The Manor Independent School District, which is located about 20 minutes away from the state capital, Austin, reported that it had been hit with a phishing scam on Friday. According to CNN, the scam involved three separate fraudulent transactions that were carried out in November. The school district reported that the local police department and the FBI are investigating the incident.
District officials said that though the investigation is ongoing, there are strong leads in the case.
Many organisations place a lot of emphasis on cyber security by way of investing in technical controls such as firewalls, endpoint protection, or monitoring. While these are important to have, it is equally essential to focus on protecting people.
Cybercriminals attack organisations with the intention of getting the highest return on investment. Usually this translates into social engineering attacks, which are, in essence, cons that trick people into acting against the interests of the company.
This usually occurs in the form of phishing emails, but can also be SMS messages or phone calls. Therefore, organisations should take the time to invest in security awareness and training so that staff are better prepared to identify and report any suspicious activity.
Once again, a single instance of human error has resulted in huge financial repercussions for an organisation. However, this case is particularly concerning because the Manor Independent School District is responsible for the sensitive data of thousands of Texan students. Organisations such as these must invest in security, or the potential consequences could be more than just financial.
There is no doubt about the importance of training employees to recognise these modern phishing techniques. Unfortunately, emotions often take over from reason in these situations and no amount of training can account for this. Organisations need to have systems in place to prevent employees being exposed in the first instance.
Employee awareness needs to be combined with a robust, multi-layered approach to email security. Traditional pattern matching technologies are useless against these modern techniques and organisations need to combine algorithmic analysis, threat intelligence and executive name checking to efficiently protect themselves.
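The "executive name checking" mentioned above is a concrete, cheap control: flag inbound mail whose display name matches a senior staff member but whose address is not the one that person actually sends from, and flag domains that only look like the organisation's own. The following is an added example, not code from the article or from any vendor quoted in it; the executive roster, the `manorisd.example` domain and the sample headers are constructed for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Constructed roster (assumption): display names that deserve scrutiny, mapped
# to the only address each person is allowed to send from.
EXECUTIVES = {
    "jane doe": "jdoe@manorisd.example",
    "superintendent office": "super@manorisd.example",
}
# Domains the organisation actually owns (assumption).
INTERNAL_DOMAINS = {"manorisd.example"}

# Digits that attackers swap for visually similar letters in lookalike domains.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize_name(name):
    """Case-fold, normalise Unicode and collapse whitespace so 'JANE  DOE' matches 'jane doe'."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def domain_skeleton(domain):
    """Reduce a domain to a crude skeleton so lookalikes collapse onto the real domain.

    'rn' becomes 'm', hyphens and dots are dropped and digits are mapped to letters,
    so manor-isd.example, rnanorisd.example and man0risd.example all become
    'manorisdexample', the same skeleton as manorisd.example.
    """
    d = domain.casefold().replace("rn", "m")
    d = d.replace("-", "").replace(".", "")
    return d.translate(_CONFUSABLES)


def assess_sender(from_header):
    """Return findings for a From: header in a fixed order:
    'external-sender', 'lookalike-domain', 'executive-name-impersonation'.
    An empty list means the header raised no flags."""
    display, addr = parseaddr(from_header)
    addr = addr.casefold()
    domain = addr.rpartition("@")[2]
    findings = []

    if domain not in INTERNAL_DOMAINS:
        # Anything not from an owned domain is external; check whether it is
        # also trying to look like one of the owned domains.
        findings.append("external-sender")
        if any(domain_skeleton(domain) == domain_skeleton(d) for d in INTERNAL_DOMAINS):
            findings.append("lookalike-domain")

    # Display name matches an executive but the address is not theirs.
    expected = EXECUTIVES.get(normalize_name(display))
    if expected is not None and addr != expected:
        findings.append("executive-name-impersonation")

    return findings


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    for hdr in [
        "Jane Doe <jdoe@manorisd.example>",
        "Jane Doe <jane.doe.ceo@webmail.example>",
        "Accounts Payable <ap@manor-isd.example>",
        "JANE  DOE <jdoe@rnanorisd.example>",
    ]:
        print(hdr, "->", assess_sender(hdr))
```

The skeleton comparison is deliberately crude; a production gateway would use a proper confusables table and also check Reply-To, but the structure is the same: these checks run on the header fields the recipient never looks at, which is exactly why they catch what the recipient misses.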
Phishing attacks such as this are sophisticated, meticulously planned, and strategically executed leaving very little time to react. It is unfortunate that in this case the phishing scam was able to recur three times and resulted in millions lost.
In order to mitigate the risk of phishing scams going forward, Manor ISD must implement a custom security strategy that provides fine-grained user access control. By deploying adaptive Multi-Factor Authentication, organizations are able to significantly enhance security with additional user authentication, both at login and inside an application. Contextual controls also mitigate cyber risk by adapting policies to the changing context of user access. Furthermore, by deploying granular logging and real-time analytics, an organization gains comprehensive insight into user activity.
When armed with actionable data, Manor ISD can identify suspicious activity immediately and take remedial measures before an attack results in costly damages.
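What "adaptive" and "contextual" mean in practice is a policy function that takes the circumstances of a request and returns allow, step-up or deny, and emits a structured audit record for the analytics mentioned above. The example below is added here and is not code from the article or from any product; the list of high-risk actions, the expected country and the scoring rules are assumptions chosen to match the scenario (a payment workflow), and the point it demonstrates is that a money-moving action forces a second factor even on a trusted device that already passed login.

```python
import json
from dataclasses import dataclass, asdict

# Actions that move money or change where it goes (assumption). These always
# require step-up, even on a known device, because this is where a payment
# fraud pays off.
HIGH_RISK_ACTIONS = {"change_vendor_bank_account", "approve_payment"}
# Where staff are expected to work from (assumption).
EXPECTED_COUNTRIES = {"US"}


@dataclass
class AccessContext:
    user: str
    action: str                    # "login", "view_invoice", "approve_payment", ...
    device_known: bool             # device previously enrolled for this user
    country: str                   # geolocated source country
    ip_on_threat_list: bool = False  # hit in a threat-intelligence feed


def evaluate(ctx):
    """Decide 'allow', 'step-up' or 'deny' for one request and return an audit record.

    Rules (assumed for the example):
      - source IP on a threat list: deny outright
      - three or more risk signals at once: deny
      - any single risk signal, including a high-risk in-app action: step-up
      - otherwise: allow
    """
    reasons = []
    if ctx.ip_on_threat_list:
        reasons.append("source ip on threat list")
    if not ctx.device_known:
        reasons.append("unknown device")
    if ctx.country not in EXPECTED_COUNTRIES:
        reasons.append("unexpected country " + ctx.country)
    if ctx.action in HIGH_RISK_ACTIONS:
        reasons.append("high-risk action " + ctx.action)

    if ctx.ip_on_threat_list or len(reasons) >= 3:
        decision = "deny"
    elif reasons:
        decision = "step-up"
    else:
        decision = "allow"

    # Granular log record: the decision, why, and the full context that produced it.
    return {"decision": decision, "reasons": reasons, **asdict(ctx)}


def audit_line(record):
    """Serialise a record as one JSON line for a SIEM or analytics pipeline."""
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    # Constructed scenarios, not real events.
    for ctx in [
        AccessContext("ap_clerk", "login", device_known=True, country="US"),
        AccessContext("ap_clerk", "approve_payment", device_known=True, country="US"),
        AccessContext("ap_clerk", "login", device_known=False, country="US"),
        AccessContext("ap_clerk", "change_vendor_bank_account", device_known=False, country="RO"),
    ]:
        print(audit_line(evaluate(ctx)))
```

The second scenario is the one that matters for an incident like this: the login was legitimate, the device was known, and the only unusual thing was the action itself. A policy that only challenges at login would have let it through.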
Phishing is a top cyberattack vector, and threat actors are applying the same targeting expertise as advanced marketers. The imitations are well executed and carry enticing messages to trick a recipient into clicking on a malicious link or sharing sensitive data. In this case, the scam was so convincing that someone transferred millions of dollars. Cases such as the Manor ISD attack demonstrate the need to coordinate security controls and continue to raise employee security awareness in 2020.
Educational institutions and schools are urged not to underestimate the risks associated with phishing. Malicious emails are often just entry vectors for larger-scale attacks, and should, therefore, be at the top of organisations' priorities when devising a cybersecurity strategy.
Given that it has become increasingly difficult to tell phishing messages from legitimate ones, organisations should instruct employees not to click on any link received from an external email address and not to open unexpected attachments. Ultimately it is always better to take a little longer to complete administrative tasks than to have credentials stolen or databases breached.