- Manor Independent School District in Texas lost $2.3 million in an email phishing scam, according to a district press release.
- Three separate transactions occurred in November, which a district employee discovered and reported in December, according to a report by CBS Austin.
- The Federal Bureau of Investigations (FBI) and the Manor Police Department are investigating the incident. While the district said there are "strong leads," it's unclear whether it will recover the money. Experts say that the FBI sometimes recovers partial amounts, but in most cases, the money cannot be fully recovered.
While schools are increasingly becoming victim to cybercrime, scams involving this large amount of money is not something Doug Levin, a K-12 cybersecurity expert, said he "sees everyday." However, Levin points out that the nature of this specific phishing attack "has been repeated at school districts across the country and has been ongoing for years."
"It has resulted in some of the single largest-dollar-value scams affecting school districts," Levin told Education Dive, adding he has recorded at least a dozen similar attacks in his database since 2016, including a recent $3.7 million scam targeting Scott County Schools in Kentucky. "The pattern seems nearly identical."
In those cases, large deals between school districts and vendors were targeted by scams specifically engineered to change bank routing information.
In 2018, the Levin's K-12 Cybersecurity Resource Center logged 122 publicly disclosed cybersecurity incidents that affected 119 public school agencies in 38 states, or about one incident every three days. The most common type involved data breaches, with a little over half carried out or caused by staff or students and a little less than a quarter including a loss of control of K-12 data by school vendors or partners.
Student data was included in 60% of K-12 data breaches in 2018, while 46% included staff information, according to the center.
Other recent incidents include a scam in November 2018 targeting Crowley Independent School District, also in Texas, which lost nearly $2 million. A man who posed as an accountant for a district construction company vendor was caught and is facing charges, but the school has only recovered an unspecified portion of the money.
Confirming large transactions with vendors through different channels, Levin said, could prevent these kinds of incidents.
Other methods used to target districts include ransomware attacks, where school systems are asked to pay a ransom amount in exchange for stolen information, and identity theft. In addition to money lost, students often lose time from school as districts recovery. Recently an attack on the Houston County School District in Alabama delayed the start of schools for its 6,400 students.