SHP students suddenly lost access to their email after a phishing attack spread through hundreds of accounts on January 8 at 9:30 p.m. The day after the attack, impacted students and faculty found their email passwords changed and the emails deleted from their inboxes. The phishing email was disguised as a party invitation that would trick users into either visiting a fraudulent website and entering login information or downloading a Windows file. When users clicked the link, the email would be resent from their compromised accounts.
“It was over 300 people that actually clicked on it, between faculty, staff and students,” says Mr. Sarn Saechao, Senior Systems Administrator at SHP. If someone clicked the link but did not interact further, the risk was minimal, and only about five total accounts (faculty and staff) were fully compromised. The tech team at the Prep worked incredibly hard that evening to prevent further propagation of the email. As Dr. Lopez, Chief Technology Officer at SHP, describes, “Mr. Saechao was up all night long… What he had to do was find out every person who had clicked on it. He changed every one of those passwords… deleted all of those Paperless Post emails… reset everybody’s cookies… and printed out all of those passwords for every single student.”
While rare, these successful attacks are taken very seriously. As Mr. Saechao describes, “there is a form. It’s called an IC3, and it’s a form that you fill out whenever anything like this happens to let them know that an incident like this has happened… We also fill out a form with the FBI… Paperless Post knew about it as well. You want to inform people so it doesn’t happen at other schools.”
The immediate visible impact was propagation, but the broader risk was that downloaded malware could enable remote-control access. “Have you ever been to a website where you’re trying to access it but you couldn’t because the website takes forever to load? … DDoS attacks are where someone gets all these computers and they try to access the same website all at once, it utilizes all the resources so no one can access it.”
Although this was the most significant incident this year, phishing attempts are far from rare. In fact, the school has received around 15,000 phishing email attempts since the start of the school year. What most students don’t realize is that the cybersecurity protection at SHP is a thorough, layered system that keeps students safe from internet attacks. The system involves email filtering, an AI-based secure email gateway, endpoint protection (CrowdStrike), network monitoring, multi-factor authentication (where applicable), incident response procedures, and cyber liability insurance.
Additionally, faculty go through quarterly phishing simulations, and users who fail the test are required to complete additional training. The phishing attack in January originated from an account associated with the phishing simulations, allowing it to bypass cybersecurity measures.
As Dr. Lopez explained, “It really does come down to the end user. We just have to be really good and really diligent when we look at them.” The attack relied on social engineering, not breaking through the school’s network. “Unfortunately, the sad reality is that phishing is pretty much standard now [and] they’re just getting more and more sophisticated.” It’s important to stay vigilant in an increasingly online world: “The first thing to think of is to pause first… You can hover over the links and see if they’re actually real. If it asks you to do unexpected things, like entering your school email and entering your password, or downloading something that’s abnormal… that should kind of send up that spidey sense.”
