Given that it’s the beginning of a new year, it’s important to remember to be careful what you click on. A school district in Texas learned this the hard way when it lost approximately $2.3 million due to a phishing email scam.
The Manor Independent School District, which is located about 20 minutes away from the state capital, Austin, reported that it had been hit with a phishing scam on Friday. According to CNN, the scam involved three separate fraudulent transactions that were carried out in November. The school district reported that the local police department and the FBI are investigating the incident.
District officials said that though the investigation is ongoing, there are strong leads in the case.
Although phishing scams can appear minor when compared to cyberattacks like ransomware or data breaches, this incident reminds us that they can cause serious damage. The U.S. Cybersecurity and Infrastructure Organization (CISA) defines phishing as a social engineering attack in which an individual aims to obtain or compromise information about an organization or its computer systems.
In phishing scams, attackers use email or malicious websites to obtain information by pretending to be representing a trustworthy organization, such as a well-known credit card company or financial institution. They may also attempt to impersonate other organizations, including charities. Once the attackers get the information they’re looking for from unsuspecting users, they use it to gain access to the accounts they seek.
And phishing scams are also getting more sophisticated and creative. In December, Microsoft published an article on the most notable phishing campaigns it spotted in 2019. In one case, Microsoft said attackers were putting poisoned links in Google search results and using traffic generators to ensure that the phishing page was at the top of search results for certain keywords. The company also highlighted the use of custom 404 Not Found pages, which attackers used as phishing sites.
Nonetheless, there are common indicators that you can watch out for in order to protect yourself from these attacks. CISA recommends analyzing the sender’s address, as the attacker usually tries to replicate emails from real businesses, and check for differences or missing characters. You should also be cautious with emails that use a generic greeting, such as “Dear Valued Customer,” or a generic signature, as a trusted organization will normally provide their representative’s contact information.
Additionally, it’s important to be careful with hyperlinks in suspicious emails. While a hyperlink may appear legitimate, hover over it and ensure there are no variations in the destination domain. Grammar and formatting are also important. No professional organization is going to send you something with a messy format or lots of spelling mistakes.
Anyone can have the misfortune of falling for phishing scams. In this case, we don’t know the exact details. However, in today’s society, we work at the speed of lightning, which means we may not be as careful as we should when opening emails or clicking on links. Plus, it’s also not easy when attackers are always developing new ways to try to con us. But incidents like this remind us that a little bit of extra time and caution can possibly save us, and our organizations, from a big headache.