Targeting K-12 Educators

What Phishing Scams Target Teachers and School Staff?

Phishing attacks targeting teachers and school staff fall into six recurring categories: payroll direct deposit fraud, superintendent impersonation gift card scams, W-2 tax data requests, fake IT helpdesk credential harvesting, spoofed parent or student emails, and fraudulent state education department notifications. Each scenario exploits specific trust relationships and time pressures unique to K-12 environments. These are not adapted versions of corporate phishing lures. They are designed from the ground up around the workflows, authority structures, and communication patterns that define how schools operate day to day.

‍

Why Educators Are a High-Value Target

School staff manage sensitive student records, hold district network access, process payroll, and handle budget transactions. They do all of this from inboxes that absorb dozens of messages per day during the school year, often without time to verify whether an email is legitimate. Cybercriminals design phishing lures around the rhythms, relationships, and trust structures of K-12 schools: the authority of a superintendent, the urgency of a state compliance deadline, the familiarity of a parent email.

The Consortium for School Networking reports that more than 90% of cyberattacks in schools start with phishing campaigns, including spear phishing and business email compromise attacks. When a phishing attack succeeds, the compromised account does not just expose the individual. Attackers routinely use compromised staff accounts to send phishing messages that bypass district security filters entirely, because the messages originate from a trusted, internal address. Understanding what phishing simulation is and how it works is the first step toward building defenses against these threats.

‍

Scenario 1: The Payroll Direct Deposit Redirect

A staff member receives an email appearing to come from the district HR or payroll department, claiming there is an issue with their direct deposit and asking them to log in to the district portal to update banking information. The link leads to a convincing replica of the real portal. The attacker captures the staff member's credentials and, in some variants, contacts the payroll department directly, posing as the employee, to submit a direct deposit change that redirects future paychecks to an attacker-controlled account.

The NJCCIC has documented multiple direct deposit scam reports primarily targeting educational institutions, noting that threat actors research organizations, impersonate employees using display name spoofing, and email payroll or HR departments to request direct deposit changes. In some cases, attackers compromise an employee's actual email account to avoid suspicion. The NJCCIC advises implementing strict verification processes including verbal or in-person confirmation before processing any direct deposit change.

Red flags to train for:

• Unexpected requests to update banking information via email
• Links leading to URLs that do not match the district's official domain
• Urgency language around a "pending payroll issue" or "immediate action required"
• Requests that bypass established verification procedures such as voided check requirements or in-person confirmation
  ‍

Scenario 2: The Superintendent Gift Card Request

A staff member, often an administrative assistant or school secretary, receives a text or email that appears to be from the superintendent or principal. The message is brief: "I am in a meeting and cannot talk. I need you to grab some gift cards for a staff recognition event. Can you handle this and I will reimburse you?" The staff member purchases the gift cards and sends back the redemption codes. The money is gone immediately and irrecoverably.

This scam exploits the culture of schools specifically. Staff trust their principals and superintendents. They want to be responsive and helpful. "Staff recognition" is something schools genuinely do, so the request feels plausible until it is too late. The U.S. Department of Education's Privacy Technical Assistance Center has specifically flagged that phishing attacks against school districts frequently begin with an email purporting to be from a highly placed executive such as the superintendent.

Red flags to train for:

• Requests from a personal email address or one with a subtle misspelling of the sender's name
• Instructions to keep the request confidential or act immediately
• Gift cards are never a legitimate payment method for school purchases
• No phone verification or secondary confirmation channel offered
  ‍

Scenario 3: The Fake IT Helpdesk Account Suspension

A teacher receives an email from what appears to be the district IT department. The subject line warns that their Google or Microsoft account will be suspended unless they verify their login within 24 hours. The link leads to a fake login page. The teacher enters their district credentials, and the attacker gains access to that account, often using it within minutes to send phishing messages to colleagues, parents, and students from a trusted, internal address.

At Carlmont High School in San Mateo, California, a business teacher's account was compromised through phishing. The attacker then used that account to send phishing emails posing as job offers to the teacher's students. The school's site technology manager confirmed that phishing spreads through compromised accounts because messages come from someone the recipient trusts. Phishing attacks have been on the rise throughout the Bay Area, with the director of technology for the Belmont-Redwood Shores School District noting a significant increase in compromised accounts starting around December 2024.

Red flags to train for:

• Urgent account suspension warnings with tight deadlines
• Generic greetings ("Dear User") rather than the staff member's actual name
• Link URLs that do not match official Google, Microsoft, or district domains
• District IT teams rarely send urgent account warnings via email without prior communication through other channels
  ‍

Scenario 4: The W-2 Tax Data Harvest

During tax season, a district's business manager or HR coordinator receives a brief email appearing to come from the superintendent: "We need to compile W-2s for all staff ahead of the state audit. Can you send me the W-2 file for all staff by end of day?" If the recipient complies, the attacker holds names, Social Security numbers, home addresses, and salary information for every staff member in the district. That data is used immediately to file fraudulent tax returns.

The U.S. Department of Education's Privacy Technical Assistance Center issued a specific warning on this pattern, noting that W-2 phishing attacks on school districts typically involve an email purporting to be from the superintendent, sent directly to whoever handles staff tax records. The IRS has also flagged this scam type and requests that recipients forward the email to phishing@irs.gov with the subject "W2 Scam." The critical distinction with this scenario: there is no malicious link to click. The entire attack lives in the reply.

