Another fun week working in the world of educational IT support and this week we have seen a rise in phishing emails circulating school accounts once again.

So what is a phishing attack and how can you spot them?

Phishing is when attackers attempt to trick users into doing ‘the wrong thing’, such as clicking a bad link that will download malware, or direct them to a dodgy website.


The most common form of a phishing attack towards schools is via email. With every piece of information being communicated via online systems, these become a hot spot for attacks to target and infiltrate. Over the past few weeks we have seen a rise in phishing emails which on the surface could seem legitimate but underneath could house the power to access your network and do some serious damage.

The most recent type of phishing email that we currently see is one which is from a company regarding remittance advice. Now for some school staff this isn’t out of the ordinary as companies will often send this from time to time especially to school business managers and finance teams.

The email will arrive in the users inbox with a subject something along this lines of ‘advice for payment xyz’. In the main body of the email there will be some standard payment making information, please allow a certain timespan for the payment to reach our accounts etc. Then there’s the attachment, normally this will contain which normally shows the invoices to date and the total costings. However with a phishing email, this pdf document contains html scripting to display what looks to be a standard Microsoft 365 login page, already pre-populated with the users email address.

So this is the part where the phishing takes place. Behind this what looks to be a normally login page for Microsoft is some special scripting which starts listening as soon as the document is open. It can send the attacker information like your IP address, network information, what kind of PC/laptop you are using and sometimes what security features are active. That all takes place in a matter of seconds and without the end user knowing anything is going on, this is even before the main phishing act takes place. Once the user enters their email password into this login page, that information is also sent directly to the attackers.

Now you’re probably thinking, it’s nothing I’m sure I could tell the difference between both of them.

Well let’s test that, below are two Microsoft login pages. Which one is real and which one is fake?

I have changed the email address to every schools favourite user jbloggs

Now, if you selected option 2 then you got it correct. The modern day attackers understand that everyone who lives in the new digital world day in day out now the core construction of certain pages. Being able to mimic these as closely as possible means that unless you have a keen eye for detail, you could just open this page up and see that it looks like a Microsoft login page and then input your details.

As soon as that happens, they have access to everything they need. According to statistics, over 51% of people use the same passwords for both work and personal accounts, with most of these people probably using the same passwords for multiple accounts at work. With this percentage being so high, attackers hope that Mr Bloggs will have the same password set for both his email account and the school MIS system making this a huge win for the attackers and if it goes to plan, a huge GDPR problem for the school.

Now, I’m not saying that every email you receive from a company for remittance advice is going to be a spam email but it’s always worth checking before opening and entering information. In most cases, the attackers will change the display name to look like a company that you would use but actually the email behind is something completely different. You can normally check these by hovering over the email name to display the full information.

Remember, If in doubt, call it out!

If you are ever unsure of an email or you think something isn’t right, speak with your IT team/support to look into it further. You can also report phishing emails via the National Cyber Security Centre website and I have included some useful links below.

Phishing is on the upward scale again and we need to ensure that all staff understand what to look out for and how they too can stop phishing from taking place.

Now it’s not just phishing emails that schools need to be aware of, along with cold calling and phishing text messages. There are loads of ways to gain access to information if someone is willing enough to spend the time to do it and unfortunately there are people out there that have that time.

Always keep your eyes and ears open and if there is anything you are unsure of. Call it out or remove yourself from the situation and contact the company using the information you already have. Hopefully it is really them and you have just been over careful but you can never be too sure.

For more support on phishing or for training please email

Want to recommend a resource or guidance? Email me at