Phishing Targeting School Staff and Students: Threats, Tactics and How to Defend Against Them
Phishing is the dominant initial access vector for cyberattacks on UK education institutions. JISC threat reports consistently identify phishing — particularly credential-harvesting attacks targeting staff Office 365 and Google Workspace accounts — as the most common method attackers use to gain their first foothold in school and university networks. From there, attackers move laterally, escalate privileges, and ultimately deploy ransomware or exfiltrate data. A single compromised staff email account is frequently all it takes to begin an attack that takes a school offline for weeks.
JISC identifies phishing as the dominant initial access vector for cyberattacks on UK universities and colleges — credential theft from staff accounts is the most common entry point.
How Phishing Attacks Target Schools
Phishing attacks on education institutions typically take several forms:
- Credential harvesting: fake Office 365 or Google Workspace login pages sent via email, harvesting staff passwords
- Malicious attachments: malware-laden Word documents or PDFs disguised as term reports, OFSTED letters, or HR communications
- Spear phishing: targeted attacks on specific staff — finance officers, IT administrators, headteachers — using personalised information
- Impersonation: emails appearing to come from the headteacher, DfE, or a supplier requesting urgent action
- Student account targeting: phishing campaigns targeting student email accounts for credential theft or fraud enablement
Business Email Compromise in Education
Business email compromise (BEC) — where attackers use a compromised or spoofed email account to authorise fraudulent payments — is an increasing threat in education. Finance officers are targeted with urgent payment requests appearing to come from headteachers or trust finance directors. Schools have lost tens of thousands of pounds to BEC fraud where invoice payment details were changed following a compromised supplier email account. Multi-academy trust (MAT) finance teams are particularly targeted, as they process significant payments to contractors, EdTech vendors, and local authority services. The Harris Federation and other large MATs have been specific targets for BEC-style fraud attempts.
Technical Defences Against Phishing
The most effective technical controls against phishing in an education environment are:
- MFA on all staff accounts — stops a harvested password from being usable on its own, even when it has been phished
- Email filtering with anti-phishing detection — block malicious URLs, attachments, and spoofed senders
- DMARC, DKIM, and SPF email authentication — prevent spoofing of the school's own domain
- Safe Links and Safe Attachments (Microsoft 365 Defender) — scan links and attachments at time of click
- External email banners — flag emails originating from outside the school's domain
- Web filtering — block access to known malicious and phishing domains
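To make the email-authentication control above concrete, here is an added example (not from the original article) that audits the SPF and DMARC TXT records a school domain publishes and flags the weak settings (`+all`, `p=none`, no aggregate reports, too many lookup terms) that leave the domain spoofable. The domain name and records are constructed samples; a live check would resolve them with a DNS library instead of the `SAMPLE_TXT` dictionary.

```python
# Audit the SPF and DMARC TXT records a school domain publishes.
# Added example, not from the original article; constructed sample records so it runs offline.
import re

# Constructed sample TXT records for a hypothetical domain (not real data).
SAMPLE_TXT = {
    "example-school.sch.uk": ["v=spf1 include:spf.protection.outlook.com +all"],
    "_dmarc.example-school.sch.uk": ["v=DMARC1; p=none; rua=mailto:dmarc@example-school.sch.uk"],
}
# SPF terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:/=]|$)", re.I)


def audit_spf(record: str) -> list[str]:
    """Return weaknesses in an SPF record; an empty list means none found."""
    if not record.lower().startswith("v=spf1"):
        return ["no SPF record: any host may send as this domain"]
    terms = record.split()[1:]
    findings = []
    if "+all" in terms or "all" in terms:
        findings.append("'+all' authorises every sender, SPF is ineffective")
    elif "~all" in terms or "?all" in terms:
        findings.append("softfail/neutral 'all'; use '-all' once DMARC is enforced")
    elif "-all" not in terms:
        findings.append("no 'all' mechanism, default result is neutral")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def audit_dmarc(record: str) -> list[str]:
    """Return weaknesses in a DMARC record; an empty list means none found."""
    if not record.upper().startswith("V=DMARC1"):
        return ["no DMARC record: SPF/DKIM failures are not acted on"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    findings = []
    policy = tags.get("p", "").strip().lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or invalid policy '{policy}'")
    if "rua" not in tags:
        findings.append("no rua= address, aggregate reports are not collected")
    return findings


def audit_domain(domain: str, txt: dict) -> dict:
    """Pick the SPF and _dmarc records for domain out of txt and audit both."""
    spf = next((r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")), "")
    dmarc = next((r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")), "")
    return {"spf": audit_spf(spf), "dmarc": audit_dmarc(dmarc)}
```

Run against the sample, the SPF check reports the `+all` term and the DMARC check reports `p=none`; a domain with `-all` and `p=reject` returns empty lists for both.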
Staff Security Awareness Training
Technical controls alone cannot prevent all phishing attacks. Staff security awareness training — teaching staff to recognise phishing emails, verify unexpected requests, and report suspicious messages — is an essential complement to technical defences. The DfE standards require security awareness training, and the NCSC offers free training materials through its eLearning platform. Simulated phishing exercises — sending test phishing emails to staff and measuring click rates — provide valuable data on training effectiveness and help identify staff who need additional support. Annual training combined with quarterly simulated exercises is considered best practice.
Frequently Asked Questions
How does MFA protect against phishing in schools?
MFA means that even if an attacker harvests a staff member's password through a phishing attack, they cannot use that password alone to access the account. They also need the second factor — typically a code from an authenticator app or a notification to a registered device. This single control eliminates the vast majority of credential-based account takeovers. The NCSC rates MFA as one of the most effective cybersecurity controls available, and the DfE standards require it for all staff accounts.
What should a staff member do if they click a phishing link?
Do not enter any credentials if a login page appears. Immediately report the incident to the school's IT lead or IT support. Change your password if you have entered it anywhere. IT should check the account for any unauthorised access or rule changes (adding email forwarding rules is a common attacker tactic). The incident should be documented and assessed for whether a data breach notification to the ICO is required.
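As an added example (not part of the original article) of the inbox-rule check in the answer above, the following triages a mailbox's rules for the patterns attackers typically set up after a compromise: forwarding or redirecting to an external address, hiding the forwarded copies, matching finance keywords, and near-blank rule names. The rule objects are constructed samples modelled on the Microsoft Graph messageRule shape (an assumption about field names), and the school domain is hypothetical.

```python
# Triage a mailbox's inbox rules after a suspected phishing compromise.
# Added example, not from the original article; constructed rules modelled on the Graph messageRule shape.
SCHOOL_DOMAIN = "example-school.sch.uk"  # hypothetical school domain
BEC_WORDS = {"invoice", "payment", "bank", "remittance", "password"}

# Constructed sample rules (not real data): one attacker-style, two benign.
SAMPLE_RULES = [
    {"displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "payment"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@attacker-mail.example"}}],
                 "delete": True, "markAsRead": True}},
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": "Cover", "isEnabled": True, "conditions": {},
     "actions": {"redirectTo": [{"emailAddress": {"address": "office@example-school.sch.uk"}}]}},
]


def external_targets(actions: dict) -> list[str]:
    """Addresses the rule forwards or redirects to outside the school domain."""
    found = []
    for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):
        for recipient in actions.get(key, []):
            addr = recipient.get("emailAddress", {}).get("address", "").lower()
            if addr and not addr.endswith("@" + SCHOOL_DOMAIN):
                found.append(addr)
    return found


def triage_rule(rule: dict) -> list[str]:
    """Reasons a rule looks like attacker persistence; empty list means benign."""
    if not rule.get("isEnabled", True):
        return []
    actions, conditions = rule.get("actions", {}), rule.get("conditions", {})
    reasons = []
    external = external_targets(actions)
    if external:
        reasons.append("forwards or redirects mail externally to " + ", ".join(external))
        # Deleting or marking as read hides the forwarded copies from the mailbox owner.
        if actions.get("delete") or actions.get("markAsRead"):
            reasons.append("hides forwarded mail by deleting or marking it read")
    words = {w.lower() for k in ("subjectContains", "bodyContains") for w in conditions.get(k, [])}
    if words & BEC_WORDS:
        reasons.append("matches finance or credential keywords " + ", ".join(sorted(words & BEC_WORDS)))
    if len(rule.get("displayName", "").strip()) <= 1:  # '.' or blank names are a common tell
        reasons.append("suspiciously short rule name")
    return reasons


def triage_mailbox(rules: list[dict]) -> dict[str, list[str]]:
    # Map each suspicious rule's name to its reasons; benign rules are omitted.
    return {r["displayName"]: reasons for r in rules if (reasons := triage_rule(r))}
```

On the sample data only the rule named "." is reported, with all four reasons; the internal redirect and the newsletter filter are left alone.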
Are students a phishing risk in schools?
Yes — student accounts are increasingly targeted, both as entry points into school networks and for direct fraud. Students with access to school systems can have their accounts compromised and used for lateral movement. Additionally, students themselves may be the target of fraud — fake student loan communications, fake exam board notifications, or social media account compromises. Student security awareness should be part of the school's overall security programme.