Phishing Campaign against k12 schools and universities

For the last week or two, a new phishing campaign started to target k-12 schools and universities.

A couple of school IT administrators emailed us asking if we ever saw something like this before, so we think this is a good opportunity to remind everyone to be watchful for those phishing campaigns. Phishing campaigns happen very often and have many variations, but this last one seems to be more mass spread against a large number of schools at the same time.

Phishing Scam Emails — Are you Available?

This last phishing scam campaign is actually very simple and tries to convince teachers and staff members to buy gift certificates and send them back to the scammer.

The email subject just says: “Follow up” or “Are you Available” or similar variation and asks the person to reply back asap. If the person replies, the scammer replies back that he is busy on a meeting and that he needs a $200 or $300 gift card from Amazon or iTunes. Very similar to what was reported here months ago.

Mmmmm… Phish flavored spam… We’ve been getting a lot lately where the miscreants are setting up a headofschool####@gmail.com account with the name setup as, you guessed it, our head of school and then emailing the entire campus. End goal: gift cards.

In this new campaign, we are seeing 2 email formats:

headofschoolSCHOOLNAME@gmail.com
principal.SCHOOLNAME@gmail.com

Along with the old one of just headofschoolRANDOMNUMBER@gmail.com. As silly as it may sound, people still fall through for it. Specially on mobile, where seeing the real email is not as easy. We heard reports of teachers buying and losing a few hundred dollars because of it.

Update: There are 2 recent redditthreads about this same subject. And in one of them an employee paid the scammer:

Not sure if anyone has seen this, but three schools I support has seen it today alone. The email address is headofschool[randomnumbers]@gmail.com but the name on the account has been an administrator. Subject has been “Follow Up” and message just says “Are you available?” One employee responded to this and they ended up getting them to send $100 in iTunes gift cards.

Protecting against this Phishing Campaign

For this specific campaign, we recommend that you go to your Email provider and:

  • Black list any sender containing *headofschool*
  • Black list any sender containing *schoolname*@gmail.com
  • Black list any sender containing *principal*@gmail.com

But for the long term, one of the best investments you can do is to engage into some type of school wide phishing training to get the teachers and rest of the staff aware of phishing and its dangers.

Duo Insights is a good and easy to use product (not affiliated with us) if you are looking for such solution. Knowbe4 also seems to be well recommended.