Have you heard the one about the PTA and the FBI? While it may sound like the start of a joke, today no one is laughing. Parent-Teacher Associations (PTAs) across the country have recently become the target of email phishing scams leading to law enforcement involvement in many cases. But what is it that makes a PTA such an appealing target for cyber criminals, and how do the scams work?
What Are PTA Programs & What Do They Do?
First, a little background. The PTA was founded in 1897 to advocate for public education while giving families and educators a common voice. Today, there are over 23,000 PTAs within the United States, with typical meetings revolving around budgets, fundraising, school safety, and where to hold prom. Despite their large numbers, PTAs would not seem to be a target for cyber criminals—those guys are phishing for the big bucks, right? But that’s a common misconception that can give PTA members a false sense of security. Some PTAs operate annual budgets in the six figures, managing money designated to support teaching positions, the purchase of school supplies, and student trips and activities. For hackers, this is a potential goldmine; many PTA members may not be particularly tech savvy and don’t expect to be scammed, enabling cyber criminals to bilk them out of hundreds and even thousands of dollars.
Of course, the education arena is no stranger to phishing attacks—they just used to be focused on institutes of higher education (we’ll cover that topic in another story). While cyber criminals continue to have their way with universities, many of those institutions are smartening up, leading hackers to look elsewhere. And so they set their sights on PTAs at every level, from kindergarten through high school.
How One School's PTA ALMOST Became A Phishing Victim
Here’s one story we recently heard, and it’s typical of how many PTA phishing scams go down.
It was the start of a new school year. The PTA board had just been formed, with “President Pam” and “Treasurer Tricia” stepping into their new roles. Of course, a new school year and a new board can make a PTA particularly vulnerable since members may not know one another—and scammers use this to their advantage. So, just a week into the school year, Tricia received an email from Pam. It went something like this:
Hi Tricia, I’m super excited to work with you and am looking forward to a great year ahead! I want to kick things off the right way with a fundraiser. We’re going to raffle off iTunes cards so we can start growing our budget! I’d call you, but my phone is being fixed and I want to get the ball rolling ASAP. Can you purchase five iTunes cards—you can get them online—and email me the barcodes on the back. I’ll reimburse at the next meeting. Thanks!
Not knowing Pam well, and seeing that the email did indeed appear to come from her, Tricia didn’t think much of the request. However, she was about to board a plane and responded to Pam that she’d have to take care of it when she returned home. Pam wrote back, now with a greater sense of urgency. That caused Tricia to raise an eyebrow, and so she decided to call Pam despite being told her phone was in for repair. Surprise, surprise, Pam answered! And she was shocked to hear Tricia’s story and happy that the purchase of the cards never went down.
Unfortunately, not all phishing email stories have a happy ending, and money meant for educational activities is lost forever.
So how did the scammers operate out of Pam’s email account? They didn’t. They sent the email from their own account and simply changed the name label to Pam. That’s why it’s important to always look at the email address, and not just the sender’s name. Of course, most of us lead busy lives and receive dozens (or even hundreds) of emails a day, and can’t always be bothered to check every email we receive. Unsurprisingly for organizations linked to schools, phishing scam education has become a priority, requiring PTA members to attend a course, online or in person, which warns about the dangers of phishing emails and explains how to avoid becoming a victim. But these courses can be costly—and PTAs and schools need to focus their modest budgets on student-centric items.
How PTAs Can Avoid Phishing Scams
Rather than spend money on training that offers knowledge that erodes over time (the so-called human firewall for cybersecurity is quite fallible), smart anti-phishing services offer a better solution. An anti-phishing service can learn legitimate patterns of communication activity within any organization, red-flagging emails that are truly unknown, suspicious, or malicious—and giving PTA members cause for pause. Smart anti-phishing services actually learn about an organization’s members and patterns of behavior and communication so that scammers can’t get through. In our story above, had Tricia been using an anti-phishing service, emails from the phony Pam would have been red-flagged and quarantined with no effort on her part.
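The name-label trick from the story, and the kind of red flag described above, can be checked mechanically by comparing the name in the From header with the address on file for that person. The following Python is an added example, not code from the original post or from Clearedin; the contact directory, addresses and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: name label -> address on file for that board member.
KNOWN_CONTACTS = {
    "pam president": "pam@pta.example",
    "tricia treasurer": "tricia@pta.example",
}

def _norm(name):
    """Lower-case and collapse whitespace so 'PAM  President' still matches."""
    return " ".join(name.casefold().split())

def check_sender(raw_message, contacts=KNOWN_CONTACTS):
    """Classify one message by its From header: 'flag', 'ok' or 'unknown'."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    expected = contacts.get(_norm(name))
    if expected and addr != expected:
        # Familiar name label, unfamiliar mailbox: the trick used on Tricia.
        return "flag", f"'{name}' normally writes from {expected}, not {addr}"
    if addr in contacts.values():
        return "ok", "address matches a known contact"
    return "unknown", f"no history with {addr or 'an empty From address'}"

# Constructed sample messages (not real mail).
SPOOFED = ("From: Pam President <pam.president@mailbox.example>\n"
           "To: tricia@pta.example\nSubject: Fundraiser\n\nQuick favor?\n")
GENUINE = ("From: Pam President <pam@pta.example>\n"
           "To: tricia@pta.example\nSubject: Agenda\n\nSee attached.\n")
STRANGER = ("From: Book Fair <orders@bookfair.example>\n"
            "To: tricia@pta.example\nSubject: Invoice\n\nThanks.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("stranger", STRANGER)):
        print(label, check_sender(raw))
```

A "flag" verdict means the name label belongs to a known contact while the mailbox does not, which is the point at which a message would be held for a phone call like the one Tricia made.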
Want to learn more about Clearedin’s phishing protection services? Speak with one of our experts and ask about our free trial. Contact Clearedin today—and keep your organization protected from phishing attacks!