Don’t Take the Bait: A Texas K‑12 Guide to Phishing & Social Engineering
Phishing is a deceptive message sent by email, text, chat, or phone call designed to trick staff into clicking a malicious link, entering credentials, or sending money. Behind these attacks is social engineering: psychological manipulation that uses urgency, authority, or trust to pressure people into bypassing cybersecurity policies. Teaching staff to recognize suspicious messages, avoid falling for scams, and implement quick, effective defenses is key to preventing costly mistakes.
Why Schools Get Hooked
Cybercriminals target schools because they’re full of busy inboxes, helpful staff, and systems that handle sensitive data and money. Most school-related cyber incidents begin with a convincing message that urges someone to act quickly and click a link, sign in, or transfer funds.
Spot The Phish: The Five Most Common Lures
- “Urgent—don’t call, just do it.” — Pressure to act fast or keep it secret is a red flag. Stop and verify.
- “We changed banks—update today.” — Always call a known number before changing vendor or payroll information.
- “Shared document—sign in to view.” — Hover to preview links; when unsure, report it instead of clicking.
- MFA push bombing — Deny unexpected multifactor authentication prompts and report them immediately. Learn more about MFA push bombing.
- Help desk or leader impersonation — Do not reset passwords or approve wire transfers based on caller ID or email alone.
Bait-Proof Your District
Adopt a district cybersecurity policy, designate a Cybersecurity Coordinator, and report qualifying incidents (login required) to the state within 48 hours. Smaller districts should consider taking advantage of the TEA K‑12 Cybersecurity Initiative to implement budget-friendly endpoint protection and access ESC technical support.
Cast A Stronger Net
A combination of trained staff, strong processes, and tech-powered tools strengthens school cyber defenses against phishing and other cybercrime.
People (All staff • Finance/HR • IT)
- Host 10‑minute micro‑lessons each month (plus a short annual refresher) → Staff report more suspicious messages and click less often.
- Authenticate third-party payment-related instructions independently from the received communication (Finance/HR) → Stops payroll and vendor diversion scams before money moves.
- Click the “Report Phishing” button on any suspicious email → Flags suspicious emails and instantly triggers response processes.
Fraudulent Instruction Requirement for Fund Members
The Fund Cyber Liability and Security Coverage Agreement requires members to authenticate third-party payment-related instructions independently from the received communication. Do not rely upon contact information within the payment request communication when contacting third parties for authentication purposes, and always verify contact information changes that occur during your relationships with third parties. If you don’t authenticate the instruction as indicated under § 4.29 (A), coverage likely will not apply. Please read § 4.29 of your coverage agreement and make sure you understand the terms.
Process (Leaders • Finance/HR • IT)
- Require dual approval for any banking change; post the policy on your intranet → Creates a speed bump for fraud and aligns staff behavior.
- Use help‑desk identity proofing (no password resets from caller ID; require HR‑verified data) → Prevents social‑engineered password resets and takeovers.
- Conduct a 30‑minute tabletop each quarter; rotate scenarios (mailbox takeover, payroll diversion, vendor spoof) → Roles are clear and response time drops during real events.
- Add a “Report Phishing” button to your intranet → Routes issues to the right mailbox and boosts timely reporting.
Technology (IT)
- Join the Multi‑State Information Sharing & Analysis Center and enable Malicious Domain Blocking & Reporting; confirm your Cybersecurity Coordinator → Known‑bad domains are blocked automatically, and responsibilities are clear.
- Enforce Multi‑Factor Authentication for everyone; start email authentication (SPF, DKIM, DMARC) and publish a 1‑page payment‑verification policy → Prevents most account takeovers and reduces payroll/vendor fraud.
- Request TEA‑supported Endpoint Detection & Response (if eligible); verify email/identity log retention → Faster detection and triage when something slips through. Learn more about the TEA K‑12 Cybersecurity Initiative.
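As an added illustration of the email-authentication item above (example code, not TASB’s or the Fund’s), the Python below checks draft SPF and DMARC records as plain strings for the settings that leave a domain spoofable, showing a typical weak draft beside its hardened version. The domains and addresses are constructed placeholders; DKIM is left out because it needs a signing key rather than a policy string.

```python
import re  # records are checked as strings, so no DNS access is needed
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|exists|ptr|redirect)\b")  # each costs a DNS lookup
ALL_TERM = re.compile(r"^([+\-~?]?)all$")
WEAK_ALL = {  # qualifier on 'all' -> why it is weak; '-' (hard fail) is the goal
    "+": "'+all' authorizes every host on the internet to send as your domain",
    "?": "'?all' is neutral: spoofed mail neither passes nor fails",
    "~": "'~all' is soft fail: spoofed mail is tagged, not rejected",
}

def check_spf(record: str) -> list[str]:
    """Return findings for one SPF TXT record; [] means no weakness found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    mechs = [t.lower() for t in terms[1:]]
    findings = []
    qualifiers = [m.group(1) or "+" for m in map(ALL_TERM.match, mechs) if m]
    if not qualifiers:
        findings.append("no 'all' mechanism: unlisted senders are not rejected")
    elif qualifiers[0] in WEAK_ALL:
        findings.append(WEAK_ALL[qualifiers[0]])
    if sum(1 for m in mechs if LOOKUP_TERM.match(m)) > 10:
        findings.append("more than 10 DNS lookups: receivers return permerror")
    return findings

def check_dmarc(record: str) -> list[str]:
    """Return findings for one DMARC TXT record; [] means no weakness found."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports on spoofing")
    return findings

# Constructed records: a typical first draft beside the hardened version.
WEAK_SPF = "v=spf1 include:_spf.example.net ?all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.net"
```

Run the checks against the records you plan to publish; an empty list means the record carries none of the weak settings listed.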
Reel It In: Your First-Hour Response
- Isolate the device (remove from Wi‑Fi/VLAN).
- Reset the user’s password; revoke tokens/sessions; re‑enroll multi‑factor authentication.
- Remove malicious inbox rules/forwarding; search and quarantine look‑alike messages system-wide.
- Open your incident‑response checklist; keep a time‑stamped log of actions and observations.
- Fund members with Cyber Liability and Security coverage should contact us immediately to report the incident and get coordinated support.
- If criteria (login required) are met, report the incident to the state within 48 hours (work with your Cybersecurity Coordinator).
- Alert Finance/HR if money or payroll could be affected.
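As an added example for the “remove malicious inbox rules/forwarding” step (not part of the original article or of any mail vendor’s tooling), the Python below triages inbox rules exported from the mail system for the patterns seen in mailbox takeovers: forwarding outside the district, deleting or hiding mail, and filters on payment or credential keywords. The flat dictionary layout of an exported rule, the district domain and the three sample rules are all constructed assumptions.

```python
# Assumed export shape: one dict per rule with mailbox, name, conditions and actions.
INTERNAL_DOMAINS = {"example-isd.org"}   # constructed: the district's own mail domains
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "junk email", "deleted items", "archive", "notes"}
FRAUD_WORDS = {"invoice", "payment", "wire", "payroll", "direct deposit",
               "bank", "password", "mfa", "verification"}

def triage_rule(rule: dict) -> list[str]:
    """Return the reasons one rule looks intruder-created; [] means nothing found."""
    reasons = []
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("blank or one-character rule name, typical of rules added by intruders")
    for addr in rule.get("forward_to", []):
        if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            reasons.append(f"forwards mail outside the district to {addr}")
    if rule.get("delete"):
        reasons.append("deletes matching mail so the mailbox owner never sees it")
    if (rule.get("move_to") or "").lower() in HIDE_FOLDERS:
        reasons.append(f"hides matching mail in a rarely checked folder ({rule['move_to']})")
    text = " ".join(rule.get("subject_contains", []) + rule.get("body_contains", [])).lower()
    hits = sorted(w for w in FRAUD_WORDS if w in text)
    if hits and reasons:  # keywords only count when paired with a hiding/forwarding action
        reasons.append("filters on payment or credential keywords: " + ", ".join(hits))
    return reasons

def triage_rules(rules: list[dict]) -> dict[str, list[str]]:
    """Map 'mailbox:rule name' -> reasons, for the rules that need an analyst's eyes."""
    return {f"{r['mailbox']}:{r.get('name', '')}": triage_rule(r)
            for r in rules if triage_rule(r)}

# Constructed export: three rules from two staff mailboxes.
SAMPLE_RULES = [
    {"mailbox": "teacher@example-isd.org", "name": "Newsletters",
     "subject_contains": ["Newsletter"], "move_to": "Reading"},
    {"mailbox": "payroll@example-isd.org", "name": ".",
     "body_contains": ["invoice", "wire transfer"], "delete": True,
     "forward_to": ["billing.relay@mail-example.net"]},
    {"mailbox": "payroll@example-isd.org", "name": "Payroll",
     "subject_contains": ["direct deposit"], "move_to": "RSS Feeds"},
]
```

Every flagged rule should be removed and logged with its reasons in the time-stamped incident log.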
Important coverage notice: If you suspect an attack, contact the Fund immediately. Do not hire an outside incident‑response company first. Doing so may affect coverage. We’ll help you assess, contain, and coordinate next steps.
Phishing is a People Problem: Tackle it Together
Phishing isn’t just a tech issue; it’s a human issue. The best defense is a proactive team: pause and verify unexpected requests, use multi-factor authentication, and follow the first-hour response checklist. Fund members with Cyber Liability and Security coverage should report suspected attacks immediately. Together, we can spot the bait, avoid the hook, and keep our schools sailing safely.
Resources
- Texas Department of Information Resources Incident Reporting
- Texas Education Agency K-12 Cybersecurity Initiative
- Multi-State Information Sharing & Analysis Center (MS-ISAC) Malicious Domain Blocking & Reporting
- K12 SIX — Essentials and Incident Response Runbook
- Cybersecurity and Infrastructure Security Agency Protecting Our Future Report (K-12 Recommendations)

Kendra Estes
Kendra Estes joined TASB Risk Management Services in 2025. She and her team of special risk consultants provide guidance and support to Texas school districts in identifying, mitigating, and managing risks that impact operations, safety, cybersecurity, and compliance. Before joining TASB, she served as director of health and safety, as well as risk management coordinator, for Hutto ISD, where she developed and implemented strategies to improve workplace safety, reduce liability, and enhance district-wide risk awareness.