A Texas school district has found out the hard way that phishing attacks remain a serious financial threat to organizations of all shapes and sizes, losing an estimated $2.3m in a recent scam.
Manor Independent School District took to Twitter to post official confirmation that the FBI is currently investigating the incident.
“This investigation is still ongoing and although there are strong leads in the case we are still encouraging anyone with information to contact Detective Lopez at the Manor Police Department,” it added.
According to reports, three separate fraudulent transactions took place in November last year following the phishing attack, although there are few other details to go on.
The news comes as school districts in the US battle against a growing threat from ransomware.
Data released by Armor in December 2019 revealed that 72 districts had been impacted during the year, affecting an estimated 1039 schools nationwide. Separate findings from Emsisoft released at the end of the year claimed as many as 1224 schools may have been affected.
Javvad Malik, security awareness advocate at KnowBe4, argued that employee error needs to be addressed more effectively by organizations at risk of phishing attacks.
“Cyber-criminals will attack organizations with the intention of getting the highest return on investment. Usually this translates into social engineering attacks, which are in essence cons against people to do things against the interest of the company,” he added.
“This usually occurs in the form of phishing emails, but can also be SMS messages or phone calls. Therefore, organizations should take time to invest in security awareness and training so that they can be better-prepared to identify and report any suspicious activity.”
Ed Macnair, CEO of Censornet, argued that in failing to mitigate the risk of phishing, the Texas school district also potentially exposed its 10,000 pupils to data theft.
“There is no doubt about the importance of training employees to recognize these modern phishing techniques. Unfortunately, emotions often take over from reason in these situations and no amount of training can account for this,” he added.
“Employee awareness therefore needs to be combined with a robust, multi-layered approach to email security. Traditional pattern matching technologies are useless against modern techniques and organizations need to combine algorithmic analysis, threat intelligence and executive name checking to efficiently protect themselves.”