What if one email cost you $1.5 million?

How Salem-Keizer School District faces the rising tide of phishing attacks

The email itself was unremarkable. It arrived on a weekday in June, addressed to the accounts payable department of the Salem-Keizer School District. It came from a company working on school construction (let's call them Acme Construction) with a simple request: would they mind updating the direct deposit with the following information?

This email wasn't from Acme Construction. It was from hackers who had done their homework. They'd registered a domain mimicking the company's: acmeconstruction.us instead of acmeconstruction.com. They replicated the company's website, in its entirety, on their new domain. They even knew, through snooping, that this employee used a shortened version of their name, and addressed them as such.

But after years of training, the employee was prepared and promptly forwarded the email to Bob Silva, and in doing so saved the district from losing $1.5 million.
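The scam above hinged on a lookalike sender domain (acmeconstruction.us standing in for acmeconstruction.com) paired with a request to change where payments go. The following is an added example, not code from the article, the district or KnowBe4, showing how an accounts-payable inbox or mail gateway could flag exactly that combination before a person has to spot it. The vendor allowlist, the sample message and the district address are constructed placeholders, and the domain splitting is deliberately simplified (last label treated as the TLD), which is enough for the .com/.us swap described here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor allowlist (hypothetical). A real deployment would load
# this from the accounts-payable vendor master file.
KNOWN_VENDOR_DOMAINS = {"acmeconstruction.com", "valley-bus-lines.com"}

# Phrases that indicate a request to change where money is sent.
PAYMENT_CHANGE_RE = re.compile(
    r"direct deposit|routing number|account number|bank details|wire (?:transfer|instructions)",
    re.IGNORECASE,
)

# Ranking used when a message carries more than one sender-ish address.
_SEVERITY = {"known": 0, "unknown": 1, "lookalike": 2}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming row method."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Split 'acmeconstruction.us' into ('acmeconstruction', 'us').
    Simplified: the last label is treated as the TLD."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def classify_sender(address: str, known=KNOWN_VENDOR_DOMAINS):
    """Return (status, reason); status is 'known', 'lookalike' or 'unknown'."""
    domain = address.rpartition("@")[2].lower()
    if domain in known:
        return "known", f"{domain} is an allowlisted vendor domain"
    name, tld = split_domain(domain)
    for vendor in known:
        vname, vtld = split_domain(vendor)
        if name == vname and tld != vtld:
            return "lookalike", f"{domain} reuses the name of {vendor} under a different TLD"
        if edit_distance(name, vname) <= 2:
            return "lookalike", f"{domain} is within two edits of {vendor}"
        if vendor in domain:
            return "lookalike", f"{domain} embeds the vendor domain {vendor}"
    return "unknown", f"{domain} is not a known vendor domain"


def review_message(raw: str, known=KNOWN_VENDOR_DOMAINS) -> dict:
    """Triage one RFC 822 message: hold lookalikes and unknown senders asking
    to change payment details; route payment changes from known vendors to
    out-of-band verification; otherwise deliver."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    body = "" if msg.is_multipart() else msg.get_payload()
    payment_change = bool(PAYMENT_CHANGE_RE.search(f"{msg.get('Subject', '')}\n{body}"))

    status, reason = classify_sender(from_addr, known)
    reasons = [reason]
    if reply_addr.lower() != from_addr.lower():
        # A mismatched Reply-To is a classic way to redirect the conversation.
        r_status, r_reason = classify_sender(reply_addr, known)
        reasons.append("Reply-To differs from From: " + r_reason)
        if _SEVERITY[r_status] > _SEVERITY[status]:
            status = r_status

    if status == "lookalike" or (payment_change and status == "unknown"):
        verdict = "hold"      # quarantine and escalate to IT/security
    elif payment_change:
        verdict = "verify"    # confirm by phone using the number on file
    else:
        verdict = "deliver"
    return {"verdict": verdict, "status": status,
            "payment_change": payment_change, "reasons": reasons}


# Constructed sample messages (not real mail from the district).
SAMPLE_EMAIL = """\
From: "Acme Construction Billing" <ap@acmeconstruction.us>
Reply-To: ap@acmeconstruction.us
To: accountspayable@district.example
Subject: Updated direct deposit information

Hi Bob, we have changed banks. Please update our direct deposit with the
account and routing number in the attached form before the next payment.
"""

LEGIT_EMAIL = """\
From: "Acme Construction Billing" <ap@acmeconstruction.com>
To: accountspayable@district.example
Subject: Updated direct deposit information

Please update our direct deposit with the attached bank details.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_EMAIL, LEGIT_EMAIL):
        print(review_message(sample))
```

Note that a payment-change request from an allowlisted domain still gets a "verify" verdict rather than "deliver": a vendor's own mailbox can be compromised, so the check is a triage aid that tells staff which messages need a phone call to the number already on file, not a replacement for that call.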

Silva, who has served as the director of technology and information services for SKSD since 2015, credits constant staff security trainings, supplemented by a healthy dose of fear, but still stays up at night worried that this won't be enough.


Across the U.S., hackers are increasingly targeting educational institutions in addition to corporate and government targets. They've found victims who are, in many cases, woefully unguarded; in one case exactly mimicking the scam above, they stole $1.9 million from a university, and the money could not be recovered.

Attacks against schools are on the rise in both scope and severity. In late July, Louisiana Gov. John Bel Edwards declared a statewide emergency after malware attacks disabled three school districts and seemed poised to spread to other government agencies. It was a sufficient threat that the Louisiana National Guard, Louisiana State Police, the state's Office of Technology Services and Louisiana State University, among others, joined in the fight.

While it's not just schools that can fall victim (Facebook and Google lost a combined $500 million to similar direct-deposit scams), SecurityScorecard's 2018 Education Cybersecurity Report notes that out of the 17 major industries in the U.S., education comes in last place for overall security.

A phishing email that was sent to Salem-Keizer employees, which perfectly mimicked an email from CIO Bob Silva.

The threat arrives on multiple fronts: the proliferation of software and devices in the classroom leaves schools with weak points, while overtaxed IT departments don't upgrade rapidly or regularly. Adding to the complications are questions of FERPA (Family Educational Rights and Privacy Act) compliance, which can limit options and demand even more from IT.

Then, of course, there is the biggest vulnerability of all: each and every employee (and, sometimes, parent and student) having to properly evaluate each and every email they receive.

"The bad guys only have to win once, but we have to win every time," said Erich Kron, a KnowBe4 cybersecurity evangelist. He entered the field in the 1990s, eventually becoming the security manager at the 2nd Regional Cyber Center for the Army.

Phishers target and scam in constantly evolving ways. But, Kron noted, like con artists and grifters since time immemorial, they succeed by playing to human psychological vulnerabilities.

"If you get an email, or a phone call, or a text message that elicits an emotional response, be very cautious with it," Kron said. "They use emotions to get (you) to bypass critical thinking: they use anger, they use fear, they use urgency."


A perfect example, he said, is a message that looks as though it comes from a boss demanding immediate action, which people too often take. In fact, one phishing scheme targeting SKSD looked like it had come from Silva himself, asking employees to open and read a Google Doc.

That stress and urgency cause people to act fast.

"Of those people who click (on an unsafe link in an email), 55 percent do it within an hour," Kron said.

On the other hand, Silva said, he uses those same emotions to reinforce the need for constant vigilance.

When asked whether he has trouble instilling the right amount of fear in employees, he laughed.

"It's easy to give them the proper level of fear, and I'm good at that," he said. "I tie it to their personal lives rather than the effect at work. It's not a knock against them. They've got a lot of other stuff to worry about. They've got 30 kids in the classroom and 60 parents. But you start talking about their bank account and their kids? They start listening."

After the simulated phishing attack, KnowBe4 alerts administration and staff to vulnerabilities, then offers ongoing training.

As part of staff awareness efforts, Silva has partnered with KnowBe4, which specializes in launching simulated phishing attacks against organizations. These simulated attacks help identify vulnerable groups or individuals; KnowBe4 then offers extensive employee trainings.

"After we do a simulated phishing attack, we analyze the results and, based on who became a victim, we report back to all staff in what we call a Phish Tank episode."

Still, Silva said, cybersecurity is a mountainous task for the district. He estimates they get 50 unique phishing attacks per day (which means thousands in total, as each one goes out to so many recipients). He has a team of four to work on this, and estimated that it takes the equivalent of one full-time employee.

In every KnowBe4 simulated campaign, he said, all student records have been compromised.

"Not just the current students; students going back ten years," he said, adding that $148 is the industry-standard cost per lost record.

"So you're talking about 300,000 records at $148 per record; that's $44.4 million," he said, adding that there is also the potential for legal consequences.

"There's nothing that would prevent the federal government from investigating a school after a data breach, finding them negligent and charging a fine."

The problem is not going to get better, he said, and is instead getting actively worse. He noted that a 12-character password that might have taken a quintillion years to crack a few years ago now takes three years.

"That changes the standard, because that's for one password. You put a network of computers together, and you're down to weeks and months."

This, he said, is combined with increasingly clever techniques.

"The creative ones will start impersonating parents. They're just getting smarter," he said. "There's two things they're after: our student information systems and our money. Right now, they're generally after the money."

That may soon change, he said, especially when considering the depth of information schools now gather on their students.

"They haven't figured out the value of our student info yet," he said. "As soon as hackers find out how easy it is to get a bunch of fresh, clean identities, school districts across Oregon, across the United States, who have kept their heads in the sand are hosed. There's nothing they're going to be able to do to prevent the breach."

Kelly Williams Brown
