The type of phishing attack we have been experiencing is defined as CEO fraud, “a scam in which cybercriminals spoof company email accounts and impersonate executives to try and fool an employee” (KnowBe4, 2020). In our case as a school district, attackers have masqueraded as principals and other administrators since we don’t generally have CEOs in education.
We are working hard in the Department of Technology and Innovation to prevent attacks through systems, mitigate the attacks that do occur, and most importantly, provide training to prevent cyberattacks from moving forward. When I decided to become a teacher back in the early 1990s, I fully expected my career to include regular and continuous professional development, but I never expected Cybersecurity Awareness to be among the topics for which I would get training! Unfortunately, our current world includes these types of attacks not just in education, but in nearly every organization and industry.
Thankfully, the most recent Barrington 220 attacks were mostly unsuccessful because our employees noticed the signs of an attack and did not follow the requests of the attacker—but time was lost in dealing with these issues. However, one attack did yield what I would call a “textbook case” of CEO Fraud that I will take great delight in sharing here to hopefully thwart future cyberattacks of this nature from occurring again.
Here’s how the situation went down—but first, some context. This particular attack occurred among many staff members at three schools simultaneously. In this example, all names have been changed to ensure anonymity. I have changed the principal's name to "Pat Principal," and the staff member's name to "Sam Staff," but real names were used in the attack.
Before the attack, the attacker did some homework and made some preparations: they used the district website to research our schools, found the name of the school's principal, and then used the online directory to find as many school staff member email addresses as possible. The attacker then went to gmail.com and created the email account patprincipal@gmail.com to impersonate the principal (they used the principal's real name to make the attack as believable as possible). The attacker also had a set of emails written with a story that would unfold over several messages, a story they have likely used hundreds of times before.
The first part of the attack was for the perpetrator to log in to the fake patprincipal@gmail.com they had just created and send a simple email to each of the school emails they had collected:
EMAIL FROM ATTACKER
From: Pat Principal <patprincipal@gmail.com>
Date: Mon, Feb 17, 2020 at 5:51 AM
To: Sam Staff <sstaff@barrington220.org>
Are you available?
Then the attacker waited for potential victims to respond. As with all attacks, there will be “red flags” which will be highlighted here.
RED FLAGS
- The address is NOT a district email address ending in @barrington220.org, and it does not follow the district email account format (it uses the full staff member's name).
- The attacker wasn’t aware that they were attacking a school on Presidents’ Day—a day that school is usually not in session in the United States. While not all attacks strike on a non-school day, this one did and added this additional red flag.
- The attack began at 5:51 AM, a somewhat unlikely time for a principal to be emailing staff members, especially with the request that will ensue.
POTENTIAL VICTIM'S RESPONSE
From: Sam Staff <sstaff@barrington220.org>
Date: Mon, Feb 17, 2020 at 7:35 AM
To: Pat Principal <patprincipal@gmail.com>
Good morning Pat, am I available to do what?
Although the attacker emailed most of the school's staff, they only needed one (or more) potential victims to respond. The attacker continued just five minutes later...
EMAIL FROM ATTACKER
From: Pat Principal <patprincipal@gmail.com>
Date: Mon, Feb 17, 2020 at 7:40 AM
To: Sam Staff <sstaff@barrington220.org>
I'm in a meeting right now that's why i'm contacting you through here. I should have call you instead of mailing you but phones are not allowed to be use during meeting. I don't know when the meeting will be rounding up and i want you to help me out on something very important right away,can you?
Now the attacker goes to work to attempt to get the potential victim to do something: give them a username or password, ask them to download something to get control of a computer system, or in this case, try to get money or another form of payment.
RED FLAGS
- It took the potential victim over an hour to respond, but the attacker ignored that and responded just five minutes later and went on with the ruse.
- The email is written in non-standard English. Notice that “i’m” and “i” are not capitalized and a few expressions are not quite right—“i’m contacting you through here,” “I should have call you instead of mailing,” “phones are not allowed to be use during meeting,” “when the meeting will be rounding up.”
- The context of the email is also questionable—the principal is in a meeting at 7:40 AM on a non-school day and phones are not allowed to be used.
