The importance of anti-phishing training for staff members has been highlighted this week following a major incident in Denver. A targeted Denver Public Schools phishing scam saw at least 30 members of staff divulge their usernames and passwords to scammers.
The Denver Public Schools phishing scam enabled attackers to gain access to accounts, which allowed information to be gained to access to the school district’s payroll system. The attackers changed the routing numbers for payments to employees and directed the payments to their own accounts. More than $40,000 that had been set aside to pay staff wages was stolen.
Staff members have now been paid and efforts are continuing to recover the stolen funds. At least 14 direct deposits were made and have not been recovered. The school district is hoping that the payments will be covered by an insurance policy. The incident has been reported to the Colorado Bureau of Investigation and the incident is being investigated to try to identify the individuals behind the scam.
The Denver Public Schools phishing scam was highly convincing; however, questions will be asked about how so many employees fell for the scam and disclosed their login credentials. The school district has confirmed that efforts were made to educate its employees on the risk of phishing prior to the attack taking place.
Denver Public Schools employs 13,991 members of staff. The response percentage was therefore very low, but it can only take one individual to respond to such a scam for serious financial harm to be caused.
A Bad Year for Phishing Attacks on Schools
Phishing attacks on schools are commonplace, but this year has seen attacks soar. For instance, in 2017, there have been 141 reported W-2 phishing scams, 33 of which affected schools, colleges and universities.
Protect your MSP clients with the newest zero-day threat protection and intelligence against anti-phishing, business email compromise and zero-day attacks with PhishTitan.
Free Demo
While phishing scams used to be fairly easy to detect, now they are becoming much more sophisticated. It is now not easy to tell a phishing email from a real email request. The attackers use spoofing techniques to make the emails appear as if they have been sent from within the organization. Genuine email accounts may even be compromised and used for phishing attacks. Last month, the Digital Citizens Alliance reported finding millions of .edu email addresses listed for sale on the dark web. Those email addresses are often used for phishing scams as they are trusted.
Phishing emails are often free from the spelling and grammatical errors that were commonly seen in spam emails in years gone by. The emails often contain lifted branding, images and formatting, which makes them highly convincing. The requests for information may also seem reasonable.
How to Prevent Phishing Attacks
Providing anti-phishing training for staff is now an essential cybersecurity defense; however, it is also important to ensure that training has had the desired effect and has been taken onboard. Schools should therefore conduct dummy phishing exercises to identify the effectiveness of their training programs. Research has shown that with practice, employees get much better at identifying phishing scams.
Technological solutions should also be implemented to prevent spam emails from reaching end users’ inboxes. Advanced anti-spam solutions such as SpamTitan do not rely on blacklists to identify emails as spam. Blacklists are used along with a host of front end controls and emails are subjected to Bayesian analyses to identify common spam signatures. Rules can be set to reduce the risk of email spoofing.
If you are interested in finding out more about the range of technological solutions that can be employed to reduce the risk of phishing attacks, contact the TitanHQ team today.