The Kansas Bureau of Investigation confirms it is investigating an email scam that targeted several school districts in the state.
“The KBI is investigating a business email compromise that affected some school districts in Kansas,” KBI Public Affairs Director Melissa Underwood said. “The Kansas State Department of Education was made aware of the recent incidents and notified school districts statewide so they could be on high alert and take steps to prevent similar compromises.”
Sources tell The Sentinel that scammers are attempting to access personal and district financial information, including payroll and bank accounts, and at least one district has been compromised.
The Sentinel is not naming districts or individuals to avoid interfering with the investigation.
This is not the first data breach for Kansas Schools. In late 2024, a massive, nationwide breach occurred in the PowerSchool system that many districts use to track grades, enrollment, and other information.
That breach affected 50 million students across the country.
The breach apparently began on Dec. 19, 2024, and ended nine days later on Dec. 28. Hackers appear to have used a PowerSchool remote support tool to access the data of an unknown number of districts.
PowerSchool Holdings Inc. serves over 60 million students and 18,000 customers in almost 100 countries around the world.
“As soon as we learned of the incident, we immediately engaged our cybersecurity response protocols and mobilized a cross-functional response team, including senior leadership and third-party cybersecurity experts,” the company said in a statement at the time.
Industry publication TechCrunch reported that the breach involved a significant amount of student information.
“PowerSchool hasn’t said how many of its school customers are affected,” TechCrunch reported. “However, two sources at affected school districts — who asked not to be named — told TechCrunch that the hackers accessed troves of personal data belonging to both current and former students and teachers.
There are simple things that can be done to mitigate email scam risks
The Sentinel contacted KSDE to request the communication the department sent to districts and any security recommendations. KSDE Communications Director Denise Kahler responded, directing The Sentinel to file a request under the Kansas Open Records Act, which can sometimes take weeks to be fufilled. KSDE’s lack of cooperation is disappointing (although not surprising).
According to the National Cybersecurity Alliance, Business Email Compromise is a “specific, nasty type of cyberattack that targets businesses of all sizes.”
At a basic level, BEC is a type of cybercrime in which scammers use email to trick someone into sending money or divulging confidential company information. The cybercriminal spoofs a person or organization the target knows, such as a supplier, and asks for payment of a fake invoice, sensitive company information, or other data they can profit from. Cybercriminals can even use BEC to spread malware within an organization’s network by convincing employees to click a fake link or download a malicious attachment.
BEC attacks are increasing, especially as many organizations have employees working from home or in a hybrid work scenario in the wake of the COVID-19 pandemic. According to a recent report from software company Fortra, nearly a quarter of emails delivered to corporate inboxes in the first few months of 2023 were deemed “untrustworthy or malicious.” While ransomware receives much of the attention, BEC is a significant cybersecurity issue for companies as well.
According to JPMorgan Chase, email phishing and similar attacks are fairly common and easy to spot if you look.
“Some of the most common methods are look-alike domains and spoofing—creating fake websites and emails that are almost identical to real ones,” the company says on its website. “Scammers want you to believe you’re on a trusted site or communicating with a trusted source so that you’ll click a malicious link or provide your login information. Their goal is to get you to enter your username and password, giving them access to your actual account — this is known as account takeover.”
One of the things to look for is a tiny change in a website address, like these examples:
- Removing a character: changing access.jpmorgan.com to access.jpmorgn.com
- Changing the top-level domain: changing access.jpmorgan.com to access.jpmorgan.co
- Changing a character: modifying access.jpmorgan.com to access.jpmorqan.com
- Adding a character: changing access.jpmorgan.com to access.jpmorgans.com
In the current case involving Kansas schools, it appears that email spoofing has allowed the hackers to gain access.
Scammers also use email spoofing, a technique in which they send emails that appear to be from a trusted source, such as J.P. Morgan or someone you know. These emails often:
- Use addresses that look almost right, but contain small character swaps or misspellings
- Ask you to click a link or open an attachment
- Create urgency with messages like “Your account is locked” or “Urgent action needed!”
NCA also says it is important to do things like enable Multi Factor Authentication, make sure software is up to date and always verify the sender of any email.
