6 Cyber Threats for the New School Year

Cybercrime constantly evolves. If staying one step ahead of hackers is stretching your resources thin, you’re not alone. The Fund is here to support you. Here are six cyber threats you need to protect against this school year.

1. Business Email Compromise/Fraudulent Instruction

Business email compromise happens when highly sophisticated emails are crafted to appear to come from legitimate companies or third-party vendors affiliated with a school district. These emails may request sensitive information such as tax forms or Social Security numbers.

Fraudulent instruction is the transfer of funds by an employee to a third party as a result of deceptive information provided by a criminal claiming to be someone else, typically a vendor, client, or authorized employee.

These attacks are usually preceded by significant observation and research that allow cybercriminals to pretend to be legitimate business partners.

In some cases, hackers even infiltrate a company and send a “legitimate” email from within a partner organization. We have seen a significant increase in these attacks directed at the education sector.

This summer, a Connecticut school district made six payments totaling $6 million to cybercriminals posing as the district COO. Millions of dollars have been similarly stolen from Texas districts.

Download this cheat sheet to help your finance professionals fight cybercrime.

Important Fraudulent Instruction Requirement for Members

The Fund Data Privacy and Information Security Coverage Agreement requires members to independently authenticate payment-related instruction. Read Part C § 4.29 (A) of your agreement and make sure you understand the terms. If you don't COMPLETE the independent authentication process, we might be unable to cover your claim.

What Else Can You Do?

• Begin using a system of checks and balances so no single employee has the authority to change third-party financial information such as routing and account numbers without secondary authorization.
• Train your staff on common social engineering tactics such as spoofing, phishing, and spamming.
• Implement a policy that requires confirmation by a different method when vendors, contractors, or other external partners request a change in financial information. For example, if a contractor requests a routing number change in an email, make a phone call to an established point of contact to confirm the request is legitimate.
• Encourage staff, especially accounting staff, to think twice, then three times before complying with potentially suspicious financial requests.

2. MaaS/RaaS/Saas

Many organizations have incorporated software as a service into their network infrastructure. Software as a service enables easy updates and configuration of cloud-based software into local network environments. Malicious actors have mirrored this model and now offer dark web-based ransomware as a service (RaaS) and malware as a service (MaaS). 

In a related scam called SaaS ("swatting as a service"), students access the dark web and are hire malicious actors to phone in bomb threats or active shooter alerts to districts. In some cases, the goal is to avoid an exam. In other cases, students direct criminals to attribute the threat to a perceived enemy such as a peer. This cyberscam is growing quickly.

What Can You Do?

• Educate your staff about possible false alerts.
• Incorporate disciplinary actions into your acceptable use policy.
• Inform students about the repercussions.
• Offer tech-savvy students other avenues to use their skills. Examples include local cybersecurity teams, CyberPatriot, and Certified Ethical Hacker training.
• Work with local law enforcement to verify legitimacy of phoned-in threats.

3. Back-to-School Ransomware

Hackers prefer to hit early in the morning or late in the afternoon, especially Monday morning and Friday around quitting time. They hope employees will be focused on work opening/closing tasks, not quite awake, or distracted enough to mistakenly click a bad link or open a malicious file. This holds true in early fall, as employees attend to the details of a new school year. 

In March, Minneapolis Public Schools refused to pay a $1 million ransom to cybercriminals who locked down their network. The criminals responded by dumping 300,000 stolen files, including student medical records and discrimination complaints, onto the dark web.

What Can You Do?

1. Build strong relationships with your FBI field office and regional CISA cybersecurity advisor.
2. Maintain offline data backups.
3. Ensure all backups are encrypted.
4. Review vendor security.
5. Monitor external remote connections.
6. Develop and implement a recovery plan.

4. Cryptojacking

Cryptojacking occurs when hackers infect your system with malicious software, or malware, that mines digital currencies (cryptocurrencies) like Bitcoin and Ethereum. It takes a huge amount of processing and memory bandwidth to create these currencies, so hackers try to use your network resources to do the work for them.

Cryptojacking is a serious network security issue for two main reasons:

1. According to global cybersecurity company Kaspersky, cryptojacking can slow your entire system (servers, mobile devices, Internet of Things devices) by up to 70%. The drop system in performance does more than drain productivity. In some cases, infected mobile devices have overheated and caught on fire.
2. The malicious software that mines cryptocurrency also communicates back to the hackers, leaving a gaping hole in your network. Hackers can exploit the  opening by installing other malicious software. They could also order the existing malware to steal sensitive information or execute other commands.  

What Can You Do?

Kaspersky experts recommend these best practices for protecting your system against cryptojacking:

• Watch for unexpected system slowdowns. If Web browsing or email slows significantly, your system might be infected.
• Take note of mobile devices and laptops heating up and remaining hot.
• Have your IT team scan your network logs. They might notice suspicious outbound communication related to cryptojacking.
• As always, educate your team on safe browsing and email use, and keep firewalls and anti-virus systems up to date. Routine security patches and updates include defenses against new cryptojacking malware signatures.

Watch our on-demand webinar for a deep dive into cryptojacking and other malware targeting schools.

5. Grade Hacking

Grade hacking is the act of modifying official grades using digital methods. We have seen isolated instances of students changing grades by accessing staff computer terminals that had administrative privileges or grading system access. However, it appears grade hacking is becoming a systematic and ongoing threat.

Kaspersky discovered an internet marketplace full of services offering “grade hacking for hire” as well as a list of bugs in the most commonly used school information systems.

What Can You Do?

Kaspersky offers these prevention strategies:

• Introduce multiple forms of user authentication for information systems, especially for Web-based systems that might provide access to student records, grades, and assessments. Set strong and appropriate access controls so it’s not easy for a hacker to move through the system.
• Enforce a policy that requires network users to create strong passwords and frequently change them.
• Provide security awareness training for staff.
• Encourage everyone to keep their login credentials confidential.
• Maintain separate and secure wireless networks—one for staff, one for students, and another for visitors if you need it.
• Use a reliable security solution for comprehensive protection.

6. Unpatched Servers

In July 2021, Microsoft discovered a vulnerability in the print spooler service on the Windows operating system. The print spooler is an executable file that manages the process every time you send a document for printing.

The vulnerability, known as “Print Nightmare,” allowed malicious actors to install programs, modify data, and create new accounts with full administrative rights.

Microsoft rolled out security patches for all Windows Server versions, Windows 10, and surprisingly, even the discontinued Windows 7. This vulnerability was widely publicized, meaning that hackers worldwide knew about it as soon as your IT team did.

Organizations that don’t run updates and patches remain wide open to malware and other malicious attacks.

What Can You Do?

• Speak with your IT team regularly regarding your patching and updating protocols.
• Ensure that routine backups are run and that the backup system is functioning properly.
• Confirm with your IT team that the Microsoft Windows file-sharing protocol, known as Server Message Block 1, is patched or upgraded to versions 2 or 3 on your system.

Editor's note: This article was originally published in August 2019. It has since been updated for accuracy and comprehensiveness.