Email scams hit teacher, parent boxes as school restarts
7 mins read

Email scams hit teacher, parent boxes as school restarts

Online scammers are targeting teachers and parents as email inboxes fill up with crucial back-to-school information.

Deer Park Community City School District sent out a warning recently, after several staff members and at least one parent received a malicious email that seemingly came from a school administrator.

“All Email recipients of Deer Park Community City School District or anyone interested are encouraged to be a part of this amazing offer,” a scam email sent to district families and students read. “This is a part time job that will not affect your current employment or study at the campus & you’ll be working from home. It’s fun, rewarding, and flexible.”

It went on to describe that the job would require a few hours daily and pay $300, and offered a link to apply.

The recent phishing attempts at Deer Park haven’t led to data or monetary losses, officials said. But local districts have suffered major setbacks due to cybersecurity breaches in the past. In December 2023, West Clermont School District lost $1.7 million in a cyberattack.

Ohio doesn’t track cyberattacks through a mandatory reporting system, according to Kirk Herath, cybersecurity strategic advisor for Ohio Gov. Mike DeWine and chair of CyberOhio. But, anecdotally, Herath said K-12 schools are common targets. That’s because cybersecurity systems can be expensive, and school systems don’t usually prioritize cybersecurity ahead of staff salaries, curriculum materials and other education needs.

“What happened to this school district happens every week, somewhere in the United States,” Herath said.

Local district loses $1.7 million in social engineering scam

The December cyberattack on West Clermont School District was classified as social engineering, district officials said in a June newsletter to families. District administrators assured the community that no personally identifiable information was compromised and no student education records were involved.

Social engineering scams happen when criminals impersonate leaders in an organization and trick members of that organization into providing money or private information, Herath said. In West Clermont’s case, the attackers were able to divert several Automated Clearing House electronic payments to multiple bank accounts that were not owned by the district or any of its vendors.

The district declined to comment further about the investigation, as it is still active.

To prevent scams like this, Herath said, companies and government agencies, like schools, should have a confirmation process in place for big money transfers. Even a secret code word could save a lot of time and energy in case of a cyberattack.

“At a minimum, you should call up the person who ostensibly either called you or wrote you an email and confirm with them on their personal cellphone or something,” Herath said.

West Clermont officials said they contacted local and federal law enforcement about the attack, and the district is currently in the process of recovering its lost $1.7 million by working with its financial institutions, insurance provider and the Ohio auditor.

The district claims it had “robust preventative measures in place at the time of the attack,” and has since “implemented additional vendor authentication and payment protocols, including the discontinuation of ACH payments to all outside vendors.” The district also provides cybersecurity training to staff through individual and group sessions, according to the June newsletter.

“Although this loss is painful and upsetting, this will not impact the recent announcement of extending any expected request for new operational money until 2026,” the letter reads. “The district does not anticipate cutting any programs, services or employees.”

Cybersecurity support for local government agencies

While the National Institute of Standards and Technology offers cybersecurity guidance and standards, there aren’t enough cybersecurity experts to go around, Herath said. He suggests local government agencies band together to hire an expert who can help prevent and respond to cyberattacks for several networks. CyberOhio, a state initiative that coordinates Ohio’s cybersecurity capabilities and develops strategies, plans, and standards, offers grants that can help fund a role like that.

CyberOhio also has free services and training for local government entities, Herath said, but the center is not set up to be a district’s main service provider. The federal government has some assistance available through the Cybersecurity and Infrastructure Security Agency, also known as CISA, which also acts in an advisory role.

“I mean, it’s 2024. We’ve known now for well over 10 years, if not closer to 15 years, that cybersecurity threats, they’ve been growing exponentially every year,” Herath said. “And so, just as we have law enforcement, just as we put locks on our windows and doors and alarm systems and everything else to secure our buildings, we need to provide reasonable levels of cybersecurity for digital technology.”

Schools don’t need to spend oodles of money on cybersecurity, he said, but just enough to make their network inconvenient for scammers to hack.

“Any bad guy with enough time and intent can break into and steal what they want,” he said. But they do tend to “go after weak links.”

What to do if you get a phishing email

In the weeks leading up to the start of fall semester, Deer Park leaders said several staff members received phishing scams to their personal emails from an unknown account, “[email protected],” which pretended to be a school principal.

“Please send me your phone#. Thank you,” the email read.

In another phishing attempt, someone using the name “Yolanda Shimek” emailed staff members while attempting to impersonate Jay Phillips, the district’s superintendent. In the email was a link to a shared Google document that could compromise the target’s account. District leaders advised staff to not click on the link and to reach out to the district’s leadership team if they see any other suspicious messages.

School districts typically do not ask for personal information via email. At Deer Park, for example, all personal information is kept secure through FinalForms, the district’s official data collection and management system.

Deer Park offered the following tips for parents and staff:

  • Double-check the sender’s email address. All emails from official district personnel will use the school’s domain. For example, at Deer Park that would be “@dpccsd.org.”
  • Don’t click on suspicious links. If an email contains a link or attachment you aren’t expecting, don’t open it and instead delete the email.
  • Trust your instincts and don’t act in haste. Urgent requests that pressure you to quickly provide personal information are common among phishing emails and scams.
  • Let your school leaders know, and have them verify if an email is genuine if you are unsure.

Community members can report suspicious emails by forwarding them to school administrators.