A security firm recently sent a fake email to approximately 400 employees of Sioux Falls Catholic Schools. Don't worry, it was part of an educational exercise. Yet, the recipients generously shared personal information with the sender. They later found out the email had been a simulated phishing attack.
“It was definitely an eye-opener for our staff,” said Joe Hurley, director of IT for the school system, which includes six elementary schools, one junior high and one high school.
The fake email appeared to come from the school system’s IT department. It accused recipients of violating the school system’s Internet policy and directed them to click a link for more information. Then, it asked for their user name and password – valuable information to real-life scammers.
About 70 percent clicked the link and about half of them took the next step and provided their user name and password, Hurley said.
Sioux Falls Catholic Schools followed the fake attack with a half-day, in-service training session on what to look out for when using technology.
Training sessions to teach employees about phishing attacks and other technology-based scams are highly worthwhile. Institutions and businesses of all types and sizes are frequent targets of cyber thieves. Schools seem to be a popular target for email-based schemes, such as spear phishing.
In phishing attacks, fraudsters cast out hundreds or thousands of fake messages in hope of netting some usable information to sell or use. Spear phishing is a form of phishing that targets a specific group with emails that appear to come from someone they know.
Two financial offices at Sioux Falls Catholic Schools recently received fraudulent emails - supposedly from the school system’s president – that asked for sensitive payment information. Double-checks revealed that the president had not requested the information.
Another scam attempt was more successful. A caller claimed to represent Microsoft and convinced an employee to give them remote access to fix a computer problem. The caller had access to the computer for more than an hour.
Computers compromised like that typically must be cleaned and reprogrammed, Hurley said.
Public schools in South Dakota also have been popular targets lately. A message from the state’s K-12 Data Center to technical staffers at schools warned of an increase in spear phishing. Spammers posing as superintendents or other school administrators have targeted business managers with requests for information, such as employees’ W-2 information, the state email advised.
“Please ask your users to be very suspicious of any emails that request private employee information, financial information, or money transfers. It’s important to verify emails are legitimate before replying, sharing private employee information, or taking any action related to the district’s finances,” the Data Center advised.
There are ways to identify phishing attacks. Experts at SDN Communications in Sioux Falls have some suggestions:
- Always be cautious when using email.
- Look for spelling errors and strange phrasing in text.
- Beware of calls for immediate action.
- Double check link by hovering the mouse to see the actual URLs,
- Closely examine the “from” address. It might resemble a legitimate address but not be exact.
- Always be suspicious of emails that request personal information.
The FBI points out that most companies don’t request personal information via email. If in doubt, call the sender’s office. But don’t use the phone number in the email. It might be fake, too.
The law enforcement agency also says to never follow a link to a secure website. Type in the verified URLs manually.
Hurley points out the need to overcome politeness factors when dealing with thieves who operate online or a phone. For example, the Catholic schools teach students to be respectful of others. He assures students that it’s OK to abruptly to end interactions with people who are trying to steal information.
“Just hang up,” he tells them. You’re not being rude.”
Download SDN’s three cybersecurity posters, including one on phishing, to help raise cyber awareness at your business. Use the button below.