POTENTIAL VICTIM'S RESPONSE
From: Sam Staff <sstaff@barrington220.org>
Date: Mon, Feb 17, 2020 at 7:54 AM
To: Pat Principal <patprincipal@gmail.com>
Yes, of course
This is likely the response the attacker was hoping to get. Now the attacker will reveal the real purpose of the attack.
EMAIL FROM ATTACKER
From: Pat Principal <patprincipal@gmail.com>
Date: Mon, Feb 17, 2020 at 7:55 AM
To: Sam Staff <sstaff@barrington220.org>
Can you help me get a Amazon gift card from the store right now? I will surely REIMBURSE you back today once I'm done with the meeting.
So now we know what the attacker wants: cash through a gift card. Notice they are using another tactic to convey trust—they will “surely REIMBURSE you back today.” The attacker must believe that capitalizing REIMBURSE somehow makes the unlikely request more plausible. They also have not yet specifically revealed the exact request, making another email exchange necessary to further build trust.
RED FLAGS
- Again, the email message contains minor language usage issues.
- The attacker creates urgency using the phrase “right now.”
- The attacker, posing as the principal, is asking a staff member to purchase a gift card before 8AM on Presidents’ Day.
POTENTIAL VICTIM'S RESPONSE
From: Sam Staff <sstaff@barrington220.org>
Date: Mon, Feb 17, 2020 at 7:59 AM
To: Pat Principal <patprincipal@gmail.com>
How much money do you want to spend? Should I bring it to you?
The attacker must believe that they have the spear phishing victim on the hook. The attack continues...
EMAIL FROM ATTACKER
From: Pat Principal <patprincipal@gmail.com>
Date: Mon, Feb 17, 2020 at 8:01 AM
To: Sam Staff <sstaff@barrington220.org>
Thanks. The amount i want is $100 in seven (7) pieces so that will make it a total of $700 l'll be reimbursing back to you. I need physical cards which you are going to get from the store. When you get them just scratch it take a picture of them and send it to me here ok. Let me know if you can help me with that amount right away plus I will get the cards from you after the meeting but i need the pictures first
$700?! Seriously?! The message reads like a ransom note, even though the attacker has nothing to bargain. The attacker is hoping that they have built enough trust over the last seven exchanges to get the potential victim to buy the gift cards, scratch off the codes (making a gift card as good as cash), and send the photos so they can be immediately redeemed. Nice touch to add that they will get the cards in person after the meeting...on Presidents’ Day when school is not in session.
RED FLAGS
- The attacker is asking for $700 to be sent in gift cards. That’s a big red flag.
- The language used in the message continues to be non-standard English with lowercase “i,” misused expressions, and improper punctuation throughout.
- The attacker also continues the urgency angle, saying they need the gift cards “right away.”
- They remind the potential victim that they will get reimbursed.
EMAIL FROM ATTACKER
From: Pat Principal <patprincipal@gmail.com>
Date: Mon, Feb 17, 2020 at 8:17 AM
To: Sam Staff <sstaff@barrington220.org>
Have you gotten them?
EMAIL FROM ATTACKER
From: Pat Principal <patprincipal@gmail.com>
Date: Mon, Feb 17, 2020 at 9:49 AM
To: Sam Staff <sstaff@barrington220.org>
Have you gotten them?
Luckily, this potential attack did not get carried out, but it did go on for nine email exchanges. To be fair, this school had not yet had their formal Security Awareness training, but the staff member still realized that the request was not right.
This spear phishing attempt, and others like it, prey on a school staff member’s willingness to be helpful and to work with their supervisor or other school leader. After all, most of us entered the education profession to be helpful and positively impact the lives of others. The attacker here tried many tactics to turn these attributes against the potential victim, but ultimately failed. These types of cybersecurity attacks are on the rise, but we can work together to avoid them.
If you believe you are involved in a potential cyberattack, you have several options:
- Contact the Barrington 220 Tech Support team at x.1500.
- Check with the administrator allegedly sending the email in person, via @barrington220.org email, or using a Barrington 220 phone extension. Do not reply to a questionable email or call a phone number listed in a questionable email. In general, Barrington 220 administrators will NEVER ask you to make mysterious purchases with your own cash or credit card, EVER.
- Use the Report Phishing feature in Gmail. The Barrington 220 Tech Team system administrator, Russ Vander Mey, receives these alerts immediately:
We take these threats very seriously and usually go to work to mitigate an attack within moments of receiving an alert.