[BreachExchange] Fake Phishing Email Irks Staff at Tacoma School District

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Thu Dec 9 09:51:13 EST 2021


https://www.govtech.com/education/k-12/fake-phishing-email-irks-staff-at-tacoma-school-district


(TNS) — At first glimpse, the email seemed like good news: all employees
with Tacoma Public Schools are eligible for 20-50 percent discounts and
free shipping with Amazon for the months of November and December.

"To show our appreciation for all your efforts this year, Tacoma Public
Schools is partnering in a holiday discount program with Amazon," said the
email, sent Friday from what appeared to be district human resources.

It wasn't true.

The email was a fake, the district confirmed with The News Tribune on
Monday. It was sent by the district to its staff as part of an effort to
educate its workforce on phishing scams that can put the district's
security at risk.

"We have had an ongoing internal program of educating our workforce about
cybersecurity, password protection, and the risks of clicking on links in
phishing emails," district spokesperson Dan Voelpel said in an email on
Monday. "Part of that program involves sending periodic fake phishing
emails and tracking who clicks on them so that we can follow up with
reminders and explain how REAL phishing emails work and may look like
they're coming from legitimate sources."

The email upset some school employees, who say it was harsh to send
during the holiday season when many people might be feeling financial
stress.

Tina Taylor, a teacher at Bryant Montessori School in Tacoma, said she saw
the email circulating on social media before opening it in her inbox, so
she knew it was fake and didn't click on it. But the subject of the email —
promising a major discount during the holidays and a pandemic — was in poor
taste by the district, she said.

"There are lots of people who are working second and third jobs to make
ends meet and that could have made a difference," she said.

Ed Grassia, chief information officer for Tacoma Public Schools, sent a
letter to TPS employees on Tuesday explaining that during the holiday
season, TPS sees an increase in cyber attacks on its system.

"Please know that our intent is always to use these cyber security efforts
as a way to help educate you in a safe manner," Grassia said. "Personally,
I know how frustrating these can be and I want to work with you to learn to
protect yourselves and the district. After sending this phishing test, it
became clear to me that the subject matter and timing frustrated many
within the district. Please know that the intent of this phishing test and
any of our cybersecurity efforts is not to anger or upset anyone."

Tacoma Public Schools has a contract with KnowBe4, a company that provides
security awareness training to help people identify phishing emails. The
company has a portfolio of phishing email templates to select and customize
for TPS.

Phishing scams can help criminals not only steal identities and hack bank
accounts but also take over an organization's network. Phishing scams
have soared since the start of the COVID-19 pandemic as many people worked
from home.

KnowBe4 states on its website that "Cyber crime is moving at light speed"
and that "organizations of every size and type are at risk."

Voelpel said that 18.6 percent of recipients clicked on the link in the
fake email sent by Tacoma Public Schools last week. TPS employs more than
4,000 people. Clicking the link didn't harm anyone's computer, but a
message popped up reminding users of the red flags of phishing emails.
Similarly, if users reported the email as a phishing attempt, they were
congratulated.

"KnowBe4 helps employees confront the fact that bad guys are trying to
trick them," according to KnowBe4's website. "Once they confront that, they
become aware and able to detect these scam emails and can take appropriate
action like deleting the email or not clicking a link."

Some Tacoma Public School employees felt tricked.

Linda Snyder, a nurse at Tacoma Public Schools, said it's the "lowest
thing" she's seen Tacoma Public Schools share during a holiday season.

From nurses to paraeducators to nutrition services, the district has been
understaffed, and employees have been working extra hard to keep up.

"It is so rude," she said.

Companies across the country send fake phishing emails in an
effort to teach their staff not to click on them. They haven't always been
received well by the people getting them, as was the case in September
2020, when an email to Tribune Publishing Company staff appearing to give
them a major holiday bonus turned out to be fake.

Grassia wrote in a recent internal story about the strategies scammers use
to trick people.

"...cybercriminals don't care whether or not something is appropriate or
how a user will feel or react when they get their email. They are counting
on hooking you with a relevant and timely subject so you don't even
question it, you just open and click," Grassia wrote.

Tacoma Public Schools has faced its own phishing scams costing thousands of
dollars. In 2018, a spreadsheet was opened in a phishing email that spread
to 1,800 computers and cost $100,000 to fix.

The district hopes the program educates people about the potential signs of
a phishing email: non-district email addresses, a sense of urgency in the email
and any grammar or spelling errors.

For some, like Taylor, the email wasn't right.

"They're freaking tone deaf," she said.