Cybercriminals are getting savvier with their phishing emails and better at hiding malicious downloads. Every school is exposed through each individual email account on its network. We asked cybersecurity experts for best practices and warning signs that both students and staff can use to avoid phishing, ransomware, and malicious downloads.
Always use multi-factor authentication
Timothy Robinson, CEO and Cybersecurity Expert, InVPN
As a cybersecurity expert, I can say there are many tools and techniques schools can use in addition to security awareness training to avoid cyber incidents.
Phishing can be prevented by allowing multi-factor authentication (MFA) for all school facilities, including teacher and student email accounts and any other program that stores confidential information. It’s also never too early for students to learn how to apply this method to their online lives outside of school.
With the volume of data brought in by remote learning, educational institutions can back up their systems on a regular basis and store backups in an ‘offsite’ spot. Offsite can be described as a location that is not linked to the main network, making it much more difficult for a criminal hacker to delete or encrypt backups.
Read tips from the Federal Trade Commission, FBI, and PBS
Aliza Vigderman, Senior Content Manager, Security.org
Here are some clues that an email is potentially phishing, according to the Federal Trade Commission:
- The email looks like it’s from a company you’re familiar with, whether that’s a social media site, a bank, a credit card company, etc.
- The email tries to get you to click on an attachment or link, saying something like there’s a problem with your account, you have to confirm personal information, or you’re eligible for a coupon.
- The email has a generic greeting that doesn’t use your name.
The easiest way for employees, staff, and teachers to avoid phishing, ransomware, and downloads in their professional communications is to download antivirus software on all of their work-related devices. Antivirus software scans for phishing, ransomware, and other types of malware, quarantining malicious software if it finds it so that it can’t affect the rest of the device.
Schools should start teaching students about phishing, ransomware, and malware as soon as students are granted access to school-provided email accounts. Being able to recognize phishing emails is essential for safe internet usage. There are a number of user-friendly digital security resources for kids that can teach them the basics of malware and cyber-attacks from organizations like PBS and the FBI.
Creating a cyber threat team and response before there’s ever an incident is key
Sidra Ijaz, Research Analyst, InvoZone
There are many clues that an email is phishing. These emails are designed so that the victims respond and click on the links immediately. The content of such emails is specially designed to manipulate the emotions of the victims. For example, sometimes they have a sense of fear in them.
These are a few patterns in a phishing attack:
- Such emails manipulate victims emotionally.
- They have a sense of urgency.
- Links look suspicious. The best way to identify phishing links is by using secure phishing detection services such as Google Transparency Report.
- There may be spelling and grammatical errors.
Awareness is the key. The major source of ransomware attacks is phishing emails. For example, unaware employees can unknowingly assist in ransomware attacks by downloading malware through phishing emails. Awareness training of all the staff, teachers, and students can significantly reduce the impact of phishing and ransomware.
We have to change our cyber defense mindset from ‘incident response’ to ‘continuous response’. We have to adopt proactive cybersecurity measures against evolving ransomware attacks. These include offensive cybersecurity measures (such as ethical hacking and pen-testing), and cybersecurity drills. You can check the level of awareness and security culture in a school by launching a mock phishing attack.
Ransomware and phishing attack mitigation requires swift measures from incident response teams. Data protection and backup, forensic analysis, and disaster recovery plans are key to reducing the impact of the attack. School administration should work on developing a cybersecurity team.
Schools should start teaching cybersecurity to students as soon as they begin using computers or smart devices. Students should be aware of the cyber threat landscape.
Read every sentence, review the sender’s email address, and look for spelling errors
Tom Kirkham, Founder and CEO, IronTech Security
Here are some tips on how to spot a phishing email on your own:
- Is it coming from a public email domain or a private email domain? It shouldn’t be coming from an email address with a public email domain. For example, you’re not going to get an email from someone at our company that says [email protected]. It’s going to be from an email address such as [email protected]. Make sure to look at the email address before you do anything else.
- Are there spelling errors in the email address? Read the email and check for spelling errors. Check the sender’s email address for spelling errors. It will be an error that is hard to spot and looks correct at first glance. This happens pretty often because cybercriminals think you won’t be cautious enough to check the spelling. For example, they might spell Amazon like Arnazon. (They would change the m to an r and n to make it look like an m.)
- Is the content grammatically correct or is it poorly written in general? If you get an email and it’s full of grammatical errors and not well written, that’s a sign it’s a scam. Actual companies/organizations aren’t going to make this mistake.
- Is there an attachment or link in the email that you weren’t expecting? Hover your mouse over any link or attachment you’re unsure about. If the link isn’t what you are expecting, it’s possibly malicious. It’s better to be safe than sorry, so if you’re unsure about opening a link or attachment, err on the side of caution and don’t open it.
- Does the email sound strangely urgent? Some examples of this are when the email says they need money now or they need you to give them information ASAP. This isn’t realistic and can easily be debunked. They’ll usually pose as your boss, a senior executive at your company, or your bank because they think you are more likely to give these types of people sensitive information.
The best way to educate employees/staff on phishing emails, malware, and ransomware is by implementing a continuous cybersecurity training program. By enrolling your employees/staff in a continuous cybersecurity training program, you’re giving them the knowledge to keep themselves safe from cybercriminals.
When it comes to students, it’s best to educate students about phishing emails, malware, and ransomware as soon as possible. By doing this, you’re giving them the knowledge to avoid these types of attacks. The younger they’re able to recognize these things, the better it will be. Learning about how to stay safe online early on in life will be beneficial as they get older and use technology for college and their careers.
Provide fun, engaging, gamified cybersecurity training for everyone – students, parents, teachers
Andee Harston, Curriculum Manager, Infosec
In this day and age, you must be extra vigilant when it comes to checking your emails for phishing attempts. There are several things you can do to determine if an email is a phishing email:
- Hover (don’t click!) over the sender’s email address and check for any misspelled or suspicious domain names. Double-check the sender’s email address and ensure it matches your expectations.
- Read with caution any emails that use words like immediately, cancellation, or notification. This is very likely an indicator that the email is a phishing attempt. Hackers often use psychological tactics to pressure users to respond quickly or out of fear.
- Verify unexpected email attachments before clicking or downloading. Always contact a trusted secondary source to validate if the email is legitimate. This could mean calling a coworker from a phone number in your school/business directory and asking them if they sent an email or reporting the email as SPAM to your IT department.
- Watch for misspelled words, grammatical errors, or strangely constructed sentence structure. A poorly written email may also be (but not always) an indication that it is a phishing attempt.
One of the best ways to inspire secure habits among faculty and staff is through relatable, relevant training that leverages educational best practices like microlearning and gamification. This starts with engaging training that helps faculty and staff understand why bad actors target schools and student data – and what they can do to protect themselves and their students. Where possible, we recommend using real-world examples to help make training real for educators.
You can start by implementing a good cybersecurity education program to educate teachers, employees, and staff to identify malicious emails. Train thoroughly and often, at least quarterly. Teach employees to question all digital correspondence and always, always trust their gut instinct. Then make sure employees know who to report suspicious emails to and how to report them using the school’s incident response call tree or email reporting system.
Recommended topics include password complexity guidelines for home routers/computer assets, timely system patching, and good data privacy practices, including how to share information safely online and how to recognize phishing emails.
It’s all of our responsibility to teach children about the security risks associated with email accounts and internet access. This is no different than teaching kids to look both ways before crossing a street; their safety and welfare depend on their ability to stay safe online.
Additionally, schools should consider an outreach program to parents. A fun monthly or quarterly newsletter, written and researched by students, helps educate parents and students simultaneously.
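As an added example (not code from any of the experts quoted here), the following Python runs a message through the warning signs listed by Tom Kirkham and Andee Harston above: a sender on a public webmail domain, a look-alike sender domain such as Arnazon for Amazon (generalized to a few other confusable sequences), urgency wording, a generic greeting, and a link whose visible text names a different host than its destination. The domain lists, the urgency words, and the sample message in the test are constructed for this example; a real mail gateway or awareness tool would maintain its own.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed reference lists for this example; a school would maintain its own.
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
TRUSTED_DOMAINS = {"amazon.com", "example-school.edu"}
URGENCY_WORDS = {"immediately", "urgent", "asap", "cancellation", "notification"}
# Sequences that pass for another letter at a glance: "rn" for "m" turns amazon into arnazon.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def normalize(label):
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def sender_domain(from_header):
    addr = parseaddr(from_header)[1].lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""

def lookalike_of(domain):
    # Trusted domain the sender imitates; None if the sender is trusted or unrelated.
    label = domain.split(".")[-2:][0]          # brand label: arnazon.com -> arnazon
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None                        # the real domain or one of its subdomains
        if normalize(label) == trusted.split(".")[-2:][0]:
            return trusted                     # same brand label once confusables are undone
    return None

def host_of(u):
    return (urlparse(u if "://" in u else "http://" + u).hostname or "").lower()

def mismatched_links(html):
    # Links whose visible text names one host while the href leads somewhere else
    pairs = [(re.sub(r"<[^>]+>", "", t).strip(), h) for h, t in ANCHOR.findall(html)]
    return [(s, h) for s, h in pairs if LOOKS_LIKE_URL.fullmatch(s) and host_of(s) != host_of(h)]

def phishing_indicators(from_header, subject, body_html):
    flags, domain = [], sender_domain(from_header)
    if domain in PUBLIC_WEBMAIL:
        flags.append("public-webmail-sender")
    if lookalike_of(domain):
        flags.append(f"lookalike-domain:{domain}~{lookalike_of(domain)}")
    text = re.sub(r"<[^>]+>", " ", subject + " " + body_html).lower()
    if set(re.findall(r"[a-z]+", text)) & URGENCY_WORDS:
        flags.append("urgency-language")
    if re.search(r"\bdear (customer|user|member|account holder)\b", text):
        flags.append("generic-greeting")
    return flags + [f"link-mismatch:{s}->{h}" for s, h in mismatched_links(body_html)]
```

Each flag is one of the human checks above made mechanical; an empty list only means none of these particular signs fired, not that the message is safe.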
Use the old adage, ‘don’t talk to strangers’
Janis von Bleichert, Founder, EXPERTE.com
Generally speaking, phishing, ransomware, and malicious downloads all have one thing in common: they require the user to ‘get the ball rolling.’ Starting from that point, the best defense against getting infected with such files is to encourage faculty, students, or teachers to do nothing if they think something is ‘fishy’ or ‘too good to be true’.
Should a teacher or student have any doubt whatsoever about an email, a download, or an attachment, they should err on the side of caution. For schools, this can be done similarly to how students are instructed to ‘not talk to strangers’, albeit, in a digital context.
Apart from instilling a very healthy dose of care when opening links or downloading files, it’s also good to show faculty, staff, and students how to set up and use a quality, free antivirus or anti-malware suite. During our internal review process, Avast, Sophos, and AVG were the three best free suites we tested. Teachers can integrate installing and running virus scans into computer lessons, and show students how to enable real-time protection.
Finally, within browsers, it’s a good idea to introduce students and teachers alike to ad-blocking extensions, since this can also close off a lot of the avenues for an attack that malware can use to establish itself on computers.
While there are a lot of preventative measures for cybersecurity, nothing is 100% guaranteed. If something looks fishy (pun intended), it probably is phishing. Look at every detail of emails, install quality software to scan against attacks, and keep up to date with how hackers and others are scamming people every day.