Remember phishing training
Identifying a phishing email that looks like it's from someone you know is trickier, as their email address will be correct. However, the content of the email is likely to be off and probably won't sound like the person it appears to be from. Remind colleagues to consider whether they are expecting the email, whether the content is unusual, and whether it was sent at an unusual time.
Set up a phishing reporting process
We advise schools to set up a way for staff to report phishing emails. It is best to use a dedicated email address only for this purpose, for example phishing@schoolname.com, so that IT staff aren't tricked by forwarded emails themselves. Staff can also use this address if they think they have fallen for a phishing email.
Share incidents internally and with other schools
The quickest way to reduce the risk of regional or group attacks is to share intelligence and incidents with others. If email accounts have been compromised, let others know to be vigilant. If you receive a suspicious email purporting to be from a known source, screenshot it and share it internally and with other schools. The emails the attackers send to the different schools are likely to be similar in tone and content.
What if your suppliers experience business email compromise?
This kind of attack can happen to your suppliers too. Once criminals have compromised their email, they can send fake invoices with different bank account details.
Be on extra alert if your school is undergoing major work, and always check if suppliers change their bank details.
Case study
Recently, a school trust in England lost almost £400,000 in this way. They were tricked into paying invoices into a fraudulent bank account they thought was their builder’s.
Contact the sender via another means
If you’re suspicious about an email or message, always err on the side of caution. Find alternative contact details for that person, such as a phone number that isn’t included in the email. Call them and ask them if they have sent the message. It’s always better to be safe than sorry.
This type of sophisticated attack can trick anyone, and colleagues need to feel confident they can report mistakes without blame or incrimination. The incident response process can then be put into action.
Read about cyber incident response planning in our community.