How Phishing Works and What Your District Can Do About It


Right now, criminals could be trying to steal your much-needed funds and, ultimately, compromise your ability to deliver a quality education to Texas school children.

The scam is called phishing, and its perpetrators – known as cybercriminals – are responsible for some of the largest thefts involving school districts in recent years. This includes a recent attack which resulted in a $2.3 million dollar loss. Though districts should always be on guard against such attacks they often increase as tax filling season approaches. The TASB Risk Management Fund recommends seven simple steps that can help districts avoid becoming victims.

How phishing works

The cybercriminals behind phishing scams are wolves in sheep’s clothing. Masquerading as legitimate vendors, and even as employees or staff, they trick unsuspecting districts into sending money directly to them. Phishing scams come in many forms, but the three most common are:

  • Bogus invoice/wire transfer: Cybercriminals call, email, or fax, posing as a supplier, vendor, or contractor, and request transfers for payments to an account they own. Because these scams have no malicious links or attachments, they often evade technical controls, such as email filters.
  • Staff impersonation/executive fraud: This scam hinges on cybercriminals creating fake emails that appear to be from someone in a position of authority, such as a board member, CFO, or superintendent. The email targets employees who have access to the bank account, and the request is often marked urgent to encourage recipients to bypass approval procedures.
  • Account compromise: Instead of creating fake emails, cybercriminals hack directly into a victim’s email account. The victim could be someone in a position of authority, a vendor, or even an employee or staff member. The email requests invoice payments to vendors or contacts in the victim’s address book. In the case of employees and staff, the scam involves a seemingly legitimate request to modify payroll information. The attacker sets “rules” in the email account to ensure the real employee is never notified about the changes. Attackers can also target social security numbers, dates of birth, and other personally identifiable information to conduct W2 fraud and identify theft. That is why it is important to confirm transaction requests via a means other than email (see #2 below).

What you can do about it (Read more about the 7 tips here)

  1. Limit the information your district shares
  2. Confirm the transaction request
  3. Avoid wire transfers when possible
  4. Assign designated contacts
  5. Implement controls with financial institutions
  6. Train your staff
  7. Work with IT

This article was originally published in InsideRM in November 2018, then updated for accuracy and comprehensiveness on January 21, 2020 by Lucas Anderson, Jessica Clark, and David Wylie.

Back to top