Cyber Threats

School phishing and ransomware: how to win the battle

Learn how to combat the rising of phishing and ransomware in schools, and ensure a safe environment for students.

April 17, 2024

The educational sector is facing a surge in cyber threats, with a notable concern being school phishing and ransomware. There were over 1,600 cyber incidents targeting public K-12 schools between 2016 and 2022, with more than 50 publicly disclosed ransomware attacks reported per year.. Most recently, an attack on a New Haven school stands as a glaring testament to the vulnerability of schools: cyber criminals siphoned off $6 million from the district, exploiting the email exchanges between the COO, the city's budget office, and vendors, ultimately impersonating the COO for six separate fraudulent transfers.

Ransomware and phishing are serious issues confronting schools and school system administrators, as well as their IT departments.

Why educational institutions are targeted by ransomware

Educational institutions, often seen as soft targets, bear the brunt of a disproportionate amount of school ransomware attacks. The abundance of personal data and often inadequate security systems make them lucrative targets. Surprisingly, sometimes, the culprits are insiders: students aiming for pranks or vandalism. Such internal threats underscore the necessity for comprehensive security solutions that look both outward and inward. Understanding regular schools and K-12 cybersecurity risks requires addressing several factors:

  • Valuable data assets
  • Limited budgets
  • Diverse user base
  • Decentralized IT systems
  • Lack of cybersecurity expertise
  • Remote learning and BYOD
infographic explaining why educational institutions are targeted by ransomware

The increase in school phishing attacks

In recent years, the frequency and sophistication of phishing attacks targeting educational institutions have escalated dramatically. This increase is not only a reflection of the broader trends in cybercrime but also a stark indicator of the vulnerabilities specific to the educational environment.

Trends and implications

The rise in phishing attacks correlates with several broader trends:

  • Increased digital dependency: As schools continue to integrate technology into every aspect of administration and learning, the potential points of vulnerability multiply. This digital expansion provides fertile ground for cybercriminals.
  • Remote learning environments: The shift towards remote and hybrid learning models has expanded the attack surface dramatically. Home networks typically lack the robust security measures found in institutional settings, making them easier targets for phishing exploits.
  • Low awareness levels: Often, the success of a phishing attack hinges on the level of cybersecurity awareness among staff and students. Unfortunately, regular and comprehensive training is not always a priority in educational settings, leading to a higher rate of successful attacks.

Most common types of school phishing attacks

Schools face an array of cyber threats. IT administrators must remain vigilant, understanding that cybercriminals are always devising new strategies to infiltrate systems.

  • Email phishing: Email phishing is a deceitful tactic where cybercriminals send emails masquerading as trustworthy entities to extract personal information. These malicious emails often contain links or downloads that, once clicked, can infect systems or steal data.
  • Spear phishing, or targeted email phishing: Spear phishing takes regular phishing up a notch. Here, the attacker carefully curates an email to target specific individuals or organizations. By personalizing the attack, the success rate becomes significantly higher, making it extremely dangerous.
  • Whaling, or targeted emails impersonating a senior player at an organization: Whaling is a sophisticated form of spear phishing that zeroes in on top-tier executives. The previously mentioned New Haven crisis is an archetypal example where cybercriminals impersonated a senior executive, resulting in massive financial losses, and like this one, there are multiple examples of successful whaling attacks in schools.
  • ‍”Vishing” or phone call phishing: Vishing is the telephonic counterpart of email phishing, where scammers pose as legitimate entities over the phone. Now, with AI-trained voices, cybercriminals are creating more convincing and deceptive calls, raising the stakes even higher.
  • ‍”Smishing” or phishing by SMS text: Smishing employs text messages to deceive recipients. Cybercriminals send texts prompting recipients to click links or call numbers, leading to potential data theft or system compromise.

School phishing attacks on districts

A digital illustration depicting the concept of phishing attacks in K-12 institutions in a landscape format

A phishing attack involves tricking the recipient of an email to download malware, visit a fraudulent website or open a file containing malware. Spear phishing, a variant on the attack method, personalizes the attack, making it seem as if an email is coming from a friend or colleague. Both have the same effect.

School districts are vulnerable to phishing attacks. One reason is that employees may have low levels of awareness of school phishing dangers. Also, district employees may not find it strange to get a PDF or Word document sent by an unknown person. "It could be from a parent of a student," they might think, so they open the document and then…problems. Phishing attacks can also have the victims filling out forms on fraudulent websites that lead to invoices and payments to entities that look legitimate but are, in fact, criminal enterprises.

