7 Phishing Awareness And Anti-Phishing Tips For The Education Sector

Seven Anti-Phishing Tips For The Education Sector
Naqiuddin zakaria/Shutterstock.com
Summary: Cybersecurity is in the spotlight, but until new policies and guidelines are in place, the onus is on institutions and their employees to prevent threats. Find out how phishing attacks have hit the education sector. What’s your role in stopping them? Learn more.

Here's How You Can Help Keep Your School Safe

In 2020, 60% of educational institutions experienced phishing attacks. A phishing attack can occur when an email, text message, or another type of communication appears to emanate from a reputable source (a colleague, a business contact) when in fact the correspondence comes from a cybercriminal. The message may ask for a username and password for an account, it may ask for wire transfer information, or it may simply instruct the recipient to click on a link or open an attachment.

Cybercriminals know that executives, admins, teachers, and students are easy targets. Although we wish that it were otherwise, this is uniquely true in the wake of the global coronavirus pandemic, when those within education ecosystems may be distracted, stressed, or exhausted, and hence more prone to clicking on a phishing email.

The Importance Of Phishing Awareness For The Education Sector

Phishing attacks can decimate education-focused groups. Previously, cybercriminals have made off with financial information, biometric data, academic progress reports, behavioral and disciplinary information, medical information, and other pieces of sensitive data. Ultimately, this has led to financial theft, identity fraud, and other forms of unnerving cybercrime. When phishing attacks succeed, the entire educational community of a given school is at risk.

The average school employee handles a tremendous amount of data; whether that’s behavioral information, financial information, or attendance records. The average employee likely handles more than 10,000 emails per year. Given the number of communications and the volume of data whirling across the internet, phishing awareness and phishing protection are key in maintaining a reputable and functional school environment.

What’s Happening 

In early June, the National Cyber Security Centre (NCSC) of the UK warned that cyberattacks in the education sector were rapidly increasing. At the top of their threat vector list? You guessed it—phishing.

A few short weeks later, education policy advocates in the US lobbied for additional cybersecurity funding to improve cybersecurity within public school districts. Federal funding could have a wide reach, protecting millions of individuals and thousands of organizations.

Research and policy represent critical means of combating cyber threats, including phishing. However, when it comes to avoiding phishing attacks, individuals at every level of the education sector have a role to play. From superintendents to administrators to teachers to students, there are core concepts to consider in order to reduce the risk of an institution experiencing a successful phishing attack.

7 Phishing Awareness And Anti-Phishing Tips For The Education Sector

  1. Think before clicking
    Do you know that children’s saying for crossing streets, "Stop, look, and listen"? The saying is oddly applicable to how educators and students may want to think about opening emails from unknown senders. Stop to evaluate the email. Is the salutation kind of strange? Does the URL look phony? Is someone asking for access to a particular account that you use? Look at the email closely. Are you sure that everything looks okay? Listen to your gut. Perhaps you should call the school administration to make sure that they sent you this email, not the impersonator.
  2. Train your students
    Craft a fun and entertaining lesson about phishing. Depending on the age of your students, you might want to explain that it’s an online form of "stranger danger." Also be sure to explain that students should avoid clicking on suspicious links or unexpected, strange-looking attachments. Show them concrete examples of how threat actors commonly doctor emails.
  3. Tell parents
    If you work with K-12 students who may need at-home assistance from parents or guardians while learning online, your organization may want to proactively provide parents with information about how to spot a phishing threat. It takes a village.
  4. Invest in phishing protection tools
    Broadly speaking, 80% of cybersecurity incidents are connected to phishing attacks. Strong anti-phishing technologies, including tools that can auto-update, make phishing avoidance easier. Seek out email security solutions with malware detection capabilities, language processing techniques, and click-through analysis.
  5. Endpoint security
    Sounds like a snooze? Your laptop is an endpoint. Your phone is an endpoint. Your students’ iPads are endpoints. Cyber attackers may attempt to either directly or indirectly use phishing attacks to target endpoints. Endpoint-focused cybersecurity solutions can swiftly spot and remediate malware issues that traditional email/phishing defense may fail to detect.
  6. Firewall security
    Are you a fan of medieval history? Yes, the flame throwers once defended the castle with physical firewalls. In the modern era, digital firewalls can help defend your virtual campus.
  7.  Cybersecurity expertise
    Ensure that your institution or organization works with IT administrators who have expertise in cybersecurity. A skeleton IT staff with limited cybersecurity knowledge may not be enough. Consider opening new cybersecurity roles, such as some public sector groups [1] are doing.


85% [2] of organizations state that employees have accidentally shared sensitive information with phishers and social engineers. The best means of combating phishing fraud include raising awareness about phishing, implementing a robust suite of capable cybersecurity technologies, and ensuring that you leverage IT professionals to monitor and audit computing systems. Stay cyber-safe and phish-free!


[1] After phishing attack, Cobb County beefs up cyber defense

[2] What you need to know about phishing