Why and how do cybercriminals target schools?

Schools hold large amounts of personal data, which is the primary reason cybercriminals target them. To an attacker, this is data they can use for fraudulent activity or sell to others. Some criminals play the long game and will hold onto children's data until the child is eligible for credit. Once they are, they will take out credit cards and loans in the child's name or sell the data to others to do the same. 


The second reason is that schools are seen as easy targets with little understanding, time or resources to keep their systems safe. Add to this the helpful nature of busy teachers, and it is easy to see why schools are hit.


The Sophos State of Ransomware in Education 2023 report outlines the top three ways schools are attacked. These are exploited vulnerabilities, compromised credentials and malicious emails.

Guarding against these types of attacks

Exploited vulnerabilities

Cybercriminals find holes in software, systems and networks and see them as an easy way in. Many of these vulnerabilities are easily patched by software and operating system updates and by not using legacy software that's no longer supported.


Most software updates are free to the end users and, although they can be inconvenient, are easy to install. Despite this, our team of vulnerability scanners usually finds a list of this type of vulnerability in every school they scan, demonstrating it can be easily missed. Some of these vulnerabilities can open the school up to serious risk of an attack.


The easiest way to reduce your school's vulnerabilities is to run software and system updates continuously and to shut down devices so these updates are recognised regularly.

Compromised credentials

This is when an unauthorised person gains access to your accounts using your valid credentials. Compromised credentials can happen in several ways, and most are easy to protect against.


Using secure passwords that aren't written down or reused for different accounts is number one in protecting your credentials. Secondly, using multi-factor authentication whenever available makes those accounts very difficult for someone else to access. Thirdly password managers are another step in keeping your details safe.


If one of your accounts has been compromised, changing that account's password is essential. And if you have reused that password, changing it on those other accounts is too.


If you have high levels of access to software and systems at school, cybercriminals are more likely to target you. This is called spear-phishing, and it is critical that you carefully protect these accounts and only have the level of access you need to perform your role.

Malicious emails

Malicious or phishing emails are a type of social engineering attack. A clever attacker will discover what they can about you from your social media profiles and even the school website. They'll then send messages relevant to you in the hope that you are more likely to respond. This is spear or whale-phishing. Often attackers randomly target compromised email addresses until one of their messages is successful.


Malicious emails are designed to pressure or trick you into doing something. This could reveal your credentials, such as login or bank details or clicking links or attachments that download malware.


It is important to check the validity of every email you receive. Our blog, Three ways to protect yourself against a cyber-attack, outlines key protections against malicious emails.


How can we help?


Staff training

The Secure Schools staff awareness training includes modules on social engineering and password management and expands on the points raised in this blog.


Start a free trial of our training module here

Vulnerability scanning

Our vulnerability scanning checks for any risks within the school’s network and recommends which patches are needed to fix them.


Speak to one of our team about this for your school or group by emailing hello@secureschools.com


Read the Sophos State of Ransomware in Education 2023 report here