Keith R. Krueger, chief executive of the Consortium for School Networking, a group that represents school technology employees, described the phishing risk exposure in the New York Times by noting, “Cyberattacks on school districts and other organizations begin when an employee — perhaps someone in the financial office, where a lot of sensitive information is stored — opens an email that appears to have come from a supervisor or even the district superintendent, but in fact carries malware that compromises the employee’s computer and the district’s network.”

Recent examples of school phishing attacks against educational institutions include:

  • Spotsylvania Schools – the phishing attackers posed as contractors to the district and were able to defraud Spotsylvania, Virginia schools of over $600,000. Law enforcement has been able to recover about half the money.
  • Lancaster University – this college experienced a data breach that began with a phishing attack. Attackers accessed college application data and sent fraudulent invoices to applicants.

The increase in school ransomware attacks 

While Ransomware attacks aren’t new, they are increasingly common. In fact, in 2021, ransomware incidents were the most frequently reported cyber attack in schools for the first time in history. At least 45 schools experienced a ransomware attack in 2022.

Ransomware is a hacking technique that involves encrypting the target’s data and demanding a ransom (paid in cryptocurrency like Bitcoin) in exchange for de-encrypting it. 

For the attacker to succeed, he or she must gain access to the school system’s network, servers and databases. Apparently, it’s not hard to hack a school, as was revealed at the 2019 Def Con hacker conference.

At the conference, an 18-year-old student/hacker named Bill Demirkapi revealed multiple vulnerabilities in software used at his school. These included exploitable vulnerabilities in Blackboard's Community Engagement software and Follett's Student Information System. Demirkapi demonstrated that he could conduct SQL injection and XML inclusion attacks that would enable him to steal personally identifiable information or even modify his grades.

Notable recent examples of school ransomware attacks affecting school districts include:

  • Minneapolis School District – In early 2023, a ransomware attack affected over 100,000 individuals throughout the district after MSD refused to pay a $1 million ransom to a hacker. The stolen information included names and addresses, social security numbers, state student numbers, and health insurance data.
  • Los Angeles Unified School District (LAUSD)– In one of the biggest education breaches in recent years, at least 500 gigabytes of data was stolen and released in October 2022 when a Russian-speaking group initiated a ransomware attack against LAUSD and the district refused to pay. The personal information - including passport, social security details, and banking information - of some students, staff, and family members was published.
  • Louisiana schools – Three school districts in this state were struck by a ransomware attacker in July, 2019. The attack crippled several phone and IT systems. The Governor activated its emergency cybersecurity powers (created for just this kind of incident) This move makes it possible for the state to bring in the National Guard along with cyber experts and law enforcement. The schools lost all of their current data, but claim that no personal data was exposed.
  • Columbia Falls School District – The Columbia Falls, Georgia, district was attacked and threatened with a data lockup unless the hackers received $150,000. The attack featured strange, violent statements that at first were not understood to be part of a hacking attack - along with the threat to expose student names, addresses, and grades.

Most common types of school ransomware attacks

With cyberattacks on the rise, understanding the different types of ransomware is paramount:

  • Locky: Originally discovered in 2016, Locky ransomware rapidly became one of the most widespread malware strains. Once inside a system, it encrypts a wide array of document formats, renaming them with a ".locky" extension. Victims are then presented with a ransom note, demanding payment in exchange for the decryption key.
  • Cerber: This ransomware stands out due to its cloud-based nature, primarily targeting Office 365 users. Cerber encrypts files, renaming them with a random set of numbers and letters. It then demands a ransom, typically in Bitcoin. What's even more menacing is its ability to avoid detection by utilizing machine learning to analyze and adapt to its environment.
  • SamSam and WannaCry: SamSam and WannaCry are two of the most common and potent threat vectors for ransomware attacks. They both exploit unpatched systems. SamSam is dedicated to ransomware software. It’s not available on dark web “stores” for common use like tools like Locky and others. SamSam is manually deployed on the target’s networks. It can lurk undetected inside networks for months. WannaCry, a worm, is automated. Both encrypt data on systems they infect.

Best practices to combat school phishing and ransomware

Educational institutions house a wealth of sensitive data, making them prime targets for cybercriminals. To ensure the safety of this data and the uninterrupted functioning of the education process, it's essential to establish comprehensive cybersecurity best practices. 

From ensuring robust email protection to creating backup protocols, schools need to adopt a 360-degree approach, addressing every vulnerability and fortifying every potential breach point. Recognizing and addressing cybersecurity threats for IT professionals in education is pivotal to safeguarding these valuable assets.

1. Deploy multiple-layered security controls defense

illustration of deploying multiple layered security controls defense

A multiple-layered security approach involves implementing several protective layers to deter potential breaches. Like a fortress with walls, moats, and guards, a digital system protected through a layered approach ensures that even if one line of defense is penetrated, others remain intact to provide ongoing protection. This strategy is highly effective as it ensures that systems are not overly reliant on a single security measure. The core idea is to create redundancy in security defenses, making it more challenging for an attacker to breach the system.

