Phishing in Schools: Effective use of Phishing Campaigns in K-12

Let's face it: you're juggling a million things—from Wi-Fi that mysteriously drops during standardized testing to that one teacher who insists their 2007 laptop is "just fine." The last thing you need is a ransomware attack shutting down the whole district. But the bad guys aren't knocking; they're phishing. And they're getting really good at it. A recent study by CIS & MS-ISAC showed that user-targeted attacks are 45% more common than attacks targeting technical vulnerabilities.

So does buying the most expensive phishing and training solution make sense? Probably not.

Let’s start with the why - we all know the damage that a single compromised account or device can have. Data breaches are commonly caused by a user falling for a malicious link or email. Entire organizations have been taken out by a single compromised account. The operational, financial, and reputational damage caused by ONE bad phishing email can last for years.

Phishing simulation providers know the damage and will often quote the return on investment their product can deliver, but let’s break down the components first.

  1. Mandatory Staff Training: Do you want a solution that enrolls teachers in remedial training?

    • Why: A well-trained teacher is less likely to fall for a fake invoice scam. Plus, it can help satisfy compliance requirements that staff be trained. I know, I know, teachers have a lot on their plate, but this is non-negotiable in today's world.

    • My Take: If you can avoid automated required training, you should. Let's face it - teachers hate it, and all employees have a negative view of mandatory training. You can treat it as partly a punishment, but a training video loses effectiveness when someone is forced to sit through it. There are engaging alternatives to the same old training videos:

      • In-Person PD: Can your principal/superintendent give you 30 minutes in front of all staff at the beginning of the year to cover the same content? You can present data from the last year of phishing emails and cover the same content for 100% of staff with better engagement.

      • Staff Newsletter: Can you send tips in a staff newsletter? Or include a quiz that has a prize?

      • Interactive simulations: Use gamified simulations that put staff in real-world phishing scenarios. Google even has a free version that you can do on your own: https://phishingquiz.withgoogle.com/

  2. Simulated Phishing Attacks: Friend or Foe?

    • Should you send super realistic emails that push the limits on timeliness? Should teachers receive a fake Christmas gift card in December?

    • My Take: Absolutely not.

    • Why: Simulated attacks can be incredibly effective in identifying who needs more training. But approach with caution.

      • Don't make it punitive or personal. The goal is education, not punishment. As with required training, you lose some effectiveness if the person reacts negatively.

      • Vary the difficulty. Start with easy-to-spot fakes and gradually increase complexity. This also helps teachers “acclimate” to the phishing emails.

      • When you see a particularly dangerous one, send examples (e.g., screenshots) so staff are aware of how dangerous phishing emails can be. “Attackers might send you fake gift cards during the holidays” is a much better approach than risking an angry staff member who received it from you.

      • Keep it realistic - prioritize templates that appear to come from the Superintendent.

  3. Budget Allocation: How Much is Enough?

    • Should you buy the most expensive product on the market? How much is too much? How much is too low?

    • My Take: Phishing simulation tools can quickly become the Christmas gift that’s set aside by New Year's. You’re probably not going to use all the bells and whistles of the fancy phishing tools, so start with a cheaper version and then graduate up if you outgrow it. I have never used our phishing tools to the full capacity of our license, yet the politics of school budgeting means that we’re less likely to downgrade a license once we have it.

    • Why: It's better to have layers of security tools than to invest heavily in a small number. I would rather have a lower-cost phishing simulation tool that frees budget for a different tool covering another area, like MFA keys for that last group of staff who refuse to use MFA!

You can find tons of free templates online, or your insurance provider may also have some resources.

The Bottom Line

Phishing and ransomware are a serious threat to schools. But with the right strategies, training, and tools, you can significantly reduce your risk. Don't wait until you're facing a ransom demand to take action. Be proactive, stay vigilant, and remember: we're all in this together. And if you ever need a hand, feel free to reach out!
