Phishing is one
of many growing
security threats
to schools

Author: Gary Hilson

Security threats to schools are just as prominent as they are in the business world.

With 2020 described as a "record-breaking" year for cyber attacks against K-12 public schools in the U.S., the verdict for 2021 should be in soon. It may not be too different, as students, teachers and staff access learning materials and teaching resources online through a variety of devices like tablets or laptop computers. The many attack surfaces increase the number of security risks to schools, including distributed denial of service (DDoS) attacks, malware and ransomware. However, one of the most common methods threat actors use is phishing.

Phishing uses social engineering and fraudulent messages to unwittingly recruit users to help them deploy malicious software. Given the high volume of attacks lobbed at both K-12 and higher education institutions, any defense strategy must include steps to help mitigate security threats.  Cloud computing in education allows students the ability to access their homework wherever there's an internet connection and faculty to access that homework or upload coursework, which broadens the threat landscape.

Phishing as a security threat to schools

The many types of phishing attacks that pose security threats to schools have been compounded by cloud computing in education as the need for remote access to communications and courseware has risen during the COVID-19 pandemic. They include email phishing, HTTPS phishing, spear phishing (targeted email phishing), whaling (targeted emails impersonating a senior player at an organization), vishing (phone call phishing), smishing (phishing by SMS text), among others. 

Using an email or a phone call to get someone to make a change to an account or divulge information is one of the most common types of phishing; criminals direct you to a link to provide sensitive data and instill fear that something awful may happen if you don't act with urgency, which is a red flag. These emails or calls may be in the form of a warning from a government agency. Rather than act immediately, you might consider telling the caller you'll get back to them, and as a good rule of thumb, avoid clicking on a link in an email. 

Successful phishing emails may appear professional, as do fake websites. You can spot the latter by their URLs—because they often contain typos—or by branding that looks off, such as company logos that don't have the proper colors. But websites aren't the only things that can be copied to look like the real thing—so can wireless connections. These are more likely to impact a distributed campus than a single high school, as this form of phishing attack can create a free yet fraudulent Wi-Fi access point that allows criminals to see user data. Consider checking to make sure you're connecting to the right free hotspot or otherwise avoid them completely.

The appeal of free Wi-Fi has risen with the adoption of smartphones, which many students have, and it's another vector for security threats to schools.  Phishing attacks could be in the form of emails or SMS text messages. Again, it's all about getting users to click on a link they shouldn't; it's best not to click on an SMS link unless you're certain of its origin and the sender.

How to identify and prevent phishing attacks in education

Because security threats to schools are as relentless as those to businesses, robust cyber security policies and user awareness training are critical, especially because user tech acumen varies widely across student age groups, faculty and staff. 

Educating students, faculty and staff on what a phishing email looks like or how to spot a fake website or text can help bolster your defenses.  Make sure all school Wi-Fi access points require authentication, so everyone can assume that free ones are fake. Ensuring that all computers within an institution use an anti-phishing toolbar in the default browser can help create a standard defense. Cloud computing in education offers many toolsets to help mitigate security threats.

Cloud-based applications with security baked in can help reduce security threats to schools in part by reducing the IT teams’ workloads. Using threat detection services which integrate with cloud applications to scan files before you download them helps to make sure their content is safe. Some cloud applications, like Google Drive, display file ownership information that can help inform what you do with a file.  To help ensure that cloud apps are free from security vulnerabilities and have a strong security posture, you can perform security assessments, including penetration testing, vulnerability testing, configuration reviews, source code reviews and more. Cloud apps can help you develop and deliver an end-to-end security program.

Learn more about how cloud computing in education can enable robust cyber security.

The author of this content is a paid contributor for Verizon.