3 Key Takeaways
- Phishing is a bigger threat than schools realize: Only 27% of school districts see phishing as a high risk, but it’s a major way hackers target K-12 schools, putting students, staff, and data in danger.
- Awareness and verification are key: Teach school staff to spot phishing emails and verify suspicious requests by phone or text, not email, to avoid falling for sophisticated attacks.
- Use free tools and phishing-resistant MFA: Platforms like Microsoft 365 and Google Workspace have built-in features to catch phishing, and phishing-resistant MFA such as passkeys stops attackers who have already captured a password, because the credential only works on the real site's domain.
Phishing is a major threat to K-12 schools, especially since many don’t have the budget or staff to tackle it head-on. In Lightning Chat Episode 6, John Genter, Chief Information Security Officer at Lightspeed Systems, and Brad White, Principal Applications Security Architect, sat down to talk about K-12 school phishing. With over 30 years of working together in cybersecurity and deep ties to education (John was a school board trustee for 22 years, and Brad comes from a family of teachers), they laid out why phishing is a bigger deal than most schools think and shared practical, low-cost ways to fight it.
Schools Are Bigger Targets of Phishing Than You’d Think
John kicked things off with a surprising fact from a CoSN report: “only 27% of districts identified phishing as a high risk.” That’s a big miss, especially when you consider what the Cybersecurity and Infrastructure Security Agency (CISA) says: “malicious cyber actors are targeting K-12 education organizations across the country with potentially catastrophic impacts on students, their families, teachers, and administrators.” Brad agreed, saying, “K-12 is a relatively soft target for several reasons.” Why? Here’s the breakdown:
- Tight budgets: Schools often can’t afford top-notch cybersecurity tools.
- Small IT teams: Fewer people means it’s harder to stay on top of threats.
- Wrong mindset: A lot of folks think schools aren’t worth targeting, but hackers know they’re an easy mark.
John shared a real-world example: “In just the last few weeks, we’ve seen five compromised accounts at customers trying to phish Lightspeed employees.” Brad explained how these attacks work: “Threat actors are using sophisticated adversary-in-the-middle attacks… stealing both the user’s username and password and their session token, even if they’re using MFA.” These attacks can hit anyone—IT staff, teachers, you name it—and they can sneak past standard multi-factor authentication (MFA) if it’s not built to stop phishing.
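Why FIDO-based MFA survives the adversary-in-the-middle proxy described above, shown as an added example that is not code from the episode or from Lightspeed Systems: the browser writes the origin of the page it is actually on into the signed clientDataJSON, and the authenticator only answers for the RP ID the credential was registered under, so a relying party that checks both rejects an assertion relayed through a look-alike domain. The origins, RP ID and other values below are assumptions; the final signature check over authenticatorData || sha256(clientDataJSON) needs the credential's public key and a crypto library and is not modelled.

```python
"""Relying-party origin-binding checks that make FIDO/WebAuthn logins
resistant to adversary-in-the-middle (AiTM) phishing proxies.
Added example with constructed data; not code from Lightspeed Systems."""
import base64
import hashlib
import json
import os

# The real identity provider's origin and RP ID (assumed values).
RP_ORIGIN = "https://login.example.edu"
RP_ID = "login.example.edu"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_client_data(page_origin: str, challenge: bytes) -> str:
    """Model of what the browser puts in clientDataJSON for a get() call.
    The browser fills in the origin of the page that called WebAuthn;
    page script (or a proxy in front of the page) cannot change it."""
    return b64url_encode(json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": page_origin,
    }).encode())


def authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Model of the authenticatorData prefix the key signs:
    sha256(rpId) || flags (UP|UV) || 32-bit signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + sign_count.to_bytes(4, "big")


def verify_binding(client_data_b64: str, auth_data: bytes, expected_challenge: bytes) -> tuple[bool, str]:
    """Checks the relying party performs before verifying the signature over
    auth_data || sha256(clientDataJSON) with the stored public key (that final
    ECDSA/EdDSA step needs a crypto library and is not modelled here)."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False, "clientDataJSON is not valid"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch: stale or replayed assertion"
    if client_data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: signed for {client_data.get('origin')!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to another RP ID"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def login_attempt(page_origin: str, rp_id_used: str) -> tuple[bool, str]:
    """One end-to-end attempt. The RP issues a fresh challenge; an AiTM proxy
    can forward that challenge unchanged, but the victim's browser is on the
    proxy's page, so page_origin is the proxy's origin, not the RP's."""
    challenge = os.urandom(32)
    client_data = browser_client_data(page_origin, challenge)
    auth = authenticator_data(rp_id_used)
    return verify_binding(client_data, auth, challenge)


if __name__ == "__main__":
    print("direct login      :", login_attempt(RP_ORIGIN, RP_ID))
    print("via AiTM proxy    :", login_attempt("https://login-example-edu.proxy.test", RP_ID))
    print("attacker's own RP :", login_attempt(RP_ORIGIN, "proxy.test"))
```

With a password plus a texted code, the proxy simply relays both and receives the session token the real site issues. With a passkey, the relayed assertion carries the proxy's origin, the real site rejects it, and no session is ever created for the attacker; in practice the browser refuses even earlier, since a page on `proxy.test` is not allowed to request a credential for the RP ID `login.example.edu`.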
Easy, No-Cost Ways to Stay Safe from School Phishing Attempts
John and Brad were clear: you don’t need a big budget to start fighting phishing. Awareness is the first step. Brad put it simply: “The lowest cost thing is just increased awareness. Make sure your users know they are a target of phishing attacks and should take extra caution with unexpected emails.” John had a catchy phrase for this, riffing off Ronald Reagan: “trust but verify,” or better yet, “don’t reply, verify.” Their tips include:
- Double-check weird emails: If an email asks you to do something odd, like click a link, don’t reply to it. Call or text the sender instead. Brad warned, “We’ve seen cases where the threat actors have control of the sender’s email inbox.”
- Get everyone on board: From principals to custodians, make sure all staff know they could be targeted and what phishing looks like.
Tech Tricks to Lock Things Down
On the tech side, they pushed for phishing-resistant MFA. Brad said common MFA methods, like texted codes or app notifications, “can be stolen by adversary-in-the-middle attacks.” Instead, go for “FIDO-based tokens, like YubiKeys or passkeys… like Windows Hello.” John added, “Even basic MFA is better than nothing,” but the phishing-resistant kind is a game-changer. They also pointed to free tools in platforms like Microsoft 365 or Google Workspace:
- Keep an eye on logs: Check the audit logs for strange inbox rules, like ones that mark messages as read and move them to folders nobody looks at (or delete or forward them), and for logins from odd places or at odd hours.
- Stay sharp for sneaky attacks: Brad noted, “They’ll observe a user’s behavior once they gain access… and get a machine nearby,” making it tough to spot unauthorized logins.
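What the log check above looks like in practice, as an added example that is not Lightspeed's tooling: a small triage over Exchange Online inbox-rule audit records, flagging the hiding, deleting and forwarding patterns an attacker sets up after taking over a mailbox. The records are constructed; their field names follow the Exchange `New-InboxRule` / `Set-InboxRule` parameters as they appear in the Microsoft 365 unified audit log, and the folder and keyword lists are assumptions to tune for your district.

```python
"""Triage Exchange Online inbox-rule audit events for post-compromise
patterns: hide-and-mark-read, delete, external forward, keyword filters.
Added example with constructed records; not Lightspeed's tooling."""
import json

# Folders attackers move mail into so the victim never notices it (assumed list).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                  "deleted items", "conversation history", "notes"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Words attackers filter on to suppress security alerts and finance replies (assumed list).
SUSPICIOUS_WORDS = {"password", "invoice", "payment", "wire", "security",
                    "suspicious", "phish", "hacked", "fraud", "unusual"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

# Constructed newline-delimited audit records. Parameter names follow the
# Exchange cmdlets; users, IPs and timestamps are made up.
SAMPLE_LOG = r'''
{"CreationTime":"2025-03-03T13:02:11","Operation":"UserLoggedIn","UserId":"t.ramirez@example.edu","ClientIP":"198.51.100.7"}
{"CreationTime":"2025-03-03T13:05:40","Operation":"New-InboxRule","UserId":"t.ramirez@example.edu","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"\\Newsletters"}]}
{"CreationTime":"2025-03-03T22:41:09","Operation":"New-InboxRule","UserId":"p.okafor@example.edu","ClientIP":"203.0.113.45","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;password;suspicious sign-in"},{"Name":"MarkAsRead","Value":"True"},{"Name":"MoveToFolder","Value":"\\RSS Subscriptions"}]}
{"CreationTime":"2025-03-03T22:43:52","Operation":"Set-InboxRule","UserId":"p.okafor@example.edu","ClientIP":"203.0.113.45","Parameters":[{"Name":"Identity","Value":"Receipts"},{"Name":"ForwardAsAttachmentTo","Value":"billing.backup@mail-relay.test"},{"Name":"DeleteMessage","Value":"True"}]}
'''


def params_of(record: dict) -> dict:
    """Flatten the audit log's [{Name, Value}, ...] list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def rule_findings(record: dict) -> list[str]:
    """Return human-readable reasons this rule looks like attacker persistence."""
    p = params_of(record)
    findings = []
    name = p.get("Name") or p.get("Identity") or ""
    if not name.strip(" ._-"):
        findings.append(f"rule name is blank or punctuation only ({name!r})")
    folder = p.get("MoveToFolder", "").lstrip("\\").lower()
    deletes = p.get("DeleteMessage", "").lower() == "true"
    if folder in HIDING_FOLDERS:
        findings.append(f"moves mail to hiding folder {folder!r}")
    if deletes:
        findings.append("deletes matching mail")
    if p.get("MarkAsRead", "").lower() == "true" and (folder in HIDING_FOLDERS or deletes):
        findings.append("marks as read before hiding (victim sees no unread badge)")
    for fp in FORWARD_PARAMS:
        if fp in p:
            findings.append(f"{fp} -> {p[fp]}")
    phrases = [s.strip().lower() for key in ("SubjectContainsWords", "BodyContainsWords")
               for s in p.get(key, "").split(";") if s.strip()]
    hits = sorted(w for w in SUSPICIOUS_WORDS if any(w in ph for ph in phrases))
    if hits:
        findings.append("filters on security/finance words: " + ", ".join(hits))
    return findings


def triage(ndjson: str) -> list[dict]:
    """Scan newline-delimited audit records and report suspicious rule events."""
    reports = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPS:
            continue
        findings = rule_findings(rec)
        if findings:
            reports.append({"time": rec["CreationTime"], "user": rec["UserId"],
                            "ip": rec.get("ClientIP"), "findings": findings})
    return reports


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['time']} {r['user']} from {r['ip']}")
        for f in r["findings"]:
            print("   -", f)
```

Feed it the `AuditData` JSON from a unified audit log export (one record per line) and the benign "Newsletters" rule stays quiet while the punctuation-named rule that hides "invoice"/"password" mail in RSS Subscriptions and the rule that forwards and deletes receipts are both reported with the source IP, which is the next pivot for the "logins from odd places" check.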
Limiting Phishing Damage with Least Privilege
Another big idea was limiting access to reduce damage if someone gets hacked. Brad said, “Don’t just automatically give them access to everything. Give them access to what they need.” John compared it to a submarine: “If you have a breach in one part… it doesn’t sink the whole submarine.” Here’s how to do it:
- Give just enough access: In Office 365 or Google Workspace, only let staff use the tools they need, like email or Word, not SharePoint or Teams.
- Tweak as you go: If someone’s job changes, update their access to keep things secure without slowing them down.
Short, Frequent Training Beats Long Lectures
Forget hour-long training sessions once a year. John and Brad said short, regular reminders work better. John shared how Lightspeed does a “tip of the week” in their newsletter, and Brad liked the idea of “shorter, more regular communication” to keep everyone alert. They suggested:
- Weekly updates: Send quick emails with real examples, like “here’s what’s happening out there now… here are some links to other K-12 organizations that got compromised.”
- Make reporting easy: Encourage staff to flag weird emails fast, no judgment.
Wrapping Up: Stay Alert About Phishing
Brad’s final word was blunt: “Make sure your users are aware that they’re targets of phishing. They certainly are targets of phishing, guaranteed, 100%.” He pushed for using passkeys, which work on most devices, for non-student accounts. John suggested checking out the CoSN report and CISA’s website for more advice.
Phishing isn’t just a problem for big companies—it’s hitting schools hard. By spreading awareness, using phishing-resistant MFA, and tapping into free tools, schools can cut their risks a ton. As John and Brad showed in Lightning Chat Episode 6, a few smart, low-cost moves can protect students, staff, and data. Watch the full episode and stay vigilant!