A phishing campaign targeting educational institutions used deceptively simple tactics to defraud school staff. Scammers created Gmail accounts that mimicked the names of school leaders, then sent messages with urgency-inducing subject lines like "Follow up" or "Are you Available?" asking recipients to reply quickly.
Once a staff member responded, the attacker would claim to be in a meeting and unable to talk, then request a $200 or $300 gift card from Amazon or iTunes. The simplicity of the attack is what makes it effective -- people still fall for it, especially on mobile devices where seeing the real email address is not as easy.
The criminals used several email format variations to impersonate school administrators:
There were documented instances of staff members losing hundreds of dollars, including one case where an employee sent $100 in iTunes gift cards before realizing the request was fraudulent.
Schools can take immediate action through their email providers by creating blacklist rules that block incoming messages containing patterns like:
For long-term protection, organizations should invest in DNS filtering and phishing awareness training programs. Understanding how DNS works can also help. Tools like Duo Insights and KnowBe4 provide simulated phishing exercises that train staff to recognize and report suspicious emails.
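The blacklist rules described above can be expressed as a few header checks: does the sender's display name match a known school leader while the address is not that leader's real mailbox, does a leader's name appear inside a free-webmail address, and does the subject line match the short urgency lures the campaign used. The following is an added example, not code from CleanBrowsing or the original post; the staff roster, the `example-school.org` domain and the sample headers are constructed for illustration, and the set of free webmail domains beyond Gmail is an assumption.

```python
import re
from email.utils import parseaddr

# Constructed roster of school leaders: normalized name -> their real organization mailbox.
# A real deployment would load this from the staff directory (assumption for this example).
LEADERS = {
    "jane doe": "jdoe@example-school.org",
    "john smith": "jsmith@example-school.org",
}

# Free webmail providers: the campaign on this page used Gmail; the others are an assumption.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# The two subject lines quoted on the page, stored in the same normalized form as incoming subjects.
URGENT_SUBJECTS = {"follow up", "are you available"}


def normalize(text):
    """Lower-case, drop punctuation, collapse whitespace ('Are you Available?' -> 'are you available')."""
    return " ".join(re.sub(r"[^a-z0-9 ]+", "", text.lower()).split())


def classify_message(from_header, subject):
    """Return the list of rule names that fire for one From/Subject header pair.

    Rules prefixed 'impersonation:' mean the sender claims a leader's identity from
    somewhere other than that leader's real mailbox; 'lure:' marks the campaign's
    urgency subject lines, which on their own are not enough to quarantine.
    """
    display_name, address = parseaddr(from_header)
    address = address.lower()
    local_part, _, domain = address.partition("@")
    name = normalize(display_name)
    reasons = []

    # Rule 1: display name matches a roster leader but the address is not that leader's mailbox.
    # This is the case mobile clients hide, because they show only the display name.
    if name in LEADERS and address != LEADERS[name]:
        reasons.append("impersonation:display-name-mismatch")
        if domain in FREE_MAIL_DOMAINS:
            reasons.append("impersonation:free-webmail-domain")

    # Rule 2: a leader's name embedded in the local part of a free-webmail address
    # (e.g. janedoe.principal@gmail.com), which the display-name check alone would miss.
    squashed_local = re.sub(r"[^a-z0-9]", "", local_part)
    for leader in LEADERS:
        if leader.replace(" ", "") in squashed_local and domain in FREE_MAIL_DOMAINS:
            reasons.append("impersonation:leader-name-in-webmail-address")
            break

    # Rule 3: the short urgency subject lines the campaign used.
    if normalize(subject) in URGENT_SUBJECTS:
        reasons.append("lure:urgency-subject")

    return reasons


def should_quarantine(from_header, subject):
    """Quarantine only when an impersonation rule fired; a bare 'Follow up' from a real
    colleague is normal traffic and must not be blocked."""
    return any(r.startswith("impersonation:") for r in classify_message(from_header, subject))


# Constructed sample headers modelled on the campaign described on the page.
SAMPLES = [
    ('"Jane Doe" <janedoe.principal@gmail.com>', "Are you Available?"),  # the scam pattern
    ('"Jane Doe" <jdoe@example-school.org>', "Budget meeting agenda"),   # legitimate
    ('"Principal" <johnsmith88@gmail.com>', "Follow up"),                # leader name hidden in address
    ('"John Smith" <jsmith@example-school.org>', "Follow up"),           # legitimate, urgent subject only
]

if __name__ == "__main__":
    for hdr, subj in SAMPLES:
        verdict = "QUARANTINE" if should_quarantine(hdr, subj) else "deliver"
        print(f"{verdict:10} {hdr!r:48} {subj!r}  {classify_message(hdr, subj)}")
```

The subject-line rule is deliberately kept as an aggravating signal rather than a block condition: blocking every "Follow up" would generate constant false positives, whereas a leader's name paired with a non-roster mailbox is rare in legitimate traffic and is the signal worth acting on.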
The key lesson is that phishing attacks do not require sophisticated technology. Social engineering that exploits trust and authority relationships remains one of the most effective attack vectors, and education is the strongest defense against it.