The reasons for this are fairly simple
A number of education ransomware alerts have been published by the National Cyber Security Centre throughout 2020 and 2021, and more are expected over the coming year. Thousands of schools have been attacked over the past few years, and many of those attacks have resulted in long-term problems for the organisations affected, including the staff, students and parents. And most cyber attacks start with a breach of the network security that can be linked to a phishing attack.
Whilst the rise in attacks was blamed partly on the pandemic and a rise in remote learning, the risk to schools will persist until they are provided with the tools to fight back. And these attacks are happening right now in our region. In the summer of 2021 a ransomware attack against schools in Kent actually caused several of them to close for several days whilst the data breach was resolved. And successful attacks or attempts are reported by schools across the region on a regular basis.
We all know that email phishing attacks are continuing to increase in complexity and frequency year over year. Hackers are employing more effective technology and methods, constantly honing their skills at crafting email campaigns that appear legitimate and safe.
Phishing is a cybercrime in which a target or targets are contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
You might have heard of phishing, vishing, smishing, quishing, spear phishing, whaling, but all the names mean is that there are a lot of different ways that a cyber-criminal is going to try and trick you. Criminals use all communication methods, so if a new method comes out, you can be sure a criminal will be there trying to exploit it. And these criminals are experts in getting us to act in the way they want, whether that is clicking a link or downloading an attachment.
Criminals use information from all over to create phishing messages. Knowing what information about you and your school can be found by a criminal can be extremely useful in understanding what information could be included within a phish.
For example, would you believe an email as genuine if it contained your username and password in it? Did you know that if your details have been released in a data breach, usernames and passwords are just one thing that could be known, along with your IP address, address, telephone number, in fact, any sensitive information you might give to a company?
If your college has recently announced that it is starting to work with a new education support service called ilearn.com, a criminal could use that information to create a fake domain 1learn.com to trick you into communicating with them.
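A mail administrator can screen for this kind of swap automatically. The sketch below is an added example, not code from the NCSC or the centre: it compares a sender's domain against a list of known supplier domains and flags near matches such as 1learn.com. The trusted list, the small character-swap table and the sample senders are assumptions constructed for illustration.

```python
# Added example; TRUSTED_DOMAINS and the sample senders are constructed.
# Digits and letters commonly swapped to imitate another character (small subset).
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s", "3": "e"})
TRUSTED_DOMAINS = {"ilearn.com"}  # assumption: the school's known supplier domains


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so visually similar names compare equal."""
    return domain.translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender: str) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a sender address."""
    domain = sender.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    for trusted in sorted(TRUSTED_DOMAINS):
        if (skeleton(domain) == skeleton(trusted)          # 1learn.com
                or edit_distance(domain, trusted) <= 1      # one typo away
                or domain.startswith(trusted + ".")):       # ilearn.com.x.example
            return f"lookalike of {trusted}"
    return "unknown"


if __name__ == "__main__":
    for sender in ("support@ilearn.com", "support@1learn.com",
                   "accounts@ilearn.com.verify.example", "office@school.example"):
        print(f"{sender:40} {classify(sender)}")
```

A "lookalike" result is a reason to quarantine or banner the message for review; an "unknown" result only means the domain does not resemble a listed supplier, not that it is safe.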
Would you click on a link which talked about 'New Government standards required for all schools and colleges – find out more here!'?
If a message contains any of the following, really think before you click:
They want access to your systems but more importantly they want money – yours, your suppliers', or your customers'. They don't really care who it belongs to!
Phishing messages are usually designed to get you to click a link or download an attachment. They hope to either steal your login credentials or install malware on your systems, and once they are in your system, stealing your data is likely the next step for them. And after that they may hold you to ransom to get it back, they might just publish it all on the internet or they could simply destroy all your data without asking for anything. Or they may just wait for an opportunity to take advantage of their position in order to steal money from you, a supplier, or a customer.
All phishing depends on an element of social engineering or interaction with a person, so you really need to make staff engagement and upskilling a priority. ECRC has affordable student services who can deliver a bespoke training session tailored to your organisation and the risks it faces. Contact us to find out more.
Have a plan in place to deal with phishing attempts and successful attacks. Make sure your staff know how to report an attack and don’t put barriers in place to reporting, such as disciplinary action. Make sure you report all phishing attacks to report@phishing.gov.uk.
Phishing attacks can be very sophisticated and extremely difficult to guard against but making sure you know how and when an attack has taken place means that you can react in the right way. You really don’t want a staff member too scared to report a successful phishing attack and letting an attacker have an extended period of time in your systems.
The National Cyber Security Centre (NCSC) have created an enterprise Outlook add-in for staff to be able to report email phishing directly from their email box. The NCSC will then actively seek to disrupt the criminals sending these messages, protecting you from them as well as the wider community.
The impact of a successful attack against your website or network can be catastrophic and lead to website downtime, loss of data and permanent loss of reputation. But all is not lost.
Here at the centre, we would recommend that you consider
If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.
Please report online to Action Fraud, the UK's national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need. Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050).