Phishing Scams Spreading at Schools — How to stay safe (Part 2 of 2)

Part two: How to Spot (and Stop) Phishing Emails

Phishing scams are hitting schools like ours more often. These emails may look real, but their goal is always the same: to steal your password, take over your account, or even trick you into sending money. Here’s what to look for — and what to do if you get caught.

How the Scam Works

  • 📧 You get an email that looks like it’s from a school leader, board member, or colleague.

  • ⚠️ The message pushes you to review or sign a document right away.

  • 🔗 The link takes you to a fake login page made to look like Google, Dropbox, or another trusted site.

  • 🔑 If you enter your password (and even a one-time-use or “multi-factor” code), the criminal now has control of your account — sometimes instantly.

Red Flags to Watch For

  • 👤 Sender — Do you recognize them? Were you expecting this email?

  • ⚠️ Urgency/Authority — Messages that say “Sign this right now” or claim the Head of School “needs this today.”

  • 🔗 Links — Hover before you click. Fake links often have random characters or strange domains.

  • ✍️ Odd formatting — Poor grammar, unusual fonts, or structure that feels off.

Examples of Recent Scams:

Step 1 — The Fake Email
You get a message that looks like it’s from a leader or colleague. It asks you to “Review Document” or take urgent action.

👉 Red flags: Unexpected sender, urgent tone, and a button that hides the true link.


Step 2 — The Fake Login Flow
Clicking the link takes you to a site that feels “normal” — you may even see a captcha screen first. Then you land on what looks exactly like the Google login page.

The phishing scam will then continue to a fake captcha challenge.

Step 3 — The Compromise

If you type your email, password, and code, the attacker now has your credentials. You might even be passed back to a real Google page, so nothing seems wrong.

👉 What’s really happening: The criminal is signing into your account at the same time, right after you see the fake “Welcome” page.

Behind the scenes:
If all fields are entered correctly, the account has been compromised. The attacker records your credentials, then forwards them to Google. You end up back on the real Google site — but within a minute, the attacker is also logged in to your account on their device.


Spotting Phishy Behavior (Quick Checklist)

In the email itself

  • 👤 Sender: Do you know them? Were you expecting this?

  • ⚠️ Urgency/Authority: Pressure to act immediately (e.g., “needs this today”)

  • 🔗 Links: Hover first; check if the address matches what it claims

  • ✍️ Weird formatting: Strange fonts, grammar errors, or layout that feels off

On the web page (if you clicked)

  • 🧭 Page title: Does the tab title make sense, or is it vague/nonsense?

  • 🌐 URL/domain: Real services use familiar domains; look-alikes often contain random characters

  • 🧩 Captcha/redirect oddities: “Redirects” or captcha screens that don’t look like the real service

Rule of thumb: If anything feels off, don’t click and don’t enter credentials. Report it right away.


🆘 If You Already Clicked

Don’t panic — and don’t be embarrassed. These scams are designed to fool even careful people. Act quickly:

  1. 📞 Contact your IT support team immediately — they can reset your account and stop further damage.

  2. 🛑 Close the suspicious page and stop using the link.

  3. 📝 Tell support what happened — when you clicked, what you entered, and what you saw. This helps protect your account faster.

⚠️ Why This Matters

When criminals succeed, the damage can spread quickly:

  • 💰 Money — stolen cards, bank access, intercepted payments; sometimes even ransomware.

  • 🤫 Passwords & data — stolen login credentials and access to sensitive records.

  • ✉️ Forwarding the attack — your account can be used to target colleagues, friends, and family.

By spotting phishing emails, you’re protecting yourself and your whole community.

📣 How to Report Phishing

  • 🐟 Use the “PhishER” fish hook in your mail toolbar (if available)

  • ✉️ Forward the message to your school’s IT support team (include full headers if possible)

  • 📞 Call your IT support or OunceIT directly

Tip: When in doubt, report it. It’s always better to check a false alarm than respond to a compromise.

🙋 Need Help?

For questions, concerns, or proactive training:

  • Contact your school’s IT support team

  • Or reach out to OunceIT directly!

Phishing Scams Spreading at Schools — How to stay safe (Part 1 of 2)

Many other schools are currently being targeted by phishing scams that are spreading quickly. These emails look real — often pretending to be from the Head of School, CFO, Board Member, or even from a compromised colleague’s account. No matter the source, the goal is the same: to steal passwords, money, or sensitive data. Protecting yourself also protects the entire school community.

Criminals ramp up these attacks during busy times like the start of school, and we’re already seeing a rise in successful attempts. Here’s how to spot them, and how to react, before it’s too late:

✅ Three Quick Checks Before You Click

  • 👤 Sender: Do you know them? Were you expecting this email?

  • ⚠️ Urgency: Does it demand immediate action or sound unusual?

  • 🔗 Links: Hover before you click. Does the address look right?

🚫 If Something Feels Off

  • ⚠️ Don’t click: Don’t reply, don’t follow links, don’t open attachments, don’t enter your username, password, or one-time code.

  • 👤 Contact and confirm: Call or text the sender at a known good number (don’t reply to the email — the account may already be compromised).

  • 🗣️‼️ Report it: Leverage your school’s system for reporting phishing emails (e.g. click the “PhishER” fish hook if you have one) or forward the email to support.

🆘 If You Already Clicked

Contact OunceIT or your school’s IT support immediately. We will help secure your account. There’s no shame in reporting it quickly; these scams are designed to fool even careful people.

⚠️ The Risk if Scammers Succeed

  • 💰 Money: Phishers (criminals!) will swipe your credit card number, gain access to your bank account, or intercept a payment or money transfer. They may even be able to extort you or the school by ransoming your data! 

  • 🤫 Passwords and sensitive info: Phishers (criminals!) will obtain your passwords and access additional accounts, including accounts with sensitive information and financial records.

  • ✉️ Forward the attack: Phishers (criminals!) will use your email account to attack your contacts, including co-workers, friends, and family.

Please continue on to Part Two of this two-part post to see some specific examples of phishing emails that are currently circulating. Remember, criminals who are making these phishing attempts are improving daily, and their attempts are getting more insidious and difficult to identify!