
The battle against school phishing and ransomware issues

Explore the cybersecurity measures to combat the rising threat of school phishing and ransomware. Learn how to safeguard students’ sensitive data.

November 16, 2023

The educational sector is facing a surge in cyber threats, with a notable concern being school phishing and ransomware. There were over 1,600 cyber incidents targeting public K-12 schools between 2016 and 2022, with more than 50 publicly disclosed ransomware attacks reported per year. Most recently, an attack on a New Haven school stands as a glaring testament to the vulnerability of schools: cyber criminals siphoned off $6 million from the district, exploiting the email exchanges between the COO, the city's budget office, and vendors, ultimately impersonating the COO for six separate fraudulent transfers. Ransomware and phishing are serious issues confronting schools and school system administrators, as well as their IT departments.

Why educational institutions are targeted by ransomware


Educational institutions, often seen as soft targets, bear the brunt of a disproportionate amount of school ransomware attacks. The abundance of personal data and often inadequate security systems make them lucrative targets. Surprisingly, sometimes, the culprits are insiders: students aiming for pranks or vandalism. Such internal threats underscore the necessity for comprehensive security solutions that look both outward and inward.

  • Valuable data assets
  • Limited budgets
  • Diverse user base
  • Decentralized IT systems
  • Lack of cybersecurity expertise
  • Remote learning and BYOD

Type of threats currently impacting schools

Schools face an array of cyber threats. It's not just about phishing or ransomware. IT administrators must remain vigilant, understanding that cybercriminals are always devising new strategies to infiltrate systems.

  • Email phishing: Email phishing is a deceitful tactic where cybercriminals send emails masquerading as trustworthy entities to extract personal information. These malicious emails often contain links or downloads that, once clicked, can infect systems or steal data.
  • Spear phishing, or targeted email phishing: Spear phishing takes regular phishing up a notch. Here, the attacker carefully curates an email to target specific individuals or organizations. By personalizing the attack, the success rate becomes significantly higher, making it extremely dangerous.
  • Whaling, or targeted emails impersonating a senior player at an organization: Whaling is a sophisticated form of spear phishing that zeroes in on top-tier executives. The previously mentioned New Haven crisis is an archetypal example, where cybercriminals impersonated a senior executive, resulting in massive financial losses. It is one of multiple examples of successful whaling attacks in schools.
  • Vishing or phone call phishing: Vishing is the telephonic counterpart of email phishing, where scammers pose as legitimate entities over the phone. Now, with AI-trained voices, cybercriminals are creating more convincing and deceptive calls, raising the stakes even higher.
  • Smishing, or phishing by SMS text: Smishing employs text messages to deceive recipients. Cybercriminals send texts prompting recipients to click links or call numbers, leading to potential data theft or system compromise.

The increase in school ransomware attacks

While ransomware attacks aren’t new, they are increasingly common. In fact, in 2021, ransomware incidents were the most frequently reported cyber attack in schools for the first time in history. At least 45 schools experienced a ransomware attack in 2022.

Ransomware is a hacking technique that involves encrypting the target’s data and demanding a ransom (paid in cryptocurrency like Bitcoin) in exchange for decrypting it. For the attacker to succeed, he or she must gain access to the school system’s network, servers and databases. Apparently, it’s not hard to hack a school, as was revealed at the 2019 Def Con hacker conference.

At the conference, an 18-year-old student/hacker named Bill Demirkapi revealed multiple vulnerabilities in software used at his school. These included exploitable vulnerabilities in Blackboard's Community Engagement software and Follett's Student Information System. Demirkapi demonstrated that he could conduct SQL injection and XML inclusion attacks that would enable him to steal personally identifiable information or even modify his grades.

Notable recent examples of school ransomware attacks affecting school districts include:

  • Minneapolis School District – In early 2023, a ransomware attack affected over 100,000 individuals throughout the district after MSD refused to pay a $1 million ransom to a hacker. The stolen information included names and addresses, social security numbers, state student numbers, and health insurance data.
  • Los Angeles Unified School District (LAUSD) – In one of the biggest education breaches in recent years, at least 500 gigabytes of data was stolen and released in October 2022 when a Russian-speaking group initiated a ransomware attack against LAUSD and the district refused to pay. The personal information of some students, staff, and family members, including passport, social security details, and banking information, was published.
  • Louisiana schools – Three school districts in this state were struck by a ransomware attacker in July 2019. The attack crippled several phone and IT systems. The Governor activated the state's emergency cybersecurity powers (created for just this kind of incident). This move makes it possible for the state to bring in the National Guard along with cyber experts and law enforcement. The schools lost all of their current data, but claim that no personal data was exposed.
  • Columbia Falls School District – The Columbia Falls, Georgia, district was attacked and threatened with a data lockup unless the hackers received $150,000. The attack featured strange, violent statements that at first were not understood to be part of a hacking attack - along with the threat to expose student names, addresses, and grades.

Types of ransomware

Ransomware is malicious software that encrypts a victim's files, demanding a ransom from the victim to restore access. With cyberattacks on the rise, understanding the different types of ransomware is paramount. Here are some of the common types:

  • Locky: Originally discovered in 2016, Locky ransomware rapidly became one of the most widespread malware strains. Once inside a system, it encrypts a wide array of document formats, renaming them with a ".locky" extension. Victims are then presented with a ransom note, demanding payment in exchange for the decryption key.
  • Cerber: This ransomware stands out due to its cloud-based nature, primarily targeting Office 365 users. Cerber encrypts files, renaming them with a random set of numbers and letters. It then demands a ransom, typically in Bitcoin. What's even more menacing is its ability to avoid detection by utilizing machine learning to analyze and adapt to its environment.
  • SamSam and WannaCry: SamSam and WannaCry are two of the most common and potent threat vectors for ransomware attacks. They both exploit unpatched systems. SamSam is dedicated ransomware software. Unlike tools such as Locky, it’s not available on dark web “stores” for common use. SamSam is manually deployed on the target’s networks and can lurk undetected inside them for months. WannaCry, a worm, is automated. Both encrypt data on systems they infect.

School phishing attacks on districts


A phishing attack involves tricking the recipient of an email into downloading malware, visiting a fraudulent website or opening a file containing malware. Spear phishing, a variant on the attack method, personalizes the attack, making it seem as if an email is coming from a friend or colleague. Both have the same effect.

School districts are vulnerable to phishing attacks. One reason is that employees may have low levels of awareness of school phishing dangers. Also, district employees may not find it strange to get a PDF or Word document sent by an unknown person. "It could be from a parent of a student," they might think, so they open the document and then…problems. Phishing attacks can also have the victims filling out forms on fraudulent websites that lead to invoices and payments to entities that look legitimate but are, in fact, criminal enterprises.

Keith R. Krueger, chief executive of the Consortium for School Networking, a group that represents school technology employees, described the phishing risk exposure in the New York Times by noting, “Cyberattacks on school districts and other organizations begin when an employee — perhaps someone in the financial office, where a lot of sensitive information is stored — opens an email that appears to have come from a supervisor or even the district superintendent, but in fact carries malware that compromises the employee’s computer and the district’s network.”

Recent examples of school phishing attacks against educational institutions include:

  • Spotsylvania Schools – the phishing attackers posed as contractors to the district and were able to defraud Spotsylvania, Virginia schools of over $600,000. Law enforcement has been able to recover about half the money.
  • Lancaster University – this college experienced a data breach that began with a phishing attack. Attackers accessed college application data and sent fraudulent invoices to applicants.

Best practices for keeping schools secure from cyberthreats

Educational institutions house a wealth of sensitive data, making them prime targets for cybercriminals. To ensure the safety of this data and the uninterrupted functioning of the education process, it's essential to establish comprehensive cybersecurity best practices. From ensuring robust email protection to creating backup protocols, schools need to adopt a 360-degree approach, addressing every vulnerability and fortifying every potential breach point.

Deploy multiple-layered security controls

A multiple-layered security approach involves implementing several protective layers to deter potential breaches. Like a fortress with walls, moats, and guards, a digital system protected through a layered approach ensures that even if one line of defense is penetrated, others remain intact to provide ongoing protection. This strategy is highly effective as it ensures that systems are not overly reliant on a single security measure. The core idea is to create redundancy in security defenses, making it more challenging for an attacker to breach the system.

This approach implements multiple security measures at various levels:


By splitting the network into distinct segments, schools can ensure that a breach in one segment doesn't compromise the entire system. Monitoring these segments for unusual activities allows for the quick detection of threats, thereby limiting potential damage. With real-time alerts, IT teams can act promptly, isolating compromised sections and mitigating risks.


It's crucial to ensure that only authorized individuals can access specific parts of the network and sensitive data. By implementing role-based access controls, institutions can define who can view or modify particular resources. This minimizes the risk of internal breaches or inadvertent data sharing, ensuring that even within the institution, data is on a need-to-know basis.


Every device connecting to the school's network is a potential entry point for threats. Tools that provide advanced endpoint detection can monitor these devices in real-time, identifying and countering any malicious activities. This layer includes antivirus and anti-malware software; tools for device lock, wiping, and encryption are also essential. It's also useful to know which devices are connected, what software they're running, and ensure they comply with institutional security policies. Tools like Prey can aid in tracking, managing, and recovering assets, thereby offering a comprehensive view of network-connected devices.


Given the rampant use of school phishing tactics targeting educational institutions, strengthening email security is paramount. Proper email security measures include advanced spam filters, malware scanners, and phishing detectors. By ensuring that suspicious emails don't reach the inboxes of staff and students, institutions can significantly reduce the risk of malicious links being clicked and sensitive information being shared.


With vast amounts of educational resources now online, ensuring web security is essential. This means having active firewalls in place and filters that prevent users from accessing harmful online content or malicious websites. It also includes enforcing SSL certificates on institutional websites and portals, ensuring encrypted communication between the user's browser and the web server.


Data security involves encryption, secure storage, and backup solutions to safeguard critical information. Regular data backups, stored both onsite and offsite, ensure that institutions can quickly recover critical information. Schools should also periodically test these backups to ensure data integrity and confirm the restoration process works smoothly.

Establish clear policies and procedures

Clear and robust policies and procedures lie at the heart of any solid cybersecurity framework. They serve as the guiding blueprint, detailing how staff and students should interact with institutional systems and data. From detailing response plans in the event of a cyber incident to defining acceptable IT behaviors, these policies and procedures ensure that all users are aligned in their approach to cybersecurity.

Cyber incident response plan

A cyber incident response plan outlines actions to take in the face of a cybersecurity breach. The National Institute of Standards and Technology incident response life cycle involves four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Event Activity.

Each phase is designed to mitigate the impact of an incident and facilitate a swift return to normalcy: Preparation readies teams with resources and directives; Detection and Analysis swiftly identify and assess threats; Containment, Eradication, and Recovery isolate, remove, and restore systems; and Post-Event Activity involves analysis and improvement for enhanced future defenses. If you want to know more about incident response planning, you can read it in our dedicated section here.

Having a clear procedure in place ensures optimal reaction. Here’s an example of a ransomware response procedure:

  1. Isolate infected systems
  2. Report the incident
  3. Determine the ransomware type
  4. Restore from backup if possible
  5. Strengthen defenses

IT security policies for staff

IT and security policies for staff provide guidelines on acceptable behavior, device usage, and data handling. Password policies mandate strong, unique passwords to reduce unauthorized access risks, often requiring regular password changes and prohibiting easily guessable passwords.

Acceptable Use policies outline permitted activities on company devices and networks, preventing misuse for personal tasks or accessing harmful websites. You can learn more about security policies for schools in our dedicated section here.

Ongoing monitoring and security testing

Effective cybersecurity isn't just about the defenses in place but also about the vigilance to detect and respond to threats. Schools must embrace monitoring and testing as proactive measures to keep their digital environment safe. By regularly overseeing system activities and subjecting those systems to real-world simulated threats, institutions can unearth vulnerabilities, enhance security protocols, and ensure preparedness against evolving cyber threats.

Log monitoring and analysis

Every digital action leaves behind a trace in the form of logs. System logs are a treasure trove of information, capturing anomalies that might indicate a breach or an attempted attack. Regularly monitoring and analyzing these logs allow IT professionals to understand patterns, detect inconsistencies, and respond to threats in real-time. The process is akin to reviewing security camera footage and providing a detailed account of system interactions and potential threats.
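As an illustration of the log analysis described above, the following added example (not code from the original article) scans file-server audit lines for a burst of renames that change a file's extension, the pattern left behind when ransomware such as Locky appends ".locky" to every file it encrypts. The log format, host names, user names, and threshold are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Assumed (constructed) audit format: <UTC time> host=.. user=.. op=RENAME src=.. dst=..
LINE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                  r"op=RENAME src=(?P<src>\S+) dst=(?P<dst>\S+)")

def detect_rename_bursts(lines, window=timedelta(seconds=60), threshold=5):
    """Alert once per (host, user) that changes `threshold` extensions inside `window`.

    Lines are expected in time order, as they appear in a log file.
    """
    recent = defaultdict(deque)          # (host, user) -> (timestamp, new extension)
    alerts = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                     # not a rename event
        old_ext = PurePosixPath(m["src"]).suffix.lower()
        new_ext = PurePosixPath(m["dst"]).suffix.lower()
        if new_ext == old_ext:
            continue                     # ordinary rename that keeps the file type
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        key = (m["host"], m["user"])
        events = recent[key]
        events.append((ts, new_ext))
        while ts - events[0][0] > window:
            events.popleft()             # drop events that fell out of the window
        if len(events) >= threshold and key not in alerts:
            ext, _ = Counter(e for _, e in events).most_common(1)[0]
            alerts[key] = {"first_seen": events[0][0].isoformat(),
                           "count": len(events), "extension": ext}
    return alerts

SAMPLE_LOG = [  # constructed sample lines, not real data
    *(f"2023-11-16T09:14:{2 * i:02d}Z host=LAB-PC-07 user=jdoe op=RENAME "
      f"src=/share/grades/q{i}.xlsx dst=/share/grades/q{i}.xlsx.locky" for i in range(6)),
    "2023-11-16T09:15:10Z host=OFFICE-PC-02 user=asmith op=RENAME "
    "src=/share/hr/report.docx dst=/share/hr/report-final.docx",
    "2023-11-16T09:15:30Z host=OFFICE-PC-02 user=asmith op=RENAME "
    "src=/share/hr/notes.txt dst=/share/hr/notes.md",
    "2023-11-16T09:16:00Z host=OFFICE-PC-02 user=asmith op=READ src=/share/hr/notes.md",
]

if __name__ == "__main__":
    for (host, user), info in detect_rename_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host}/{user}: {info}")
```

The host named in the alert is the one to isolate first under the ransomware response procedure.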

Backup testing

Having backups is reassuring, but their real value is realized only when they work in a crisis. Therefore, periodic backup testing is paramount. It ensures that data recovery mechanisms function as intended and the stored data remains intact and retrievable. By testing backups, schools can identify potential issues, like data corruption or incomplete backups, and take corrective measures before an actual disaster strikes.

Simulation exercises

A school's cybersecurity response team can only gauge its readiness by facing simulated cyber threats. Simulation exercises, like mock phishing campaigns or controlled ransomware attacks, test the team's response time, effectiveness, and coordination. These exercises offer valuable insights into the team's strengths and areas needing improvement, ensuring the school is better prepared for real cyber onslaughts.

Continuous threat hunting

In the ever-evolving landscape of cyber threats, a passive approach is a recipe for disaster. Continuous threat hunting involves proactively seeking signs of malicious activity within a system rather than waiting for automated alerts. It's the digital equivalent of patrolling guards, where experts delve deep into systems, using tools and expertise to spot early indicators of potential breaches, ensuring faster containment and mitigation.

Staff education

The human element is often the weakest link in cybersecurity. Staff, unless informed and updated, can inadvertently expose systems to risks. Regular cybersecurity training sessions help bridge this knowledge gap. These sessions, encompassing workshops, webinars, and seminars, equip staff with knowledge about the latest threats, safe online practices, and response strategies. Such ongoing education fosters a culture of cyber-awareness, transforming staff from potential vulnerability points into active defenders.

Teach the importance of identifying school phishing attempts

Phishing is a major cyber threat, and detecting it is crucial. Despite its apparent simplicity, school phishing attacks are growing more sophisticated. Here are signs to help distinguish genuine communication from phishing attempts:

  1. Suspicious attachments: Hackers often send unexpected emails with harmful attachments. Treat such attachments with caution. They can install malware or lead to harmful sites.
  2. Unusual requests, especially financial: Phishers mimic trusted sources to ask for money or sensitive data. Be cautious of unusual, urgent, or secretive requests. Verify through another channel before responding.
  3. Check links: Hover over links to see the real URL. Mismatched URLs or slight misspellings indicate phishing.
  4. Sensitive information requests: Legitimate entities won’t ask for passwords or PINs via email. Treat such emails with suspicion.
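The four signs above can also be checked automatically before a message reaches a person. The following is an added example, not code from the original article, that triages a parsed email for each sign. The trusted host name, keyword lists, risky extension list, and both sample messages are assumptions constructed for illustration.

```python
import os, re
from difflib import SequenceMatcher
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = "portal.district.example"   # assumption: the school's real portal host
RISKY_EXT = {".exe", ".js", ".scr", ".vbs", ".iso", ".docm", ".xlsm"}
MONEY = re.compile(r"\b(wire|transfer|invoice|payment|gift cards?)\b", re.I)
PRESSURE = re.compile(r"\b(urgent|immediately|today|confidential)\b", re.I)
SECRETS = re.compile(r"\b(password|passcode|pin)\b", re.I)

class Links(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def hostname(url):
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

def link_findings(href, text):
    found, real = set(), hostname(href)
    if re.match(r"(https?://|www\.)", text, re.I) and hostname(text) != real:
        found.add("link text does not match destination")   # shown URL != real URL
    if real != TRUSTED and SequenceMatcher(None, real, TRUSTED).ratio() >= 0.85:
        found.add("lookalike host")                          # slight misspelling
    return found

def triage(msg):
    findings = set()
    for part in msg.walk():
        name, ctype = part.get_filename(), part.get_content_type()
        if name:                                             # sign 1: attachments
            if os.path.splitext(name.lower())[1] in RISKY_EXT:
                findings.add("risky attachment type")
        elif ctype in ("text/plain", "text/html"):
            body = part.get_content()
            if MONEY.search(body) and PRESSURE.search(body): # sign 2: urgent money
                findings.add("urgent financial request")
            if SECRETS.search(body):                         # sign 4: asks for secrets
                findings.add("asks for credentials")
            if ctype == "text/html":                         # sign 3: check links
                parser = Links()
                parser.feed(body)
                for href, text in parser.links:
                    findings |= link_findings(href, text)
    return sorted(findings)

def sample(phish):
    """Constructed messages (not real mail): a phish or a routine notice."""
    m = EmailMessage()
    m["From"], m["To"] = "COO <coo@district.example>", "budget@district.example"
    if phish:
        m.set_content("Urgent: wire the vendor payment today. Confirm your password.")
        m.add_alternative('<a href="http://portal.distr1ct.example/login">'
                          "https://portal.district.example/login</a>", subtype="html")
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename="invoice.docm")
    else:
        m.set_content("The grade portal will be offline Saturday.")
        m.add_alternative('<a href="https://portal.district.example/status">Status</a>', subtype="html")
    return m
```

Calling triage(sample(True)) returns all five findings, while triage(sample(False)) returns an empty list. Keyword matching of this kind produces false positives, so findings are best used to route a message for review rather than to block it outright.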

Provide information about safe online practices to follow

Online security is a mix of tools, defenses, and user habits. Practicing good digital hygiene can significantly bolster your safety. Here's a concise list of risky online behaviors to avoid:

  1. Weak passwords: Sharing passwords jeopardizes data and opens doors to broader breaches. Using one password across multiple accounts is risky.
  2. Public Wi-Fi risks: Avoid sensitive tasks on public Wi-Fi due to its insecurity. Use a VPN for encryption.
  3. Unverified software: Download from trusted sources. Check reviews and certifications, and stick to official app stores.
  4. Suspect email attachments: Beware of email attachments, even from contacts. Scan with antivirus software before opening.

Additional measures

To fortify their digital infrastructure, educational institutions must go beyond traditional security protocols. Advanced measures tailored to the unique needs and challenges of the educational sector can provide an extra layer of protection.

Cyber insurance

Just as we insure our cars and homes, we need to think about insuring our digital presence, too. Enter Cyber Insurance. It's a specialized insurance coverage designed to safeguard businesses against the financial repercussions of cyber threats and attacks, like the damages caused by ransomware or DDoS attacks. Whether it's a sophisticated hack or a misplaced laptop, cyber insurance can be a financial lifesaver.

External security audits

Imagine going for a routine health check-up but for your organization's cybersecurity system. That's essentially what an external security audit is. External experts dive deep into your systems, identifying vulnerabilities and weak points. These audits provide an unbiased review of the organization's security posture, ensuring that all aspects are up to par.

Limiting third-party access

While collaboration and integration are the backbones of many successful businesses, there's a hidden risk that often goes unnoticed: third-party access. By giving third-party apps or vendors extensive or unprotected access to organizational systems, you're opening doors to potential security threats.

These are some of the most recent examples of third-party data breaches:

  • U.S. School Districts: Illuminate Education breach exposed data in major school districts like NYC and Los Angeles. Chicago Public Schools saw 495,000 student records exposed through an attack on a third-party provider.
  • Microsoft: HAFNIUM attacks compromised on-premises Microsoft Exchange Servers of 30,000 global organizations. A subsequent breach exposed 38 million records through a vulnerability in Microsoft Power Apps.
  • Uber: A third-party breach compromised the email addresses and data of over 77,000 Uber employees. A similar breach targeted DoorDash via a connected vendor's stolen credentials.

Asset inventory for risk assessments

At the heart of robust cybersecurity lies an intimate understanding of what you're protecting. Asset inventory is a thorough accounting of all organizational assets, be they physical or digital. Once you know what's at stake, risk assessments step in, analyzing the likelihood of threats to these assets and the potential damage they can cause. Together, these tools give organizations a clear roadmap of where their defenses need to be strongest.

These are the main benefits of implementing asset inventory tools:

  • Full visibility of devices for security operations
  • Mitigating shadow IT
  • Enhancing incident response
  • Resource allocation and budgeting
  • Meeting compliance requirements



School ransomware and phishing threats are serious and will likely continue until they are stopped by stronger security countermeasures. There is a lot at stake! Student and family privacy is at risk. Schools cannot fulfill their educational missions and state-mandated requirements if their systems are locked up. Defense is possible, however. With a focus on cybersecurity basics, advice from experienced third parties, and perhaps reliance on MSSPs, schools and school districts can reduce their exposure to ransomware and phishing risks.
