School districts manage many traditional risks, including operational, compliance and program risks, as part of their daily operations. Cybercriminals, however, are putting a new risk on your radar – the “click risk.”
The days of obvious and even comical scams to steal your money or information are history. Today’s cybercriminals are sophisticated and have become a pervasive part of our day by using well-thought-out attacks to lure unsuspecting employees into sending them money and confidential information via simple email clicks. Proven tactics for generating email clicks include mimicking legitimate companies’ emails, using readily available social media or school district websites to create personalized emails, and using phony emergencies to prompt quick action. All of these methods have the same goal: steal your money or gain access to your network.
How does it work?
Cybercriminals are taking advantage of our busy lives and full email inboxes by developing realistic emails that include plausible requests targeting you and your co-workers. For example, using social media or even the employee directory available on your district’s website, cybercriminals will send a reasonable request such as “change your password” or “transfer money to this account” to a district employee from another district employee or vendor. The email will look legitimate but, once an employee clicks on it, malicious software could be installed on that computer, giving the cybercriminal access to software and passwords. Other attacks could even walk an employee through sending money directly to cybercriminals.
Recently, in Florida, a city employee was tricked into following instructions in an email sent by a cybercriminal. As a result, malicious software was installed that locked the city out of their email and computers. The city’s systems remained locked until they paid the cybercriminals’ demand for $600,000 in bitcoin.
How can the risk be reduced?
Several low-cost ways to manage the “click risk” are available.
First, back up all data routinely, including your accounting and pupil information systems, emails and all network files. The backups should occur automatically, be stored off-site on regular intervals and be tested at least annually. If your software is backed up or hosted by a vendor, make sure you understand the vendor’s security system and how the vendor’s restore process works.
Second, be proactive and train your district’s employees. Emails sent by cybercriminals will include red flags that can be quickly detected with simple training. These programs offer low-cost training via short videos that help employees detect red flags and delete the emails before clicking on them.
Finally, take the “click risk” seriously regardless of your district’s size. Cybercriminals win any time they hijack your files or have you transfer money outside of the district regardless of the amount. As large organizations invest increasing amounts of time and money to combat cybercriminals, it is more likely that smaller organizations – which are more likely to be unprepared – will become cybercriminals’ new preferred target.