get a quote

Phishing Crisis: A Step-by-Step Guide for School Districts & Nonprofits

In the age of digital communication, phishing attacks have emerged as one of the most common threats facing organizations. When the phishing attack impersonates your leadership, the threat becomes even more disconcerting. So, how do you handle a situation where your staff, students, or constituents receive deceptive emails pretending to be from your management?


Urgent: The First Few Hours

1. Immediate Identification: The first step is to acknowledge and validate the threat. IT teams should review the suspicious emails to understand the threat's magnitude.

2. Isolate and Contain: Block the sending email address and the linked malicious domain if any. Ensure that the affected accounts (if compromised) are temporarily disabled.

3. Initial Communication: Alert your staff and community about the incident. Encourage them to not click on any links or provide personal information and to report any suspicious emails they receive.


Important: The Next Few Days

1. Detailed Investigation: Dive deeper to understand the scope of the attack. Were any accounts compromised? Was any data accessed?

2. Update & Educate: Organize an emergency training session to educate staff on phishing. Use this incident as a real-world example to highlight the importance of vigilance.

3. Refined Communication: Send a detailed communication outlining the incident's specifics and steps taken to mitigate. Provide guidelines on identifying phishing attempts.


Essential: Long Term IT Changes

1. Multi-Factor Authentication: Ensure all staff accounts, especially leadership ones, use multi-factor authentication. This additional layer of security can prevent unauthorized account access.

2. Regular Security Audits: Periodically review your IT infrastructure for vulnerabilities. Keep all systems and software updated.

3. Ongoing Training: Phishing methods evolve. Regular training sessions will keep staff aware of the latest threats and safe practices.


Best Practices for Communication:

1. Phone Messaging: For urgent alerts, consider using automated phone systems to alert staff. Clear and concise instructions are vital. Example: "We've identified a phishing threat. Please avoid clicking links in emails from leadership until further notice."

2. Email Messaging: Use a different medium (e.g., official website announcement) to confirm the legitimacy of the email alert. Be detailed but avoid unnecessary jargon. Clearly mark actions that the recipient should take.


Remember, in the face of phishing, prompt action coupled with clear communication can minimize the damage and protect your organization's data and reputation. Staying prepared and educated is your best defense.