How does your school’s report card rate for defence against phishing attacks?

#1 Phishing risk is staff, student or parent complacency

Read the article

Share this story

Read Time: 5 minutes

With the frenetic levels of white noise on social media and in the news about phishing attacks, cyber security and data breaches, it’s easy to slip into the mindset that IT security vendors are scaremongering, or take the view that “it won’t happen to our school – our users are too savvy to click on dubious links or attachments”.

While some of those assumptions may not be entirely incorrect, at the same time taking a complacent attitude to the threats of phishing attacks in the current digital environment is risking negligence. And it’s not just users that can be phished – it’s happening to parents too.

The financial and reputational damage to schools can be significant, and given the range of solutions available to guard against attacks, there really is no excuse for not getting a good report for your security defences. In this and a series of other similar articles on email security and phishing attacks, we’re looking more closely at the human factors involved in the attacks – and the inherent vulnerabilities this brings to schools’ cyber defences.

In this first article, we focus on the danger of complacency, and real-world scenarios in which the best laid IT policies and training can easily fail an exam!

Our school is well prepared – what risks could there be?

Although many schools now have sound policies, IT charters, formal staff training and awareness programmes, processes in place for reporting and managing security breaches (or suspected breaches), and largely and increasingly tech-savvy staff, there are still risks.

The first of these risks is the ever-increasing quality of phishing emails and the human factors that entails.

It’s always someone else that gets phished…. right?


An IT teacher, an extremely tech-savvy professional with over 20 years working with and in IT, came extremely close to clicking a link in what turned out to be a phishing email notification that appeared to be from SharePoint. It appeared to be so genuine that the only thing that prevented a click-through and the consequences that could have ensued was the fact that he knew that his colleague was on sick leave, and was not at work.

This begs the question, if he did not know that the supposed sender was on holiday, he could have clicked it. The school doesn’t have additional security layers on its email system, just the standard features included in Microsoft 365 (more on that in a later article).

So however clued up you think your users are, IT teams should be wary of sitting pretty and thinking that everyone has been through the training, signed up to the IT charter, and knows where to report things. That is all great practice – but a safety net is also needed. And all this is without taking parents, and the scams that can hit them into account.

IT teams should be wary of sitting pretty and thinking that everyone has been through the training, signed up to the IT charter, and knows where to report things.
Top marks – or resitting the exam?

The situation outlined happened to the tech-savvy IT manager, but it could equally have happened to any member of staff or parent of the school. The email could have been “from” a colleague that wasn’t on sick leave, and therefore the red flag wasn’t raised and someone could have clicked the link in good faith.

The quality of phishing emails are sadly getting better and better, and they could range from anyone from the headmaster with an internal memo to the accounts department to all the school’s parents with a malware-infested invoice attachment.

The question to ask is whether these scenarios or outlandish or fanciful – and you don’t need to take our word for it. A quick Google search of phishing attacks on private schools in the UK can be pretty eye-opening. If you still think it is fanciful, we challenge you to take our 2-minute test to find out how good your email security actually is – not how good you think it is. Being complacent about this could mean your school quickly finds itself at the bottom of the class!

Take the 2 minute Email Security Test

Phishing is obviously a hot topic at the moment, so there’s plenty of further reading on MYREDFORT. Over the coming weeks in this series of articles on the theme of the human factors of phishing attacks, we’ll be examining how staff can become targets as a result of databases being breached, the risks of relying solely on Microsoft 365 security, emerging trends in phishing, and a “how-to of hackers”, so stay tuned.

For now, this article in particular outlines 4 steps to safer emails.

Rate the Article

Click the link below to rate this article

Rate this article
Have you also seen...
Test your Email Security Now

This tool tests if your email server is correctly configured to stop common threats.

Learn more
Remote working ‘Must Have' Technologies

90 days no cost, no commitment, no fuss technology deals for remote working quick wins

Learn more
Forrester predictions 2023

Get your free Predictions 2023 Guide.

Learn more
Bright Security - Web Application Security: Top Threats and 6 Defensive Methods

Top Threats and 6 Defensive Methods

Learn more
Teams: the one-stop IT app

The one-stop IT app

Learn more

Mitigating risk from endpoint apps

Learn more
About Libraesva

An email content gateway solution ESVA – Email Security Virtual Appliance – won the Computing Security Award as ‘Antispam of the Year’ solution 2014-2016

It was recognised by the prestigious Virus Bulletin as one of the best and effective systems of protection and analysis of email content, Libra ESVA was selected by Securefort to address email security in the SMB sector.

Learn more
You can’t protect what you can't see!

30 days no cost, no commitment, no fuss technology deals for remote working quick wins:

Learn more

We're a community where IT security buyers can engage on their own terms.

We help you to better understand the security challenges associated with digital business and how to address them, so your company remains safe and secure.

Other articles in this category
Interested in what you see? Get in touch, and let's start a conversation Get in touch