Think. Check. Check again. – How to protect your school from email scams
Andrew Williams, UK Safer Internet Centre and SWGfL Online Safety Consultant, gives advice on how to keep your school safe from email scams.
According to research last year, 1 in 5 British schools and colleges experienced a cyber-attack, and 50% of those were targeted by a phishing scam. For those attacked, the loss of data (82%) and the cost of putting things right (47%) were the two greatest concerns.
Online scams continue to target schools and other educational establishments on a regular basis. According to 2018 statistics from Symantec, phishing accounts for 5.8% of global email, up 2.4% from the previous year. Proofpoint report that in the first half of 2018 the volume of phishing attacks increased by 36%. With 20% of employees clicking on the links in simulated attacks, the risks to corporate and personal security are all too clear. Whether the loss is personal information or hard-earned cash, the consequences can be damaging.
In January 2019, SWGfL received a raft of phishing emails forwarded from many schools. These indicate that the establishments involved had already been attacked and successfully penetrated. And they’re not alone… earlier this year parents at a large grammar school in the North East of England received scam emails offering a 25% discount on fees if they paid in Bitcoin. Fortunately, the school was quick to act and prevented any financial loss.
Scammers are getting more sophisticated, acquiring large amounts of information from different sources – legal and illegal, public and private – which enables them to produce more believable and personalised content. The problem is… which emails are real and which are scams? Answering this is a challenge, but what it really comes down to is:
Don’t believe everything you read online.
It’s a great line, but what does that mean?
Let’s distil this down into 5 key tips:
1. Be wary of links or buttons in emails…
Hover over them (or lightly press on mobile): is the link pointing to where you expect, or somewhere else? If it’s not a URL of the company, don’t go to it.
2. Check with the sender…
If it’s a genuine email, no company, or individual, will mind if you give them a call, or drop an email back (to an email address you have/know or found yourself online – hitting reply may not help).
3. Keep your personal details private…
Banks won’t ask for passwords. Think and check twice before entering personal details/passwords or other content on any website.
4. Email addresses can be faked…
That trusted friend’s email address in the ‘from’ field… might not be real. Just because it says it’s from them doesn’t mean it actually is.
5. Spelling…
Yes, even in today’s world of spell-checkers there may still be errors. Sometimes these are intentional (to avoid filters); other times they come from a lack of care, or something else. Either way, it’s a good sign the email is fake.
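As an added illustration (not part of the original article), the following Python script applies tips 1 and 2 mechanically to a constructed sample message: it flags a link whose visible text names a different site from the one the link actually points to, and a Reply-To header that would divert your reply away from the sender’s domain. Every domain in the sample is a made-up .invalid name.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: every domain is a reserved .invalid name, not a real scam.
SAMPLE_EMAIL = """\
From: "Head Teacher" <head@school-example.invalid>
Reply-To: payments@fees-example.invalid
Subject: Urgent: fee discount
Content-Type: text/html

<p>Confirm here: <a href="http://login-example.invalid/verify">https://www.school-example.invalid/portal</a></p>
"""
class _LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def _host(value):
    # Hostname of a URL, or of a bare domain used as link text; "" if the text is not a domain.
    if " " in value or "." not in value:
        return ""
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()
def phishing_warnings(raw):
    """Return the warning signs (tips 1 and 2) found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    warnings = []
    # Tip 1: does each link go where its visible text says it goes?
    collector = _LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        if _host(text) and _host(text) != _host(href):
            warnings.append(f"link text shows {_host(text)} but points to {_host(href)}")
    # Tip 2: 'hitting reply may not help' - a Reply-To on another domain diverts your reply
    sender_dom = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_dom:
        warnings.append(f"replies go to {reply_to}, not to the sender's domain {sender_dom}")
    return warnings
```

Run `phishing_warnings(SAMPLE_EMAIL)` to see both warnings; a message whose link text matches its target and which has no foreign Reply-To returns an empty list.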
Phishing is one way to get at your stuff and money, but what happens when the email includes something that’s true about you? That’s ‘spear-phishing’: the email includes a piece of personal information about you that lures you into believing or trusting it. For example, the email says “I know what your password is” and one of your passwords is in the email. This line was used in a ‘sextortion’ scam in 2017 and led to hundreds of users believing that images of them had been covertly captured. Some paid the ‘fee’; for others the resulting increase in anxiety was damaging enough. It’s unlikely that the scammers actually had the information they claimed to have; they probably got the password from a previously breached website – lists are available online for very little cost. But including it increases the believability of the email, and so the likelihood of success for the scammers.
So, being highly critical and carefully checking before clicking on links is imperative. In today’s fast-paced world, the scammers are relying on your haste to allow them into your data. Don’t forget that it’s not just your data that you have, but that of your learners and others. Keeping control of this data is a central requirement of the General Data Protection Regulation, but you knew that anyway, didn’t you?!
Don’t forget that you’re not alone; people have fallen for scams for a very long time. But in today’s world, that momentary poor decision can result in a whole heap of hassle. Ask any information security professional or IT technician and they’ll have a case to share. You’re the last line of defence: don’t let yourself, or your establishment, down.
Think. Check. Check again.
Originally posted in the SWGfL Magazine.