To at least one St. Johns County teacher, the email sent to him in August looked normal. It was a message that appeared to be from the principal of his school.
“In a meeting, phones not allowed, can you help me get an iTunes Gift Card from the store right now? I will REIMBURSE you back today. I need to send as a birthday gift,” the email read.
The teacher purchased $500 in gift cards and sent photos of the cards to another email address that had been provided. Soon after, the teacher discovered the whole thing was an email scam.
At a St. Johns County School Board workshop held last week, Bruce Patrou, the district’s IT chief, detailed the recent spike in “spear phishing” attacks throughout the school district. The attacks usually involve a custom email scam targeting a specific individual or group to steal passwords or install malicious software – or, in the case of one teacher, take money.
“It’s all around,” Patrou said Wednesday. “This problem is prevalent across the United States.”
Patrou said the same tactics used by Russian hackers to access Democratic National Committee emails in 2016 are being deployed against St. Johns County teachers.
An email sent to 1,300 SJCSD staffers in July was disguised as a security update. The email carried SJCSD logos, asked for employee IDs and provided a link to update the teachers’ accounts.
“The emails look realistic, but they are not,” Patrou said.
So how do you stop it? A big part of prevention is education, Patrou said.
Teachers and staff are sent warnings about recent spear phishing attacks and how to spot one. But it’s not enough. Patrou is recommending that schools across the district remove elements from school websites that make life easier for hackers.
“One measure is we want to begin minimizing email lists on school websites that are being used against us,” Patrou said.
Instead of listing full names and emails for all teachers and staff, Patrou is recommending schools use just last names and scrub emails from the website. Teachers would give their email addresses directly to parents, Patrou said. He also wants to implement new email tools meant to prevent hacking and funnel all phone calls through one central phone number.
Patrou pitched his ideas to the school board during the meeting, and board members were receptive to the proposed changes.
“We are expecting to trim down websites in the very near future,” Patrou said.