Phishing FAQ

FAQs about our Phishing Simulations

Q- Why are we doing these phishing simulations?
A- Our insurance company, MUSIC, requires us to do these in order to stay in compliance with their policies. Directly from MUSIC’s website:
“Educating employees on common cybersecurity threats is vital if schools are to prevent and reduce malicious breaches. Schools are one of the most vulnerable entities for cybercriminals, and most of these attacks are triggered by human error. Employee training should include recognizing and detecting cyber attacks, including email phishing and internet surfing dangers.” 

You can read more about this here: https://en.calameo.com/read/00689887477ff59256f0a?authid=1v360tu6c8eO

We are doing these phishing simulations for the same reasons we do fire drills, tornado drills, earthquake drills, intruder drills, and every other drill- to test the readiness of what to do when this happens. No one wants to be the person that clicks on a link that encrypts all your school's data until a hefty ransom is paid. Likewise, we don’t want the negative repercussions, including reputational damage, associated with a student information data breach.

Q- Why did the phishing email from April 12, 2022 come from Rich Stilley’s actual email address?

A- THE EMAIL DID NOT COME FROM RICH STILLEY’S EMAIL. The software that was used can impersonate any email address. This was to simulate his email getting hacked. Real threats will act like they are coming from someone you know or a company you are familiar with. Most cyber criminals research a company before attacking. The phishing attack will be as close to a real email as possible to fool the end user. This is a job to them, and they get paid very well.

Q- Why would you send an email about filing our paperwork for insurance when April is insurance enrollment time and we typically receive those emails from Rich?

A- These phishing simulations, which are authorized by Susan Johnson, are to raise awareness that phishing emails can be very legit, coming from someone you know at a time you would expect. The purpose of this was not to “waste your time”, as we understand that everyone is very busy this time of year, however you will also most likely be very busy when a real phishing attack takes place. Remember a real phishing attack can take down the network and stop teachers from being able to use technology for an unknown time. This was also done to help teach you what to do if this was a real scenario and you clicked the link and entered your information.

Q- How do I recognize phishing?

A- Phishing emails and text messages may look like they’re from a company you know or trust. They may look like they’re from a bank, a credit card company, a social networking site, an online payment website or app, an online store, or even someone at work.

Phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment. They may:

- say they’ve noticed some suspicious activity or log-in attempts

- claim there’s a problem with your account or your payment information

- say you must confirm some personal information

- include a fake invoice

- want you to click on a link to make a payment

- say you’re eligible to register for a government refund

- offer a coupon for free stuff

Q- How are you supposed to know the phishing email was fake? It looked so real.
A- With some of the more elaborate phishing schemes you cannot tell whether the email is fake or real, especially if it looks to be coming from someone you know. The BEST practice to avoid getting phished is to ask yourself:

  1. Is the email asking me to click on a link or respond with confidential information?
  2. Was I expecting an email from this person?
  3. Is the email really from that person? Check that the sender’s address matches the one you normally send to.
  4. Can you get to the website without clicking on the link? Go to the website yourself and sign in there. Confidential sites always use HTTPS and show a padlock when the connection is secure.
  5. Ask yourself “Can I do what the person emailing me is asking?” For example, if you get an email asking you to update your information in SISK12 and you know you do not have access to SISK12, the email is possibly fake. If you know you can do what the email is asking of you, contact the person or website using a phone number or website you know is real, not the contact information in the email. Attachments and links can install harmful malware.
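The checklist above can be partly automated. The script below is an added example written for this FAQ; it is not a tool the technology department or MUSIC provides. It reads a raw email message and reports the same warning signs the checklist asks about: a sender display name paired with an outside address, a Reply-To that sends your answer somewhere else, links that are not HTTPS or whose visible text names a different site than the one they actually open, and wording that asks you to sign in or confirm information. The trusted domain `school.example`, the sample messages and the phrase list are all constructed for the example. Note what it cannot do: an email whose From address has been fully forged (as in the April 12 simulation) passes the sender check, which is why the FAQ’s advice to verify by phone still applies.

```python
"""Added example: a small phishing-indicator triage script (not district code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption (constructed placeholder): staff mailboxes live on this domain.
TRUSTED_DOMAIN = "school.example"

# Phrases drawn from the "story" patterns listed in this FAQ.
SUSPICIOUS_PHRASES = [
    "sign in", "log in", "password", "confirm your information",
    "update your information", "suspicious activity", "invoice",
    "gift card", "refund",
]

# HTML anchor: captures the real target (href) and the text the reader sees.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Link text that looks like a web address, e.g. "school.example/benefits".
HOSTLIKE_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def _text_parts(msg):
    """Concatenate every text/* part of the message as a string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            out.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def triage(raw_message):
    """Return a list of human-readable warning signs found in a raw email."""
    msg = message_from_string(raw_message)
    findings = []

    # Checklist item 3: does the address behind the name match who it claims to be?
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if name and from_domain and from_domain != TRUSTED_DOMAIN:
        findings.append(f"sender '{name}' uses an outside address: {addr}")

    # A Reply-To that differs from From sends your answer to someone else.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append(f"replies go to a different address: {reply_addr}")

    body = _text_parts(msg)

    # Checklist item 4: is the link HTTPS, and does it go where its text says?
    for href, text in ANCHOR_RE.findall(body):
        visible = re.sub(r"<[^>]+>", "", text).strip()
        link_host = (urlparse(href).hostname or "").lower()
        if urlparse(href).scheme.lower() != "https":
            findings.append(f"link is not HTTPS: {href}")
        m = HOSTLIKE_RE.match(visible)
        if m and m.group(1).lower() != link_host:
            findings.append(f"link text shows {m.group(1).lower()} but points to {link_host}")

    # Checklist item 1: is the message asking for credentials or information?
    plain = re.sub(r"<[^>]+>", " ", body).lower()
    hits = [p for p in SUSPICIOUS_PHRASES if p in plain]
    if hits:
        findings.append("asks for information or action: " + ", ".join(hits))

    return findings


# Constructed sample modelled on the insurance-enrollment scenario in this FAQ.
PHISHING_SAMPLE = """\
From: Rich Stilley <rich.stilley@school-benefits-portal.example>
Reply-To: enrollment@school-benefits-portal.example
To: staff@school.example
Subject: Insurance enrollment paperwork due today
Content-Type: text/html

<html><body>
<p>Please <a href="http://school-benefits-portal.example/login">sign in</a>
to confirm your information before 5pm.</p>
<p>Or go to <a href="http://school-benefits-portal.example/x">school.example/benefits</a></p>
</body></html>
"""

# Constructed sample of an ordinary internal message with nothing to flag.
BENIGN_SAMPLE = """\
From: Help Desk <helpdesk@school.example>
To: staff@school.example
Subject: Monthly newsletter
Content-Type: text/plain

The technology department newsletter is available on the staff intranet page.
"""

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, BENIGN_SAMPLE):
        print(triage(sample) or ["no warning signs found"])
```

Run it on its own and it prints the findings for both samples. The keyword list is deliberately simple; it is the header and link checks that carry the real weight, and none of them replace calling the sender at a number you already know.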

Q- I accidentally clicked the link in an email and/or entered my information. What do I do now?

A- If for whatever reason you clicked the link in an email and entered information, but now something isn’t right (the website isn’t working, a second popup comes up asking you to sign in again, someone came to you saying the email was fake), PLEASE contact the technology department IMMEDIATELY. Call us at (573) 231-0055, email us at helpdesk@hannibal60.com OR fishy@hannibal60.com, and let us know what happened so we can prevent data breaches of confidential student and staff information, malware, or ransomware.

When in doubt, contact the IT department. We will investigate for you. Not getting hacked is so important to us that we will gladly spend our time calling to verify.

REAL EXAMPLES

In the past year we have had many examples. Here are a few:

Example 1

A teacher received an email from a company saying that she had been selected for one of McDonald’s “Outstanding Educator” Awards. She was going to receive a gift card and awards. The teacher was suspicious and sent it to us. We verified that the company was real and contacted them. She had indeed been selected and was awarded the prizes.

Example 2

An administrator received an email from a known colleague in education at another school. The email address was legit. It had a Google Doc attached. When the administrator clicked on the link it took them to a Google login. They logged in with their credentials and were taken immediately to another Google login. The administrator called the Help Desk immediately and we changed their passwords. We contacted the school and reported that an email had come from one of their employees. They notified us that they had just found out the account had been hacked and were working to notify everyone that had received the email. Calling the Help Desk helped keep the accounts from being used to gain student information.

Example 3

Teachers all over the district have received emails that looked like they came from their principal asking them to go to Walmart and get gift cards. Many teachers responded to these emails. The scary part was that not one teacher received an email from a principal that they did not work for. The “Bad Guys” knew where each teacher worked and who they would respond to if asked to go get money for them. Luckily our teachers got suspicious and contacted the principal, who reported it to the technology department.

Example 4

Just recently MSTA sent an email asking members to update their information. The email had a link for yes and no. This was reported by one of our staff as suspicious. We contacted MSTA headquarters and they confirmed that they had sent the email. When we told them it looked like a phishing email they agreed. Next time they are going to have the school district representative send an email letting everyone know that there would be an email asking for them to confirm their information.


Here are more cyber security resources from our insurance, MUSIC:

https://en.calameo.com/read/006898874cd1fc9c70a90?authid=Zj47yLr4MC1T