This is the first of a two-part blog.

Email Exchange:
Boss: “Hey, do you have a second?”
You: “Sure, what’s up?”
Boss: “Can you send me your cell number? I’ve changed my phone and need to text you.”
It’s your boss, or so it seems. Without hesitation, you respond, “Sure, boss. It’s 999-999-XXXX.”
Text Message to 999-999-XXXX:
“I’m tied up in meetings all day and totally slipped on getting gift cards for our staff. Could you handle that for me quickly?”

And you’re off, off the network, that is. The scammers might ask for personal or business information, or they could instruct you to purchase gift cards and send them the codes. Users typically fall for these sophisticated traps in less than 60 seconds (Verizon, 2024). In fact, according to CISA, 84% of employees who take the bait do so within the first 10 minutes (CISA, 2023).

The Evolving Landscape of Cyber Threats
For K-12 technology directors, the landscape of cyber threats is evolving at an alarming pace. Despite school systems’ typically limited budgets, scammers remain undeterred. They know that insurance companies might pay ransoms, that student PII is valuable on the dark web, and that W-2 information can be used for tax and payroll fraud. As guardians of educational and personal data, K-12 technology directors face an uphill battle in protecting their systems and communities from these relentless threats.

Not long ago, spotting a phishing attempt was as easy as noting an unsolicited email’s awkward grammar and spelling mistakes, just as those old posters still hanging in many break rooms remind us. Think of those email messages from a distant relative you never knew existed, strewn with mangled words and promising untold riches if you could just wire them $500 to unlock your inheritance. The advent of generative AI has made these attempts far more convincing, producing text, images, audio, and video that are virtually indistinguishable from genuine content and making social engineering attempts increasingly difficult to detect.

People are at the Heart of Security
Even with all the safeguards in place—such as endpoint protection, firewalls, and regular security patches—people remain the heart of the organization and its biggest risk. Human nature and emotions play a significant role, as trust, urgency, and fear can easily cloud judgment and lead to mistakes.

Social engineering is the low-hanging fruit of cyberattacks; it’s cheap and effective. According to the 2024 Data Breach Investigations Report by Verizon, 68% of all breaches involve a “non-malicious human element,” which includes mistakes like sending sensitive data to the wrong person or falling victim to a social engineering attack. This statistic underscores the significant role human error plays in security breaches. Generative AI has only magnified this risk, creating more sophisticated and convincing phishing attempts and making it even easier for scammers to exploit human vulnerabilities.

Emerging Threats: New Tricks from Nefarious Ne’er-do-wells
Cybercriminals are getting craftier by the day, using more sophisticated methods to deceive their targets. Today’s game-changer is generative AI, which perfects grammar and spelling and can even create entire social engineering campaigns.

Hybrid Phishing, Smishing, and Vishing (a lot of ishings)
Hybrid phishing attacks are also on the rise, just like the conversation at the beginning of this blog. They can start with an email asking for personal information, such as a cellphone number, which the scammers then use to move the conversation to an SMS text exchange (smishing) or a phone call (vishing) (CISA, 2023). In either case, the rest of the attack happens outside the network and outside your control, where email filtering and logging cannot see it. One sneaky tactic involves pop-up security alerts on a compromised website that appear to come from trusted sources and prompt users to take quick action. Often, this means calling a supposed support person who tricks them into allowing remote access to their computer.

AI or Not?
AI voice cloning is especially troubling. With generative AI, attackers can mimic a person’s voice with startling accuracy and impersonate trusted individuals over the phone to extract sensitive information or money, or to cause reputational damage. For instance, a school athletic director was arrested for allegedly using AI to impersonate the voice of a principal (NBC News, 2023).

Trusted Sources
Then there are the seemingly legitimate emails from compromised accounts that share a document via Google or Microsoft. The scammer uses the compromised account to create a form designed to harvest credentials and then shares it with everyone in that account’s contact list. These emails often appear authentic, coming from a known contact or a public organization, which increases the likelihood that recipients will trust the message and provide their credentials. Because the sharing notification really does come from Google or Microsoft, sender checks alone will not catch it; the tell is the unexpected request to sign in again on a form.

Oldie but Goodie (with grammatical improvements)
And, of course, we can’t forget the tried-and-true email scam: “This is IT support. We’re migrating our email server and need you to click this link to reset your password.” The reset link leads to a form that prompts users to enter their credentials, and they do so believing the request is legitimate. The giveaway is usually the link itself: the visible text may show the district’s domain while the actual destination is a look-alike site the attacker controls.
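The fake password-reset lure is usually exposed by looking at where each link actually goes rather than at what the link text says. The scanner below is an added example written for this page, not code from the original post or from CoSN. It assumes a hypothetical list of district domains (example-schools.org and example-schools.net) and runs over a constructed sample message; swap in your own domains to use it on real mail.

```python
"""Flag links in an HTML email that do not point at the organization.

Added example, not code from the original post. A link is reported when its
destination host is outside the organization's domains, or when the visible
link text shows a domain that differs from the real destination. The domain
list and the sample lure below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the district's legitimate web properties (hypothetical domains).
ORG_DOMAINS = ("example-schools.org", "example-schools.net")


def _registered(host):
    """Collapse a host to its last two labels so 'sso.example-schools.org'
    matches 'example-schools.org'. Good enough here; production code should
    consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _domain_in_text(text):
    """If the visible link text looks like a URL or bare hostname, return its
    host; otherwise None (plain words such as 'our help desk')."""
    candidate = text.strip()
    if " " in candidate or "." not in candidate:
        return None
    if "://" not in candidate:
        candidate = "//" + candidate
    return urlparse(candidate).hostname


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html_body):
    """Return every (href, text) pair found in the HTML body."""
    parser = _LinkCollector()
    parser.feed(html_body)
    return parser.links


def suspicious_links(html_body, org_domains=ORG_DOMAINS):
    """Return (href, text, reason) for each link a user should not click."""
    org = {_registered(d) for d in org_domains}
    findings = []
    for href, text in extract_links(html_body):
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel: and relative links are out of scope here
        host = _registered(parsed.hostname or "")
        if host not in org:
            findings.append((href, text, "destination outside organization: " + host))
            continue
        shown = _domain_in_text(text)
        if shown and _registered(shown) != host:
            findings.append((href, text, "link text shows a different domain"))
    return findings


# Constructed sample lure in the style of the "IT support migration" email.
SAMPLE_EMAIL = """
<p>This is IT support. We are migrating our email server and need you to
reset your password within 24 hours.</p>
<p><a href="https://login.example-schools-reset.com/sso">example-schools.org/reset</a></p>
<p>Questions? Visit <a href="https://help.example-schools.org">our help desk</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: {href!r} shown as {text!r}")
```

Running it against the sample reports the reset link as pointing outside the organization (the look-alike host example-schools-reset.com) while leaving the genuine help-desk link alone. The same function can be pointed at the HTML body of a quarantined message, or wired into a mail gateway rule that tags messages with any findings.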

These are but a small sample of tricks, supercharged by generative AI, that have become more convincing and dangerous. It’s crucial for K-12 technology directors to stay vigilant and keep their communities informed about these evolving threats.

But awareness is just the first step. In our next blog, we will delve deeper into effective communication strategies that can help protect our schools from these advanced threats.

AUTHOR: Doug Couture, CETL, Director of Technology Systems and Programs, South Windsor Public Schools (CT)

Published: September 4th, 2024

Blog #2: Tips for K-12 Technology Directors: Communication Strategies for Social Engineering Awareness

CoSN is vendor neutral and does not endorse products or services. Any mention of a specific solution is for contextual purposes.

License: CC BY-NC

References
Cybersecurity and Infrastructure Security Agency (CISA). (2023). Avoiding Social Engineering and Phishing Attacks. Retrieved from https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks
Cybersecurity and Infrastructure Security Agency (CISA). (2023). Phishing Infographic. Retrieved from https://www.cisa.gov/sites/default/files/2023-02/phishing-infographic-508c.pdf
MITRE ATT&CK Framework. Retrieved from https://airc.nist.gov/docs/NIST.AI.600-1.GenAI-Profile.ipd.pdf
NBC News. (2023). School athletic director arrested for allegedly using AI to impersonate voice of principal. Retrieved from https://www.nbcnews.com/nightly-news/video/school-athletic-director-arrested-for-allegedly-using-a-i-to-impersonate-voice-of-principal-209726533596
Verizon. (2024, May 1). 2024 Data Breach Investigations Report: Vulnerability exploitation boom. Retrieved from https://www.verizon.com/about/news/2024-data-breach-investigations-report-vulnerability-exploitation-boom