Red flags to train for:

• Bulk W-2 or personnel record requests arriving via email, especially from leadership
• Same-day deadlines on sensitive data requests
• No phone or in-person verification for transfers involving Social Security numbers
• Any request for Social Security numbers via email, regardless of the apparent sender
  ‍

Scenario 5: The Spoofed Parent or Student Email

A teacher receives an email appearing to be from a parent or student: "My child was absent and submitted their assignment. Can you check their grade?" or "I cannot log in to the parent portal. Can you reset my credentials?" The email contains a link or attachment. The link leads to a credential harvesting page or triggers a malware download. In some variants, a "student" sends a link to a shared document for the teacher to review.

Teachers communicate with parents and students constantly, so a message from a parent does not raise an immediate flag. The request is entirely believable, and teachers routinely open links and documents that students share as part of normal classroom workflow. Education Week (February 2026) reported on documented incidents in Kentucky where students crafted phishing emails as part of a cybersecurity class project, and 29 out of 164 staff members clicked the link, demonstrating how easily school staff fall for messages that mimic internal communication patterns.

Red flags to train for:

• Links leading to external file-sharing sites rather than district-approved platforms
• Unfamiliar email domains, such as a Gmail address instead of the district's parent portal domain
• Any request to log in or verify credentials via a link embedded in an email
  ‍

Scenario 6: The Fraudulent State Education Department Notification

A curriculum director, principal, or district administrator receives a polished email purportedly from the state Department of Education, claiming a compliance report is due and asking the recipient to log in to a state reporting portal. The link leads to a spoofed login page designed to harvest credentials. In some variants, the email includes an attachment disguised as a compliance form that installs malware when opened.

State compliance deadlines are real, recurring, and stressful for district administrators. The email matches the visual language and professional tone of actual state communications. The NJCCIC documented a spearphishing campaign targeting the education sector that masqueraded as New Jersey state compliance training. In that campaign, a compromised school district employee account was used to send fraudulent training compliance notifications, and the emails contained urgency language designed to pressure recipients into immediate action.

Red flags to train for:

• State agency URLs that do not exactly match official government domains (for example, .com or .org instead of .gov)
• Unexpected new login portals that do not match platforms the district already uses
• Attachments in .exe, .zip, or other unexpected file formats
• Cross-checking any compliance deadline email against the district's known reporting calendar before clicking
  ‍

The Common Thread Across All Six Scenarios

Every phishing scenario targeting K-12 educators exploits the same core vulnerabilities in the school environment: authority and trust (attackers impersonate superintendents, IT departments, state agencies, and parents), time pressure (educators have no margin to stop and verify), familiarity with real processes (each scenario maps precisely onto something that genuinely happens in schools), and limited IT support (there is rarely someone to call for a quick verification before clicking).

This is exactly why generic cybersecurity training fails in K-12 settings. Training built on corporate scenarios, such as invoice approvals, vendor contract requests, and executive wire transfers, does not prepare staff for the lures they actually receive. The scenarios have to match the environment. A structured phishing simulation program uses these real-world K-12 lures as the foundation for training, not recycled enterprise templates.

‍

How Simulation Training Builds Pattern Recognition Where It Matters

Knowing these scenarios exist is not enough. Staff need to experience them in a controlled environment: receiving a simulated payroll redirect, a fake superintendent gift card text, a spoofed state compliance email. When the training mirrors the actual threat landscape, staff build pattern recognition through realistic, school-specific scenarios followed immediately by brief feedback that explains what happened and why.

The difference between generic corporate training and K-12-specific simulation is whether staff recognize the real attack when it arrives in their inbox. A teacher who has seen a fake superintendent gift card request in a simulation will recognize the real one before the codes are sent. Tracking the right metrics after simulation training confirms whether pattern recognition is actually improving across the district.

For a comprehensive overview of how simulation training works in K-12, including how these scenarios are adapted into controlled training exercises, see The Complete Guide to Phishing Simulation Training for K-12 Schools.

‍

Frequently Asked Questions

What is the most common phishing attack in schools?

The most common phishing attacks in K-12 schools are business email compromise scams, particularly superintendent or principal impersonation emails requesting gift card purchases, direct deposit changes, or sensitive data like W-2 records. The Consortium for School Networking reports that more than 90% of cyberattacks in schools begin with phishing campaigns. Credential harvesting through fake IT helpdesk emails is also widespread, because compromised accounts enable attackers to send further phishing from trusted internal addresses.

How can teachers identify a phishing email?

Teachers should verify the sender's actual email address (not just the display name), watch for urgency language designed to pressure immediate action, hover over links to check whether URLs match official district or government domains, and treat any email requesting credentials, financial changes, or sensitive data as suspicious until verified through a separate communication channel such as a phone call. If something feels unusual, report it to the district IT team before clicking.

Why do phishing attacks target schools specifically?

Schools hold large volumes of sensitive data (student records, Social Security numbers, health information, financial records) while typically operating with limited IT budgets and staff. The culture of trust and openness in education makes staff more likely to respond to requests from apparent authority figures without verification. Attackers know that district staff are time-pressured and that many schools lack dedicated security teams to catch compromises quickly.

‍

See which of these scenarios your staff would recognize today. Run your free phishing assessment in 15 minutes, with no commitment and no credit card.

‍