Common attack types
These are some of the common attack types that are most likely to affect schools.
Phishing and spear-phishing
Phishing is the most common entry point for attacks on schools. School staff, students or other network users receive emails impersonating HMRC, DfE, Ofsted or cloud platforms. These emails are used to steal credentials or deliver malware. Spear-phishing is the targeted form: the email is written for a named individual (for example, a finance officer) and uses details about the school to appear genuine.
Exposed remote access (RDP/VPN)
Many schools use remote desktop protocol (RDP) or a VPN to connect to the network or to individual machines remotely. Where these services are exposed directly to the internet, particularly with password-only logins and no multi-factor authentication, attackers target them as an entry point that gives direct access to the school network.
Ransomware deployment
Attackers gain access to the network and may wait until a critical or high-pressure moment (for example, exam or results periods) to deploy ransomware. This leaves the network and data unusable until systems are restored or the ransom demand is met.
Attackers may also steal a school’s sensitive data before locking (encrypting) its systems. They then demand money twice: once to unlock the systems and again to stop the stolen data from being published or sold. This puts pressure on the victim to pay even if they can restore their systems from backups.
Supply chain compromise
Attackers target the suppliers that schools depend on, including management information system (MIS) vendors, cloud platforms and managed service providers. By compromising a single supplier, an attack can affect hundreds of schools simultaneously.
Business email compromise
Fraudsters impersonate headteachers, senior staff or suppliers, typically using lookalike domains that differ from the genuine one by a single character. They then persuade or trick staff into authorising fraudulent bank transfers or changing a supplier’s payment details.
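As an added illustration, not part of the original guidance: the following Python script flags sender domains that are within one character edit of a trusted domain, or that match it once common look-alike substitutions (such as "rn" for "m" or "1" for "l") are folded. The trusted domains and From: headers are constructed for the example and do not refer to real organisations.

```python
import re

# Constructed trusted domains for the example (not real organisations).
TRUSTED_DOMAINS = ["exampleacademy.org.uk", "trustedsupplier.co.uk"]

# Character sequences that look alike in many fonts. Applied to both sides
# before comparison, so "exarnple" and "example" fold to the same string.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def sender_domain(from_header):
    """Extract the domain part of a From: header, with or without a display name."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def fold(domain):
    """Normalise a domain so homoglyph swaps compare equal."""
    folded = domain.lower()
    for lookalike, genuine in HOMOGLYPHS:
        folded = folded.replace(lookalike, genuine)
    return folded


def levenshtein(a, b):
    """Edit distance: single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted_domains=TRUSTED_DOMAINS, max_distance=1):
    """Return the trusted domain being imitated, or None if the sender is genuine or unrelated."""
    domain = domain.lower()
    folded = fold(domain)
    for trusted in trusted_domains:
        if domain == trusted.lower():
            return None  # exact match: the genuine domain, not an imitation
        if folded == fold(trusted) or levenshtein(folded, fold(trusted)) <= max_distance:
            return trusted
    return None


def flagged_senders(from_headers, trusted_domains=TRUSTED_DOMAINS):
    """Return (header, imitated trusted domain) for each header that looks like an impersonation."""
    results = []
    for header in from_headers:
        imitated = lookalike_of(sender_domain(header), trusted_domains)
        if imitated:
            results.append((header, imitated))
    return results


# Constructed From: headers for the example.
SAMPLE_HEADERS = [
    "Head Teacher <head@exampleacademy.org.uk>",    # genuine domain
    "Head Teacher <head@exarnpleacademy.org.uk>",   # "rn" in place of "m"
    "Accounts <accounts@trustedsuppliers.co.uk>",   # one extra letter
    "Finance <finance@examp1eacademy.org.uk>",      # "1" in place of "l"
    "Parent <someone@gmail.com>",                   # unrelated, not flagged
]

if __name__ == "__main__":
    for header, imitated in flagged_senders(SAMPLE_HEADERS):
        print(f"SUSPECT {header!r} imitates {imitated}")
```

Treat a hit as a prompt for a call-back to the supplier or headteacher on a known number, not as proof of fraud: a legitimate domain can sit within one edit of another. Any change to bank details should be verified out of band regardless of what the email says.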
Credential stuffing
Attackers use automated tools to try to log in with username and password pairs leaked in breaches of other services, relying on people reusing the same password across accounts. They particularly target Microsoft 365 and Google Workspace accounts.
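Added example, not from the original guidance: the following Python script shows the sign-in pattern that distinguishes credential stuffing from an ordinary forgotten password, namely one source address attempting many different accounts in a short window, with any success marking an account whose reused password worked. The log lines, addresses and thresholds are constructed for the example; real Microsoft 365 or Google Workspace sign-in logs use their own field layouts and would need a matching parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records for the example (TEST-NET addresses, made-up accounts):
# timestamp, source IP, account, result.
SAMPLE_LOG = """\
2024-03-04T08:00:01Z 203.0.113.7 a.smith@example.sch.uk FAILURE
2024-03-04T08:00:03Z 203.0.113.7 b.jones@example.sch.uk FAILURE
2024-03-04T08:00:05Z 203.0.113.7 c.patel@example.sch.uk FAILURE
2024-03-04T08:00:06Z 198.51.100.20 office@example.sch.uk FAILURE
2024-03-04T08:00:08Z 203.0.113.7 d.khan@example.sch.uk FAILURE
2024-03-04T08:00:10Z 203.0.113.7 e.brown@example.sch.uk SUCCESS
2024-03-04T08:00:12Z 203.0.113.7 f.wilson@example.sch.uk FAILURE
2024-03-04T08:00:20Z 198.51.100.20 office@example.sch.uk SUCCESS
2024-03-04T08:00:25Z 203.0.113.7 g.taylor@example.sch.uk FAILURE
"""


def parse_log(text):
    """Parse the simple space-separated format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "account": account.lower(),
            "result": result,
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that try at least min_accounts distinct accounts within one window.

    A forgotten password produces repeated attempts on ONE account (the office@ user
    below); credential stuffing produces one or two attempts on MANY accounts, because
    the attacker is replaying leaked username/password pairs rather than guessing.
    The window and threshold are assumed values to tune for the school's own traffic.
    """
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    findings = []
    for ip, ip_events in by_ip.items():
        ip_events.sort(key=lambda e: e["time"])
        most_accounts = 0
        start = 0
        for end in range(len(ip_events)):
            # Advance the window start until the oldest event fits within `window` of the newest.
            while ip_events[end]["time"] - ip_events[start]["time"] > window:
                start += 1
            distinct = {e["account"] for e in ip_events[start:end + 1]}
            most_accounts = max(most_accounts, len(distinct))
        if most_accounts >= min_accounts:
            findings.append({
                "ip": ip,
                "distinct_accounts": most_accounts,
                "attempts": len(ip_events),
                # Successful logins from a stuffing source are the accounts whose reused
                # password worked: reset these first and revoke their active sessions.
                "successful_accounts": sorted(
                    {e["account"] for e in ip_events if e["result"] == "SUCCESS"}
                ),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_credential_stuffing(parse_log(SAMPLE_LOG)):
        print(f"{finding['ip']}: {finding['distinct_accounts']} accounts in "
              f"{finding['attempts']} attempts; successes: "
              f"{finding['successful_accounts'] or 'none'}")
```

In the sample, 203.0.113.7 touches seven accounts in under half a minute and is flagged, with e.brown listed as the account to reset; 198.51.100.20 fails twice on one account and then succeeds, which is the ordinary forgotten-password pattern and is not flagged. Counting distinct accounts per source rather than failures per account is what keeps the two apart.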
Unpatched vulnerabilities
Attackers target known, published vulnerabilities (CVEs) in VPN products, firewalls and web-facing applications, often within days of a fix being released. Legacy (“end of life”) operating systems, which no longer receive security updates, are common in schools that may not have the budget for more modern, supported systems.
Internet of Things (IoT) and physical system attacks
CCTV, door access control and building management systems are increasingly connected to the school network but are often poorly secured. Unchanged default usernames and passwords are easily guessed, and a compromised device of this kind can be used as a route into the main IT network.