A146 - Targeted Phishing Procedure
DATE: August 27, 2019
FROM: Technology Department (Approved by Superintendent Larry Bergeson)
REGARDING: Targeted Phishing Procedure
Targeted phishing, a form of social engineering, has become more common, and the School District is frequently a target of these scams. These come in the form of emails and phone calls that impersonate district officials, a supervisor/principal, and companies the school district does business with. Many of these attempts have been extremely convincing.
The first rule of preventing a social engineering attack is to validate any request for sensitive/protected information and/or money. Basically, the first task when receiving a request for data or money is to contact the person the request claims to come from, over the phone or in person. It is crucial, however, that we initiate this phone call using a number that we already had on record before the communication that led to the request started. If a person calls you, or provides an alternate number at which to contact them, this does nothing for validation.
If you receive communication via email or phone call requesting money or data:
1. End the current conversation.
   - If a phone call, end the phone call and let them know you will call them back.
   - If an email, do not respond.

   THEY WILL LIKELY ATTEMPT TO KEEP YOU FROM ENDING THE CONVERSATION USING TACTICS THAT WILL PLAY INTO YOUR EMOTIONS.
   For example: They may state that their number has changed, or that they do not have their normal phone available at the moment. They may even convince you that your job, or their job, is in jeopardy.
   DO NOT GIVE IN.
2. Look up their contact information in the District’s records. Do not use the contact information they provided to you as part of this request.
3. Call them on the phone using the contact information located from step 2 and validate the request for data or money.
4. Once the request has been validated, follow all additional District & State Procedures to either accept or deny the request.