Phishing attacks targeting schools have changed. They’re no longer limited to poorly written emails asking someone to “click here.” Today’s phishing messages are often well-designed, personalized, and delivered through multiple channels—email, text messages, phone calls, and QR codes posted on campus.

For superintendents, IT administrators, business offices, and campus leaders, phishing is more than an annoyance. A single successful attempt can lead to credential theft, fraudulent payments, data exposure, or ransomware disruption. The good news: schools can significantly reduce phishing risk with a combination of training, verification procedures, and identity/email controls.

Below are the modern tactics schools are seeing most—and practical steps to help staff spot them.

Why Schools Are Frequent Targets

Schools are attractive targets because they often have:

  • Public-facing staff directories and vendor information
  • High-volume communications with families, vendors, and community partners
  • Busy seasons (testing, summer projects, back-to-school) when urgency feels normal
  • Decentralized purchasing and approvals across campuses and departments
Attackers take advantage of the pace: they don’t need every employee to click—just one.

What Phishing Looks Like in Schools Today

1) Business Email Compromise (BEC): Executive or Vendor Impersonation

BEC attacks mimic a superintendent, principal, business manager, or vendor. Many contain no links or attachments, making them harder for filters to detect.

Common examples in schools:

    • “I need you to purchase gift cards for staff recognition—reply when you can.”
    • “We changed our banking info—use the updated ACH details attached.”
    • “Can you pay this invoice today? We need it processed before close.”

Best defense: verification workflows for payments and account changes.

2) Fake Microsoft 365 / Google Login Pages (Credential Phishing)

These messages try to steal usernames and passwords using convincing “sign in to view” pages.

Common lures:

    • “Your password expires today”
    • “You have a new voicemail”
    • “Document shared with you”
    • “Mailbox storage exceeded”

Red flag: unexpected login prompts—especially when the message creates urgency.

3) Smishing & Vishing (Text and Phone)

Staff may receive texts about payroll, benefits, package deliveries, or “urgent account alerts.” Vishing calls may impersonate IT and ask staff to share an MFA code.

Reminder: IT should never ask an employee to provide their MFA code.

4) QR Code Phishing (“Quishing”)

QR codes are common in school settings (events, cafeterias, sign-ups, fundraisers). Attackers may post a QR code in a staff lounge or near a front desk labeled:

    • “Mandatory benefits update”
    • “New security training”
    • “Updated staff policies”

A scan can send users to a credential-harvesting site.

5) Reply-Chain Phishing (Compromised Accounts)

When an attacker gains access to a real mailbox, they may reply within an existing thread. Because it’s part of a real conversation, staff are more likely to trust it.

Fast Red Flags Staff Can Learn

Train staff to slow down when they see:

  • Requests for money, gift cards, vendor payments, or banking changes
  • Unusual urgency, secrecy, or “don’t call” language
  • A sender address that’s close—but not exact (lookalike domains)
  • Unexpected password reset or MFA prompts
  • Links that don’t match the sender or message context
  • Attachments that don’t make sense for the conversation
  • QR codes posted in public/common areas without a clear, verified source
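
Of the red flags above, the lookalike sender domain is the one a script can check before a person ever has to judge the message. The following is an added example and is not code from the original article or from INSURICA: a small Python triage check that compares the sender's registrable domain with a constructed allow-list of the district's own domain and known vendors, folds the character substitutions lookalikes rely on (0 for o, 1 for l, rn for m), measures edit distance to catch typo-squats, and flags a trusted name buried inside an unrelated domain. The domain names, the distance threshold and the result labels are assumptions.

```python
"""Triage a sender address against a list of trusted domains.

Added example (not from the original article). TRUSTED_DOMAINS and the
distance threshold are assumptions; a district would load its own list.
"""
import re

# Constructed allow-list: the district's own domain and two known senders.
TRUSTED_DOMAINS = {"springfieldisd.org", "bigbooksupply.com", "microsoft.com"}
MAX_EDIT_DISTANCE = 2  # typo-squats usually differ by one or two characters


def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@domain>' or a bare address."""
    match = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    if not match:
        raise ValueError(f"no domain in sender address: {address!r}")
    return match.group(1).lower().rstrip(".")


def registrable(domain: str) -> str:
    """Last two labels of the domain (simplification: ignores public-suffix
    cases such as co.uk, which a real deployment would handle)."""
    return ".".join(domain.split(".")[-2:])


def normalize(domain: str) -> str:
    """Fold the substitutions lookalikes rely on so that 'bigb00ksupply' and
    'rnicrosoft' compare equal to the names they imitate."""
    folded = domain.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans("01357", "olest"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' (hold for verification), or 'unknown'."""
    domain = sender_domain(address)
    reg = registrable(domain)
    if domain in trusted or reg in trusted:
        return "trusted"
    reg_norm = normalize(reg)
    for good in trusted:
        good_label = good.split(".")[0]
        if reg_norm == normalize(good):
            return "lookalike"          # differs only by confusable characters
        if edit_distance(reg_norm, normalize(good)) <= MAX_EDIT_DISTANCE:
            return "lookalike"          # typo-squat such as a dropped letter
        if len(good_label) >= 5 and good_label in domain:
            return "lookalike"          # trusted name buried in another domain
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, one per pattern the checks cover.
    for sample in [
        "Payroll <hr@springfieldisd.org>",
        "ap@bigb00ksupply.com",
        "noreply@rnicrosoft.com",
        "alerts@springfieldisd.org.secure-portal.net",
        "news@example.net",
    ]:
        print(f"{classify_sender(sample):9}  {sample}")
```

A "lookalike" result should route the message to the same out-of-band verification the article recommends for payments and account changes rather than silently dropping it: the check is a triage aid, and the substring rule in particular will also catch legitimate partner domains that reuse a vendor's name.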

School-Ready Ways to Reduce Phishing Risk

1) Create a “Verify Out of Band” Rule for High-Risk Requests

Require verification using a known number from the school directory—not the email signature—before:

    • Wires/ACH payments
    • Vendor banking changes
    • Direct deposit changes
    • Requests for W-2s, payroll data, or large employee lists
    • Account/MFA changes

2) Make Reporting Easy (and Encourage It)

Staff should have a simple, consistent way to report suspicious messages:

    • “Report Phishing” button in email (if available)
    • Forward to a security mailbox
    • Submit a ticket

Promote a culture where reporting is praised—even if someone clicked.

3) Train All Year (Short and Specific)

Annual training isn’t enough. Consider monthly micro-training and short simulations focused on:

    • Superintendent impersonation
    • Vendor payment fraud
    • Fake login pages
    • QR code phishing
    • MFA/social engineering calls

4) Strengthen Email and Identity Controls

Work with IT or your managed service provider to confirm:

    • MFA on all staff accounts (especially email)
    • Conditional access/risky sign-in controls
    • Legacy authentication disabled where possible
    • SPF, DKIM, and DMARC configured
    • Alerts for suspicious inbox rules and forwarding
    • Least privilege for finance/HR and shared mailboxes
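
Of the controls listed, the alert on suspicious inbox rules is the one most often left to manual review, because the rules themselves look mundane. The following is an added example and is not code from the original article or from INSURICA: a Python audit of exported inbox rules that flags the patterns seen after a mailbox has been taken over (auto-forwarding outside the district, and rules that delete or bury messages about payments, passwords or sign-in alerts). The rule records, the district domain and the field names are constructed assumptions, not any mail platform's real export format; the checks are the point, and an administrator would map them onto whatever export their platform provides.

```python
"""Audit mailbox inbox rules for the patterns that follow a compromised account.

Added example (not from the original article). The InboxRule fields, the
district domain and the sample rules are constructed; map the fields onto
your own platform's rule export.
"""
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"springfieldisd.org"}  # constructed district domain

# Subject words an attacker keys rules on to hide fraud or evidence of the
# compromise itself (payment chatter, password resets, new sign-in alerts).
SENSITIVE_WORDS = {"invoice", "payment", "wire", "ach", "banking", "password",
                   "mfa", "verification", "sign-in", "security", "hacked", "phish"}
# Folders users rarely open, so messages moved there go unnoticed.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "deleted items",
                  "junk email", "conversation history"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    subject_contains: list = field(default_factory=list)
    forward_to: list = field(default_factory=list)
    move_to_folder: str = ""
    delete: bool = False
    mark_read: bool = False


@dataclass
class Finding:
    mailbox: str
    rule: str
    severity: str
    reason: str


def _is_external(address: str, internal_domains) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def _touches_sensitive(rule: InboxRule) -> bool:
    words = " ".join(rule.subject_contains).lower()
    return any(w in words for w in SENSITIVE_WORDS)


def audit_rule(rule: InboxRule, internal_domains=INTERNAL_DOMAINS) -> list:
    """Return the findings for one rule, most serious first."""
    findings = []
    external = [a for a in rule.forward_to if _is_external(a, internal_domains)]
    if external:
        findings.append(Finding(rule.mailbox, rule.name, "high",
                                "forwards mail outside the district to " + ", ".join(external)))
    if _touches_sensitive(rule):
        if rule.delete:
            findings.append(Finding(rule.mailbox, rule.name, "high",
                                    "deletes messages about finance/security topics"))
        elif rule.move_to_folder.lower() in HIDING_FOLDERS:
            findings.append(Finding(rule.mailbox, rule.name, "high",
                                    f"hides finance/security messages in '{rule.move_to_folder}'"))
        elif rule.mark_read or rule.move_to_folder:
            findings.append(Finding(rule.mailbox, rule.name, "medium",
                                    "marks read or moves finance/security messages"))
    if not rule.name.strip(" .,-_"):
        findings.append(Finding(rule.mailbox, rule.name, "medium",
                                "rule has a blank or punctuation-only name"))
    return findings


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS) -> list:
    return [f for r in rules for f in audit_rule(r, internal_domains)]


def severity_counts(findings) -> dict:
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample export: two benign rules, two that should page someone.
SAMPLE_RULES = [
    InboxRule("teacher@springfieldisd.org", "Newsletters", ["newsletter"],
              move_to_folder="Newsletters"),
    InboxRule("frontdesk@springfieldisd.org", "Share with AP", ["invoice"],
              forward_to=["ap@springfieldisd.org"]),
    InboxRule("ap@springfieldisd.org", ".", ["invoice", "payment", "ACH"],
              forward_to=["ap.springfield@mail.example"], delete=True),
    InboxRule("principal@springfieldisd.org", "Cleanup", ["password", "suspicious sign-in"],
              move_to_folder="RSS Subscriptions", mark_read=True),
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f.severity.upper():6}] {f.mailbox} rule {f.rule!r}: {f.reason}")
```

Run against a nightly export, a "high" finding on a finance or HR mailbox is the trigger to reset the account's credentials and sessions and to check recent payment requests from that mailbox, which is where the reply-chain phishing described earlier usually starts.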

Bottom Line

Phishing attacks are evolving, and schools are frequent targets. The best defense is layered: train staff to spot red flags, require verification for high-risk actions, and harden identity and email controls to reduce the chance one click becomes a major incident.

For more risk management resources, please contact an Insurance & Risk Management Advisor today.

About the Author

INSURICA