What if one email cost you $1.5 million?

How Salem-Keizer School District faces the rising tide of phishing attacks

The email itself was unremarkable. It arrived on a weekday in June, addressed to the accounts payable department of the Salem-Keizer School District. It came from a company working on school construction — let’s call them Acme Construction — with a simple request: would they mind updating the direct deposit with the following information?

This email wasn’t from Acme Construction. It was from hackers who had done their homework. They’d registered a lookalike domain for the company — acmeconstruction.us instead of acmeconstruction.com. They replicated the company’s website, in its entirety, on their new domain. They even knew, through snooping, that this employee used a shortened version of their name, and addressed them as such.
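As an added illustration (not part of the article or of any vendor's product), the check below shows one way an accounts-payable mail filter could flag the lookalike sender domain described above and hold any payment-change request from it for a call-back to a number already on file. The vendor allow list, sample addresses and keyword list are constructed for the example.

```python
"""Flag vendor-impersonation senders (added example; all data below is constructed)."""
from difflib import SequenceMatcher

# Constructed allow list: domains accounts payable has actually exchanged mail with.
KNOWN_VENDOR_DOMAINS = {"acmeconstruction.com", "example-supply.net"}

# Phrases that make a message a payment-change request worth verifying out of band.
PAYMENT_CHANGE_TERMS = ("direct deposit", "bank account", "routing number", "wire instructions")


def split_domain(domain):
    """Return (registrable label, TLD); single-label TLDs only, so .co.uk is out of scope."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify_sender(sender):
    """Return 'known', 'lookalike' or 'unknown' for an email address."""
    _, _, domain = sender.lower().rpartition("@")
    # Exact vendor domain or a subdomain of it counts as known.
    if any(domain == v or domain.endswith("." + v) for v in KNOWN_VENDOR_DOMAINS):
        return "known"
    label, tld = split_domain(domain)
    for vendor in KNOWN_VENDOR_DOMAINS:
        v_label, v_tld = split_domain(vendor)
        # Same registrable label under a different TLD: the .us-for-.com trick above.
        if label == v_label and tld != v_tld:
            return "lookalike"
        # Near-identical label (one swapped, inserted or dropped character).
        if SequenceMatcher(None, label, v_label).ratio() >= 0.85:
            return "lookalike"
    return "unknown"


def triage_message(sender, body):
    """Combine sender verdict with the request type to decide whether to hold the message."""
    verdict = classify_sender(sender)
    asks_payment_change = any(t in body.lower() for t in PAYMENT_CHANGE_TERMS)
    return {
        "sender_verdict": verdict,
        "payment_change_request": asks_payment_change,
        # Anything but a known sender asking to change banking details waits for a call-back.
        "hold_for_callback": verdict != "known" and asks_payment_change,
    }
```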

But after years of training, the employee was prepared, and promptly forwarded the email to Bob Silva — and, in doing so, saved the district from losing $1.5 million.

Silva, who has served as the director of technology and information services for SKSD since 2015, credits constant staff security trainings — supplemented by a healthy dose of fear — but still stays up at night, worried that this won’t be enough.


Across the U.S., hackers are increasingly targeting educational institutions in addition to corporate and government targets. They’ve found victims who are, in many cases, woefully unguarded; in a case exactly mirroring the scam above, they stole $1.9 million from a university, and the money could not be recovered.

Attacks against schools are on the rise in both scope and severity. In late July, Louisiana Gov. John Bel Edwards declared a statewide emergency after malware attacks disabled three school districts and seemed poised to spread to other government agencies. It was a sufficient threat that the Louisiana National Guard, Louisiana State Police, the state’s Office of Technology Services and Louisiana State University, among others, joined in the fight.

While it’s not just schools that can fall victim — Facebook and Google lost a combined $500 million to similar direct-deposit scams — SecurityScorecard’s 2018 Education Cybersecurity Report notes that out of the 17 major industries in the U.S., education comes in last place for overall security.

A phishing email that was sent to Salem-Keizer employees, which perfectly mimicked an email from CIO Bob Silva.

The threat arrives on multiple fronts: the proliferation of software and devices in the classroom leaves schools with weak points, while overtaxed IT departments don’t upgrade rapidly or regularly. Adding to the complications are questions of FERPA (Family Educational Rights and Privacy Act) compliance, which can limit options and demand even more from IT.

Then, of course, there is the biggest vulnerability of all — each and every employee (and, sometimes, parent and student) properly evaluating each and every email they receive.

“The bad guys only have to win once, but we have to win every time,” said Erich Kron, a KnowBe4 cybersecurity evangelist. He entered the field in the 1990s, eventually becoming the security manager at the 2nd Regional Cyber Center for the Army.

Phishers target and scam in constantly evolving ways. But, Kron noted, like con artists and grifters since time immemorial, they succeed by playing to human psychological vulnerabilities.

“If you get an email, or a phone call, or a text message that elicits an emotional response, be very cautious with it,” Kron said. “They use emotions to get (you) to bypass critical thinking … they use anger, they use fear, they use urgency.”


A perfect example, he said, is a message that looks as though it comes from a boss demanding immediate action — which people too often take. In fact, one phishing scheme targeting SKSD looked like it had come from Silva himself, asking employees to open and read a Google Doc.

That stress and urgency cause people to act fast.

“Of those people who click (on an unsafe link in an email), 55 percent do it within an hour,” Kron said.

On the other hand, Silva said, he uses those same emotions to reinforce the need for constant vigilance.

When asked whether he has trouble instilling the right amount of fear in employees, he laughed.

“It’s easy to give them the proper level of fear, and I’m good at that,” he said. “I tie it to their personal lives rather than the effect at work. It’s not a knock against them. They’ve got a lot of other stuff to worry about. They’ve got 30 kids in the classroom and 60 parents. But you start talking about their bank account and their kids? They start listening.”

After the simulated phishing attack, KnowBe4 alerts administration and staff to vulnerabilities, then offers ongoing training.

As part of staff awareness efforts, Silva has partnered with KnowBe4, which specializes in launching simulated phishing attacks against organizations. These simulated attacks help identify vulnerable groups or individuals, after which KnowBe4 offers extensive employee trainings.

“After we do a simulated phishing attack, we analyze the results and, based on who became a victim, we report back to all-staff in what we call a Phish Tank episode.”

Still, Silva said, cybersecurity is a mountainous task for the district. He estimates the district receives 50 unique phishing attacks per day, which amounts to thousands of messages in total, since each one goes out to so many recipients. He has a team of four to work on this, and estimated that it takes the equivalent of one full-time employee.

During each KnowBe4 campaign, he said, all student records have been compromised.

“Not just the current students — students going back ten years,” he said, adding that $148 is the industry-standard cost per lost record.

“So you’re talking about 300,000 records at $148 per record — that’s $44.4 million,” he said, adding that there is also the potential for legal consequences.

“There’s nothing that would prevent the federal government from investigating a school after a data breach, finding them negligent and charging a fine.”

The problem is not going to get better, he said, and is instead getting actively worse. He noted that a 12-character password that might have taken a quintillion years to crack a few years ago now takes three years.

“That changes the standard, because that’s for one password — you put a network of computers together, and you’re down to weeks and months.”

This, he said, is combined with increasingly clever techniques.

“The creative ones will start impersonating parents. They’re just getting smarter,” he said. “There’s two things they’re after — our student information systems and our money. Right now, they’re generally after the money.”

That may soon change, he said, especially when considering the depth of info schools now gather on their students.

“They haven’t figured out the value of our student info yet,” he said. “As soon as hackers find out how easy it is to get a bunch of fresh, clean identities … school districts across Oregon, across the United States, who have kept their heads in the sand are hosed. There’s nothing they’re going to be able to do to prevent the breach.”

— Kelly Williams Brown

Education pricing for KnowBe4 is available through OETC
