Why you should pay attention when a local school has a cyber attack
When one school in an area is hit, others nearby are often next. Attackers who compromise a staff email account gain access to an entire address book of local contacts - and they use it. Multiple schools across the West Midlands and Lancashire were targeted within weeks of each other in exactly this way.
Here's what's happening, and what you can do about it.
What is email compromise?
It's when an attacker gains access to a real staff email account and sends messages as that person. They get in by stealing login credentials through phishing, guessing weak passwords, or using automated attacks like brute force and password spraying.
Once inside, they're hard to spot - because the emails come from a genuine address.
Who gets targeted?
Attackers go after staff with the most access - leadership teams, business managers, and IT staff. These are the people who can authorise payments, access sensitive systems, and whose compromised accounts open the most doors.
Why do regional attacks happen?
Three reasons tend to compound each other:
- Shared domain names. Schools in the same trust or region often share similar email structures, making it easier to identify and target multiple organisations at once.
- Compromised address books. Once inside one account, attackers have a ready-made list of trusted local contacts to target next.
- Shared vulnerabilities. Schools in the same region or trust often run similar systems. Find one weakness and it frequently works elsewhere.
How to protect your school
1. Turn on multi-factor authentication - now
MFA is one of the most effective defences against account compromise. If you haven't implemented it yet, start with leadership, business, and IT teams as a priority.
2. Don't overlook student accounts
Student email accounts are a common and underestimated entry point. Consider restricting external email access, enabling MFA, and auditing folder permissions - through limited student accounts, our penetration testing team has been able to access sensitive data across entire school networks.
3. Get the basics right
- Use unique, hard-to-guess passwords. The NCSC recommends three random words, or a password manager.
- Don't publish individual staff email addresses on your website.
- Be mindful of what staff share publicly online - attackers use personal details to guess passwords and craft convincing phishing messages.
- Train all staff to recognise phishing emails.
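To show what "three random words" means in practice, here is an added example (not code from Secure Schools or the NCSC). It draws the words with Python's `secrets` module, the cryptographically secure source, rather than letting a person pick them, and estimates the resulting strength in bits from the size of the wordlist. The mini wordlist is constructed for the example; a real deployment would use a large published list.

```python
"""Generate an NCSC-style three-random-words passphrase and estimate its strength."""
import math
import secrets

# Constructed mini wordlist, made up for this example. In practice use a
# published list of several thousand words (e.g. a diceware-style list).
WORDLIST = [
    "anchor", "basil", "canvas", "dune", "ember", "fossil", "glacier", "harbor",
    "iris", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orbit", "pebble",
]


def random_words(words=WORDLIST, n=3, sep="-"):
    """Return n words chosen with a CSPRNG; the randomness is the whole point."""
    if n < 1 or not words:
        raise ValueError("need at least one word and a non-empty wordlist")
    # secrets.choice, never random.choice, so the draw cannot be predicted.
    return sep.join(secrets.choice(words) for _ in range(n))


def entropy_bits(wordlist_size, n=3):
    """Strength of n uniformly random words from a list of wordlist_size words.

    Each word contributes log2(wordlist_size) bits, so the total is
    n * log2(wordlist_size). This assumes an attacker knows the list and the
    scheme; only the random choice is secret.
    """
    if wordlist_size < 2:
        raise ValueError("a wordlist must contain at least two words")
    return n * math.log2(wordlist_size)


def is_from_wordlist(passphrase, words=WORDLIST, sep="-"):
    """Check that every part of a passphrase came from the given list."""
    parts = passphrase.split(sep)
    return len(parts) >= 1 and all(p in words for p in parts)


if __name__ == "__main__":
    phrase = random_words()
    print(phrase)
    print(f"16-word list, 3 words: {entropy_bits(len(WORDLIST)):.1f} bits")
    print(f"7776-word list, 3 words: {entropy_bits(7776):.1f} bits")
```

The numbers make the advice concrete: three words from a 16-word toy list give only 12 bits, while three from a 7,776-word list give about 39 bits, which is why the list has to be large and the words have to be drawn at random, not chosen because they are memorable to the user. A password manager removes the memorability problem entirely for everything except the master passphrase.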
What to do if you receive a suspicious email
Even if it appears to come from someone you know, check whether you were expecting it, whether the content sounds like them, and whether it arrived at an unusual time. If something feels off, contact the sender directly via a separate channel - phone them using a number you already have, not one included in the email.
Set up a dedicated reporting address (something like phishing@schoolname.com) so staff can flag suspicious emails without putting your IT team at risk from forwarded phishing messages.
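The questions above (was it expected, does it sound like them, did it arrive at an odd time) are a human check, but the timing part can be automated as a first filter. The example below is added here and is not Secure Schools' code; it keeps a constructed history of when each staff sender normally emails and flags a message that is unexpected, comes from an unknown sender, or arrives outside that sender's usual hours or at the weekend. The sender address, timestamps and the one-hour tolerance are all assumptions made for the example, and because a compromised account sends from a genuine address, the check deliberately does not rely on the address being "wrong".

```python
"""Flag messages from a known sender that arrive outside that sender's usual pattern."""
from datetime import datetime

# Constructed sample history, made up for this example: ISO timestamps of
# messages previously received from each staff sender.
SEND_HISTORY = {
    "head@example-school.test": [
        "2024-03-04T08:12:00", "2024-03-04T11:05:00", "2024-03-05T09:30:00",
        "2024-03-05T15:48:00", "2024-03-06T08:55:00", "2024-03-06T16:20:00",
        "2024-03-07T10:02:00", "2024-03-07T14:41:00", "2024-03-08T09:15:00",
    ],
}


def usual_hours(history, tolerance=1):
    """Hours of day (0-23) seen in history, widened by +/- tolerance hours.

    The tolerance is an assumption: it stops a 07:55 message being flagged
    just because the earliest recorded send was 08:12.
    """
    seen = {datetime.fromisoformat(t).hour for t in history}
    widened = set()
    for h in seen:
        for d in range(-tolerance, tolerance + 1):
            widened.add((h + d) % 24)
    return widened


def triage(sender, sent_at, expected, history=SEND_HISTORY):
    """Return the reasons a message deserves an out-of-band check.

    An empty list means nothing about the timing or sender stood out; it does
    not mean the message is safe, since a compromised account still sends
    from a genuine address.
    """
    reasons = []
    if not expected:
        reasons.append("message was not expected")
    past = history.get(sender)
    if past is None:
        reasons.append("no prior mail from this sender")
        return reasons
    when = datetime.fromisoformat(sent_at)
    if when.hour not in usual_hours(past):
        reasons.append(f"sent at {when.hour:02d}:00, outside sender's usual hours")
    if when.weekday() >= 5:
        reasons.append("sent at the weekend")
    return reasons


if __name__ == "__main__":
    # Saturday 02:17, not expected: every check fires.
    print(triage("head@example-school.test", "2024-03-09T02:17:00", expected=False))
    # Monday 09:05, expected: nothing stands out.
    print(triage("head@example-school.test", "2024-03-11T09:05:00", expected=True))
```

When the list is non-empty, the right response is the one the post describes: phone the sender on a number you already hold, not one taken from the email, and forward the message to the dedicated reporting address rather than to individual IT staff.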
Watch your suppliers too
Email compromise doesn't only happen to schools. Attackers can compromise a supplier's account and send fake invoices with fraudulent bank details. A school group in England lost nearly £400,000 this way - tricked into paying a builder's invoice into a criminal's account.
If a supplier changes their bank details, always verify by phone before making any payment.
If a colleague does fall for an attack
These are sophisticated attacks - they can fool anyone. Staff need to feel safe reporting mistakes without fear of blame. A clear incident response process makes that possible, and makes containment far faster.
Want to see how Secure Schools can help protect your staff from phishing and email compromise?
Request a demo from our team of experts.