Phishing Scams Spreading at Schools — How to stay safe (Part 2 of 2)

Part two: How to Spot (and Stop) Phishing Emails

Phishing scams are hitting schools like ours more often. These emails may look real, but their goal is always the same: to steal your password, take over your account, or even trick you into sending money. Here’s what to look for — and what to do if you get caught.

How the Scam Works

  • 📧 You get an email that looks like it’s from a school leader, board member, or colleague.

  • ⚠️ The message pushes you to review or sign a document right away.

  • 🔗 The link takes you to a fake login page made to look like Google, Dropbox, or another trusted site.

  • 🔑 If you enter your password (and even a one-time-use or “multi-factor” code), the criminal now has control of your account — sometimes instantly.

Red Flags to Watch For

  • 👤 Sender — Do you recognize them? Were you expecting this email?

  • ⚠️ Urgency/Authority — Messages that say “Sign this right now” or claim the Head of School “needs this today.”

  • 🔗 Links — Hover before you click. Fake links often have random characters or strange domains.

  • ✍️ Odd formatting — Poor grammar, unusual fonts, or structure that feels off.

Examples of Recent Scams:

Step 1 — The Fake Email
You get a message that looks like it’s from a leader or colleague. It asks you to “Review Document” or take urgent action.

👉 Red flags: Unexpected sender, urgent tone, and a button that hides the true link.


Step 2 — The Fake Login Flow
Clicking the link takes you to a site that feels “normal” — you may even see a captcha screen first. Then you land on what looks exactly like the Google login page.

The phishing scam then continues to a fake captcha challenge.

Step 3 — The Compromise

If you type your email, password, and code, the attacker now has your credentials. You might even be passed back to a real Google page, so nothing seems wrong.

👉 What’s really happening: The criminal is signing into your account at the same time, right after you see the fake “Welcome” page.

Behind the scenes:
If all fields are entered correctly, the account has been compromised. The attacker records your credentials, then forwards them to Google. You end up back on the real Google site — but within a minute, the attacker is also logged in to your account on their device.


Spotting Phishy Behavior (Quick Checklist)

In the email itself

  • 👤 Sender: Do you know them? Were you expecting this?

  • ⚠️ Urgency/Authority: Pressure to act immediately (e.g., “needs this today”)

  • 🔗 Links: Hover first; check if the address matches what it claims

  • ✍️ Weird formatting: Strange fonts, grammar errors, or layout that feels off

On the web page (if you clicked)

  • 🧭 Page title: Does the tab title make sense, or is it vague/nonsense?

  • 🌐 URL/domain: Real services use familiar domains; look-alikes often contain random characters

  • 🧩 Captcha/redirect oddities: “Redirects” or captcha screens that don’t look like the real service

Rule of thumb: If anything feels off, don’t click and don’t enter credentials. Report it right away.


🆘 If You Already Clicked

Don’t panic — and don’t be embarrassed. These scams are designed to fool even careful people. Act quickly:

  1. 📞 Contact your IT support team immediately — they can reset your account and stop further damage.

  2. 🛑 Close the suspicious page and stop using the link.

  3. 📝 Tell support what happened — when you clicked, what you entered, and what you saw. This helps protect your account faster.

⚠️ Why This Matters

When criminals succeed, the damage can spread quickly:

  • 💰 Money — stolen cards, bank access, intercepted payments; sometimes even ransomware.

  • 🤫 Passwords & data — stolen login credentials and access to sensitive records.

  • ✉️ Forwarding the attack — your account can be used to target colleagues, friends, and family.

By spotting phishing emails, you’re protecting yourself and your whole community.

📣 How to Report Phishing

  • 🐟 Use the “PhishER” fish hook in your mail toolbar (if available)

  • ✉️ Forward the message to your school’s IT support team (include full headers if possible)

  • 📞 Call your IT support or OunceIT directly

Tip: When in doubt, report it. It’s always better to check a false alarm than respond to a compromise.

🙋 Need Help?

For questions, concerns, or proactive training:

  • Contact your school’s IT support team

  • Or reach out to OunceIT directly!