This approach implements multiple security measures at various levels:

  • Network segmentation and monitoring: By splitting the network into distinct segments, schools can ensure that a breach in one segment doesn't compromise the entire system. 
  • Identity and access security: It's crucial to ensure that only authorized individuals can access specific parts of the network and sensitive data. By implementing role-based access controls, institutions can define who can view or modify particular resources.
  • Endpoint security and advanced protection: Tools that provide advanced endpoint detection can monitor these devices in real-time, identifying and countering any malicious activities.
  • Email security: Proper email security measures include advanced spam filters, malware scanners, and phishing detectors.
  • Web security: With vast amounts of educational resources now online, ensuring web security is essential. This means having active firewalls in place and filters that prevent users from accessing harmful online content or malicious websites.
  • Data security and backups: Regular data backups, stored both onsite and offsite, ensure that institutions can quickly recover critical information.

2. Establish clear policies and procedures

illustration showing how to establish clear policies and procedures to prevent ransomware in schools

Clear and robust policies and procedures lie at the heart of any solid cybersecurity framework. They serve as the guiding blueprint, detailing how staff and students should interact with institutional systems and data. From detailing response plans in the event of a cyber incident to defining acceptable IT behaviors, these policies and procedures ensure that all users are aligned in their approach to cybersecurity.

3. Develop and implement a cyber incident response plan

A cyber incident response plan outlines actions to take in the face of a cybersecurity breach. The National Institute of Standards and Technology incident response life cycle involves four phases: Preparation, Detection and Analysis, Containment, Eradication, and Recovery, and Post-Event Activity.

Each phase is designed to mitigate the impact of an incident and facilitate a swift return to normalcy: Preparation readies teams with resources and directives; Detection and Analysis swiftly identify and assess threats; Containment, Eradication, and Recovery isolate, remove, and restore systems; and Post-Event Activity involves analysis and improvement for enhanced future defenses. If you want to know more about incident response planning, you can read it in our dedicated section here.

Having a clear procedure in place ensures optimal reaction. Here’s an example of a ransomware response procedure:

  1. Isolate infected systems
  2. Report the incident
  3. Determine the ransomware type
  4. Restore from backup if possible
  5. Strengthen defenses:

4. Create IT security policies for staff

IT and security policies for staff provide guidelines on acceptable behavior, device usage, and data handling. Password Policies mandate strong, unique passwords to reduce unauthorized access risks, often requiring regular password changes and prohibiting easily guessable passwords.

Acceptable Use policies outline permitted activities on company devices and networks, preventing misuse for personal tasks or accessing harmful websites. You can learn more about security policies for schools in our dedicated section here.

5. Implement ongoing monitoring and security testing procedures

illustration of ongoing monitoring and security testing procedures

Effective cybersecurity isn't just about the defenses in place but also about the vigilance to detect and respond to threats. Schools must embrace monitoring and testing as proactive measures to keep their digital environment safe. By regularly overseeing system activities and subjecting those systems to real-world simulated threats, institutions can unearth vulnerabilities, enhance security protocols, and ensure preparedness against evolving cyber threats.

  • Log monitoring and analysis: Regularly monitoring and analyzing these logs allow IT professionals to understand patterns, detect inconsistencies, and respond to threats in real-time.
  • Backup testing: By testing backups, schools can identify potential issues, like data corruption or incomplete backups, and take corrective measures before an actual disaster strikes.
  • Simulation exercises: Simulation exercises, like mock phishing campaigns or controlled ransomware attacks, are helpful to test the team's response time, effectiveness, and coordination.
  • Continuous threat hunting: This involves proactively seeking signs of malicious activity within a system rather than waiting for automated alerts.

6. Train your staff

Illustration about the importance of staff education in schools

The human element is often the weakest link in cybersecurity. Staff, unless informed and updated, can inadvertently expose systems to risks. Regular cybersecurity training sessions help bridge this knowledge gap. These sessions, encompassing workshops, webinars, and seminars, equip staff with knowledge about the latest threats, safe online practices, and response strategies. Such ongoing education fosters a culture of cyber-awareness, transforming staff from potential vulnerability points into active defenders.

