6 Cyber Threats for the 2024-25 School Year
Cybercrime constantly evolves. If staying one step ahead of hackers is stretching your resources thin, you’re not alone. The Fund is here to support you. Here are six cyber threats you need to protect against this school year.
1. Artificial Intelligence (AI)
School employees may use AI-powered tools for a variety of tasks: creating lesson plans, automating administrative duties, and anticipating and addressing equipment failures. Cybercriminals use the same technology to do their jobs better, too. And educators are on alert.
In a May 2024 report from the Consortium for School Networking:
- 63% of district tech leaders feared cybercriminals would harness AI to launch increasingly complex cyberattacks.
- 49% were concerned teachers lacked the training to navigate AI integration into instruction and student use of AI for composition.
- Other concerns included new methods of cyberbullying via deepfakes, the intentional spread of misinformation, and threats to student data privacy.
What You Can Do
- If your school board has already adopted an AI policy, familiarize yourself with it and adhere to it. If your organization hasn't adopted a policy, reach out to your TASB policy consultant for assistance with language to address AI in your local policies and administrative regulations.
- Include AI guidelines in your local acceptable use policy (AUP). These guidelines should address how staff and students are permitted to use AI in teaching and completing assignments.
- Address disciplinary actions for cyberbullying and spreading misinformation in your AI policy.
- Ensure that patches and updates to your firewalls, operating systems, software platforms, and other security appliances are installed promptly.
- Educate your staff on AI-driven social engineering techniques. Remember that video and audio impersonation are getting more sophisticated.
2. Business Email Compromise/Fraudulent Instruction
Business email compromise happens when highly sophisticated emails appear to come from legitimate companies or third-party vendors. These emails may request sensitive information such as tax forms or Social Security numbers. Similarly, fraudulent instruction is the transfer of funds by an employee to a third party as a result of deceptive information provided by a criminal claiming to be someone else, typically a vendor, client, or authorized employee.
These attacks are usually preceded by significant observation and research that allow cybercriminals to pretend to be legitimate business partners. In some cases, hackers even infiltrate a company and send a “legitimate” email from within a partner organization. We have seen a significant increase in these attacks directed at the education sector.
Last summer, a Connecticut school district made six payments totaling $6 million to cybercriminals posing as the district COO. Millions of dollars have been similarly stolen from Texas districts.
Related resource: Download this cheat sheet to help your finance professionals fight cybercrime.
Fraudulent Instruction Requirement for Fund Members
The Fund Data Privacy and Information Security Coverage Agreement requires members to authenticate a payment-related instruction independently from the received communication. Read Part C § 4.29 of your agreement and make sure you understand the terms. If you don't authenticate the instruction as indicated under § 4.29 (A), coverage likely will not apply. Do not rely upon information within the payment request when contacting third parties for authentication purposes, and always verify contact information changes that occur during your relationships with third parties.
What You Can Do
- Begin using a system of checks and balances so no single employee has the authority to change third-party financial information such as routing and account numbers without secondary authorization.
- Implement a policy that requires confirmation by a different method when vendors, contractors, or other external partners request a change in financial information. For example, if a contractor requests a routing number change in an email, call an established point of contact to confirm the request is legitimate. Do not change financial information until the established point of contact confirms the request is legitimate.
- Train your staff on common social engineering tactics such as spoofing, phishing, and spamming.
- Encourage staff, especially accounting staff, to think twice, then three times before complying with potentially suspicious financial requests.
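The checks described in this section can also be enforced in software, as a gate in front of the vendor record. The sketch below is an added example, not part of the original article or of the Fund's coverage agreement; the class, field and function names and all sample values are hypothetical.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Vendor:
    phone_on_file: str   # established point of contact, recorded before any request
    bank: str            # routing/account numbers currently on record

@dataclass(frozen=True)
class ChangeRequest:
    received_via: str        # channel the request arrived on, e.g. "email"
    contact_in_request: str  # phone number quoted inside the request itself
    new_bank: str            # requested routing/account numbers
    entered_by: str          # employee who keyed the change

@dataclass(frozen=True)
class Verification:
    channel: str         # channel used to confirm, e.g. "phone"
    number_dialed: str
    confirmed: bool      # the established contact confirmed the change
    approver: str        # second employee authorizing the change

def _digits(s):
    return "".join(c for c in s if c.isdigit())

def review_change(vendor, req, ver=None):
    """Return the reasons to hold the change; an empty list means it may proceed."""
    if ver is None:
        return ["no independent verification recorded"]
    holds = []
    if ver.channel.lower() == req.received_via.lower():
        holds.append("confirmed over the same channel the request arrived on")
    dialed = _digits(ver.number_dialed)
    if dialed != _digits(vendor.phone_on_file):
        used_request = dialed == _digits(req.contact_in_request)
        holds.append("callback used contact details from the request" if used_request
                     else "callback did not use the contact on file")
    if not ver.confirmed:
        holds.append("established contact did not confirm the change")
    if ver.approver.strip().lower() == req.entered_by.strip().lower():
        holds.append("no secondary authorization: approver also entered the change")
    return holds

def apply_change(vendor, req, ver=None):
    holds = review_change(vendor, req, ver)  # banking details change only if empty
    updated = replace(vendor, bank=req.new_bank)
    return (vendor if holds else updated), holds

VENDOR = Vendor("512-555-0100", "000000000/11111111")  # constructed sample data
REQUEST = ChangeRequest("email", "(512) 555-0199", "999999999/22222222", "jdoe")
```

The vendor record is returned unchanged whenever any hold reason is present, so the reasons can be logged and routed to a supervisor.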
3. Back-to-School Ransomware
Hackers prefer to hit early in the morning or late in the afternoon, especially Monday morning and Friday around quitting time. They hope employees will be focused on work opening/closing tasks, not quite awake, or distracted enough to mistakenly click a bad link or open a malicious file. This holds true in early fall, as employees attend to the details of a new school year.
In March 2023, Minneapolis Public Schools refused to pay a $1 million ransom to cybercriminals who locked down their network. The criminals responded by dumping 300,000 stolen files, including student medical records and discrimination complaints, onto the dark web.
What You Can Do
- Build strong relationships with your FBI field office and regional CISA cybersecurity advisor.
- Maintain offline data backups.
- Ensure all backups are encrypted.
- Review vendor security.
- Monitor external remote connections.
- Develop and implement a recovery plan.
4. Distributed Denial of Service (DDOS) Attacks
Imagine a hallway built to accommodate two people. If 100 people try to walk the hall and enter the same room, traffic flow stops. That’s how a DDOS attack works. Criminals disrupt a server, service, or network by overwhelming the target or its infrastructure with a flood of internet traffic or requests for access.
Schools experienced a 258% increase in DDoS attacks between 2022 and 2023, according to the Verizon 2024 Data Breach Investigations Report. Attacks are carried out by external cybercriminals as well as insider threats like disgruntled students. Effective DDOS attacks can shut down school networks for days or weeks, depending on severity and the amount of traffic directed at your organization. They can also disrupt standardized testing schedules and other critical educational and administrative functions, including payroll.
Case Study
In May 2024, a high school student launched a DDOS attack that disrupted standardized testing for 24,000 students. The student simply accessed websites that launch DDOS attacks for a fee. In fact, he spent less than $20 to launch his attack from his school-issued Chromebook.
What You Can Do
- Consider using a backup internet service provider (ISP) in case your primary ISP suffers a DDOS attack. A backup ISP could have your organization back in business in minutes.
- Identify sites that launch DDOS attacks for a fee and block their IP ranges from communicating with your network.
- Incorporate DDOS in your acceptable use policy and explain the consequences any student who launches one will face.
- Use a load balancer to spread network or application traffic across endpoints on multiple servers during peak (or maliciously elevated) traffic times.
5. MaaS/RaaS/SaaS
Many organizations use software as a service to easily update and configure cloud-based software into local network environments. Malicious actors have mirrored this model to offer dark web-based ransomware as a service (RaaS) and malware as a service (MaaS).
In a related scam called SaaS ("swatting as a service"), students access the dark web and hire malicious actors to phone in bomb threats or active shooter alerts to districts. In some cases, the goal is to avoid an exam. In other cases, students direct criminals to attribute the threat to a perceived enemy such as a peer. This cyberscam is growing quickly.
What You Can Do
- Educate your staff about possible false alerts.
- Incorporate disciplinary actions into your acceptable use policy.
- Inform students about the repercussions.
- Offer tech-savvy students other avenues to use their skills. Examples include local cybersecurity teams, CyberPatriot, and Certified Ethical Hacker training.
- Work with local law enforcement to verify whether phoned-in threats are legitimate.
6. Unpatched Servers
Software companies release patches to address security gaps in their products. Unpatched servers leave networks vulnerable to cyberattacks such as LockBit 3.0, which was responsible for an increase in ransomware attacks against schools in 2023.
What You Can Do
- Speak with your IT team regularly regarding your patching and updating protocols.
- Ensure that routine data backups are run and that the backup system works properly.
- Confirm with your IT team that the Microsoft Windows file-sharing protocol, known as Server Message Block 1, is patched or upgraded to versions 2 or 3 on your system.
Editor's note: This article was originally published in August 2019. It has since been updated for accuracy and comprehensiveness.
Have Cybersecurity Questions?
Members with Privacy and Information Security coverage can request training and support from our Privacy and Cyber Risk Consultant Lucas Anderson at 800-482-7276, x2893 or lucas.anderson@tasb.org.
Lucas Anderson
Lucas Anderson joined TASB Risk Management Services in 2019, bringing more than a decade of experience in cybersecurity, network administration, and information technology. He advises districts on preemptive mitigation against ongoing and emerging cybercriminal threats targeting the education sector, as well as cybersecurity-related regulatory compliance.
Over his career, Anderson has supported public and private organizations, including Booz Allen Hamilton, the White House Office of Management and Budget, the Department of Defense, and the Texas Association of Counties.