6 Cyber Threats for the 2024-25 School Year

Cybercrime constantly evolves. If staying one step ahead of hackers is stretching your resources thin, you’re not alone. The Fund is here to support you. Here are six cyber threats you need to protect against this school year. 

1. Artificial Intelligence (AI) 

School employees may use AI-powered tools for a variety of tasks: creating lesson plans, automating administrative duties, anticipating and addressing equipment failures. Cybercriminals use the same technology to do their jobs better, too. And educators are on alert. 

In a May 2024 report from the Consortium for School Networking: 

• 63% of district tech leaders feared cybercriminals would harness AI to launch increasingly complex cyberattacks. 
• 49% were concerned teachers lacked the training to navigate AI integration into instruction and student use of AI for composition. 
• Other concerns included new methods of cyberbullying via deepfakes, the intentional spread of misinformation, and threats to student data privacy. 

What You Can Do 

1. If your school board has already adopted an AI policy, familiarize yourself and adhere to it. If your organization hasn't adopted a policy, reach out to your TASB policy consultant for assistance with language to address AI in your local policies and administrative regulations. 
2. Include AI guidelines in your local acceptable use policy (AUP). These guidelines should address how staff and students are permitted to use AI in teaching and completing assignments 
3. Address disciplinary actions for cyberbullying and spreading misinformation in your AI policy. 
4. Ensure that patches and updates to your firewalls, operating systems, software platforms, and other security appliances are installed promptly. 
5. Educate your staff on AI-driven social engineering techniques. Remember that video and audio impersonation are getting more sophisticated. 

2. Business Email Compromise/Fraudulent Instruction 

Business email compromise happens when highly sophisticated emails appear to come from legitimate companies or third-party vendors. These emails may request sensitive information such as tax forms or Social Security numbers. Similarly, fraudulent instruction is the transfer of funds by an employee to a third party as a result of deceptive information provided by a criminal claiming to be someone else, typically a vendor, client, or authorized employee. 

These attacks are usually preceded by significant observation and research that allow cybercriminals to pretend to be legitimate business partners. In some cases, hackers even infiltrate a company and send a “legitimate” email from within a partner organization. We have seen a significant increase in these attacks directed at the education sector. 

A Connecticut school district made six payments totaling $6 million to cybercriminals posing as the district COO. Millions of dollars have been similarly stolen from Texas districts. 

Fraudulent Instruction Requirement for Fund Members 

The Fund Data Privacy and Information Security Coverage Agreement requires members to authenticate a payment-related instruction independently from the received communication. Read Part C § 4.29 of your agreement and make sure you understand the terms. If you don't authenticate the instruction as indicated under § 4.29 (A), coverage likely will not apply. Do not rely upon information within the payment request when contacting third parties for authentication purposes, and always verify contact information changes that occur during your relationships with third parties. 

What You Can Do 

1. Begin using a system of checks and balances so no single employee has the authority to change third-party financial information such as routing and account numbers without secondary authorization. 
2. Implement a policy that requires confirmation by a different method when vendors, contractors, or other external partners request a change in financial information. For example, if a contractor requests a routing number change in an email, call an established point of contact to confirm the request is legitimate. Do not change financial information until the established point of contact confirms the request is legitimate. 
3. Train your staff on common social engineering tactics such as spoofing, phishing, and spamming. 
4. Encourage staff, especially accounting staff, to think twice, then three times before complying with potentially suspicious financial requests. 

3. Back-to-School Ransomware 

Hackers prefer to hit early in the morning or late in the afternoon, especially Monday morning and Friday around quitting time. They hope employees will be focused on work opening/closing tasks, not quite awake, or distracted enough to mistakenly click a bad link or open a malicious file. This holds true in early fall, as employees attend to the details of a new school year.  

In March 2023, Minneapolis Public Schools refused to pay a $1 million ransom to cybercriminals who locked down their network. The criminals responded by dumping 300,000 stolen files, including student medical records and discrimination complaints, onto the dark web. 

What You Can Do 

1. Build strong relationships with your FBI field office and regional CISA cybersecurity advisor. 
2. Maintain offline data backups. 
3. Ensure all backups are encrypted. 
4. Review vendor security. 
5. Monitor external remote connections. 
6. Develop and implement a recovery plan. 

4.Multi Factor Authentication (MFA)

Multi factor authentication has been a long-standing recommendation for improving network security. Often, attempts to implement MFA meet resistance from users who have password fatigue and are not excited about incorporating another login or form of verification into their daily routine. However, Microsoft has stated that organizations that employ MFA are 99% less likely to suffer a successful cyber attack than organizations that do not.

Case Study 

In December of 2024, a hacker gained access to a ‘maintenance account’ within the PowerSchool network. PowerSchool provides a well-known student information system (SIS) to school districts across the country. This system contains information like names, birthdays, social security numbers, and parent/guardian information. The compromised account had not employed multi factor authentication and as a result, the information of roughly 62 million students was compromised.

What You Can Do 

1. MFA is easily accessible at low, or no, cost. Depending on your operating system or software platform, you likely already have access to MFA solutions, they simply need to be configured.
2. If your system doesn’t already include an MFA option, there are resources at the federal and state level to assist you in implementing this critical safeguard.
3. If you need assistance with configuration of your existing utilities, or access to governmental resources available to you, reach out to the fund for more help!

5. MaaS/RaaS/SaaS 

Many organizations use software as a service to easily update and configure cloud-based software into local network environments. Malicious actors have mirrored this model to offer dark web-based ransomware as a service (RaaS) and malware as a service (MaaS).  

In a related scam called SaaS ("swatting as a service"), students access the dark web and hire malicious actors to phone in bomb threats or active shooter alerts to districts. In some cases, the goal is to avoid an exam. In other cases, students direct criminals to attribute the threat to a perceived enemy such as a peer. This cyberscam is growing quickly. 

What You Can Do 

• Educate your staff about possible false alerts. 
• Incorporate disciplinary actions into your acceptable use policy. 
• Inform students about the repercussions. 
• Offer tech-savvy students other avenues to use their skills. Examples include local cybersecurity teams, CyberPatriot, and Certified Ethical Hacker training. 
• Work with local law enforcement to verify whether phoned-in threats are legitimate. 

6. Unpatched Servers 

Software companies release patches to address security gaps in their products. Unpatched servers leave networks vulnerable to cyberattacks such as LockBit 3.0, which was responsible for an increase in ransomware attacks against schools in 2023.  

What You Can Do 

• Speak with your IT team regularly regarding your patching and updating protocols. 
• Ensure that routine data backups are run and that the backup system works properly. 
• Confirm with your IT team that the Microsoft Windows file-sharing protocol, known as Server Message Block 1, is patched or upgraded to versions 2 or 3 on your system. 

Editor's note: This article was originally published in August 2019. It has since been updated for accuracy and comprehensiveness.