A Texas school district fell victim to an email phishing scam, costing the district $2.3 million.
Phishing emails were sent to the Manor Independent School District (ISD) in November, leading to three separate transactions, reports ZDNet. Phishing is the practice of sending fraudulent emails or making fraudulent calls in an attempt to convince someone to hand over sensitive information or pay a fake invoice.
The content of the emails and who made the payments are not yet known. An employee discovered the scheme a month later, leading to the involvement of the FBI and the Manor Police Department. A press release from the district said the investigation is ongoing and there are “strong leads.”
“This is money taken away from the kids, and the school district’s funds, taxpayer money. Unfortunately, stuff like this happens all the time, it’s just usually not to this magnitude,” said Manor Police Sergeant Craig Struble. “They could use a similar email from somebody you know and trust, they learn information that way, maybe change a word or two so you respond with information. It could be a domain.”
Manor ISD is hardly the first district to fall victim to cybercrime, although phishing scams are less common than other types of cyberattacks. In 2018, Crowley Independent School District near Dallas lost nearly $2 million as a result of an email phishing scam. In April 2019, Scott County Schools in Georgetown, Ky., lost $3.7 million.
A report from the K-12 Cybersecurity Resource Center found there were 122 publicly disclosed cyberattacks at 119 K-12 public education institutions in 2018, averaging out to an attack every three days. Of those attacks, 15.57% were phishing scams (approximately 20). Below is a breakdown from the report of the types of cyberattacks schools experienced in 2018.
Report author Doug Levin maintains an interactive map of publicly disclosed K-12 cybersecurity incidents. Since 2016, there have been over 700 incidents, according to the map. Levin estimates as many as 10 to 20 times more undisclosed breaches occurred in 2018 within the education sector.
According to the Federal Trade Commission (FTC), phishing emails or text messages may:
- Say they’ve noticed suspicious activity or log-in attempts
- Claim there’s a problem with your account or your payment information
- Say you must confirm personal information
- Include a fake invoice
- Ask you to click on a link to make a payment
- Say you’re eligible to register for a government refund
- Offer a coupon for free items
For more information on how to recognize and avoid phishing scams, visit the FTC’s website.