Teach the importance of identifying school phishing attempts

Phishing is a major cyber threat, and detecting it is crucial. Despite its apparent simplicity, school phishing attacks are growing more sophisticated. Here are signs to help distinguish genuine communication from phishing attempts:

  1. Suspicious attachments: Hackers often send unexpected emails with harmful attachments. Treat such attachments with caution. They can install malware or lead to harmful sites.
  2. Unusual requests, especially financial: Phishers mimic trusted sources to ask for money or sensitive data. Be cautious of unusual, urgent, or secretive requests. Verify through another channel before responding.
  3. Check links: Hover over links to see the real URL. Mismatched URLs or slight misspellings indicate phishing.
  4. Sensitive information requests: Legitimate entities won’t ask for passwords or PINs via email. Treat such emails with suspicion.

Provide information about safe online practices to follow

Online security is a mix of tools, defenses, and user habits. Practicing good digital hygiene can significantly bolster your safety. Here's a concise list of risky online behaviors to avoid:

  1. Weak passwords: Sharing passwords jeopardizes data and opens doors to broader breaches. Using one password across multiple accounts is risky.
  2. Public Wi-Fi risks: Avoid sensitive tasks on public Wi-Fi due to its insecurity. Use a VPN for encryption.
  3. Unverified software: Download from trusted sources. Check reviews and certifications, and stick to official app stores.

Suspect email attachments: Beware of email attachments, even from contacts. Scan with antivirus software before opening.

Bonus: additional measures

additional measures to prevent ransomware and phishing in schools

To fortify their digital infrastructure, educational institutions must go beyond traditional security protocols. Advanced measures tailored to the unique needs and challenges of the educational sector can provide an extra layer of protection.

Cyber insurance

Just as we insure our cars and homes, we need to think about insuring our digital presence, too. Enter Cyber Insurance. It's a specialized insurance coverage designed to safeguard businesses against the financial repercussions of cyber threats and attacks, like the damages caused by ransomware or DDoS attacks. Whether it's a sophisticated hack or a misplaced laptop, cyber insurance can be a financial lifesaver.

External security audits

Imagine going for a routine health check-up but for your organization's cybersecurity system. That's essentially what an external security audit is. External experts dive deep into your systems, identifying vulnerabilities and weak points. These audits provide an unbiased review of the organization's security posture, ensuring that all aspects are up to par.

Limiting third-party access

While collaboration and integration are the backbones of many successful businesses, there's a hidden risk that often goes unnoticed: third-party access. By giving third-party apps or vendors extensive or unprotected access to organizational systems, you're opening doors to potential security threats.

These are some of the most recent examples of third-party data breaches:

  • U.S. School Districts: Illuminate Education breach exposed data in major school districts like NYC and Los Angeles. Chicago Public Schools saw 495,000 student records exposed through an attack on a third-party provider.
  • Microsoft: HAFNIUM attacks compromised on-premises Microsoft Exchange Servers of 30,000 global organizations. A subsequent breach exposed 38 million records through a vulnerability in Microsoft Power Apps.
  • Uber: A third-party breach compromised the email addresses and data of over 77,000 Uber employees. A similar breach targeted DoorDash via a connected vendor's stolen credentials.

Asset inventory for risk assessments

At the heart of robust cybersecurity lies an intimate understanding of what you're protecting. Asset inventory is a thorough accounting of all organizational assets, be they physical or digital. Once you know what's at stake, risk assessments step in, analyzing the likelihood of threats to these assets and the potential damage they can cause. Together, these tools give organizations a clear roadmap of where their defenses need to be strongest.

These are the main benefits of implementing asset inventory tools:

  • Full visibility of devices for security operations
  • Mitigating shadow IT
  • Enhancing incident response
  • Resource allocation and budgeting
  • Meeting compliance requirements

infographic explaining the main benefits of implementing asset inventory tools


School phishing and ransomware threats are serious and will likely continue until they are stopped by stronger security countermeasures. There is a lot at stake! Student and family privacy is at risk. Schools cannot fulfill their educational missions and state-mandated requirements if their systems are locked up. 

Defense is possible, however. With a focus on cybersecurity basics, an advisory from experienced third parties, and perhaps reliance on MSSPs, schools, and school districts can reduce their exposure to ransomware and phishing risks.

On the same issue

Cybersecurity threats in educational institutions

Learn about the top cybersecurity threats faced by schools, and what are some ways to reduce their impact on students and staff.

April 30, 2024
keep reading
Dark Web Cyber Threats: Explore the Dark secrets

Explore the Dark Web secrets. Essential for IT managers to boost security to fight online dangers. Learn how!

March 19, 2024
keep reading
How to combat ai-enhanced cyber attacks

Discover how AI reshapes cybersecurity battles and uncover its double-edged impact. Explore further now!

March 11, 2024
keep reading
Spear phishing protection strategies: what you need to know

Phishing attacks, particularly spear phishing, have emerged as significant threats to organizational security, capable of causing severe financial and reputational damage. Learn how to protect yourself against it.

February 26, 2024
keep reading