“I was checking my bank account and from the $40 that I had originally had, $3,000 was taken out,” an anonymous student from TIDE Academy said.
Phishing emails to district accounts are not new, but their frequency appears to have ramped up in recent months. These emails, sent through hacked SUHSD staff member accounts, most often offer paid internships or remote job opportunities with the District.
The trailing “seq.org” at the end of the senders’ emails makes students even more vulnerable to these scams. “I trusted it. Before I opened [the email], I did research on who the person was, and it showed that it was someone in the District,” the TIDE student said.
Currently, the District relies on a software program that detects scams and automatically deletes them from all users’ inboxes. However, this system is faulty, as some fraudulent emails aren’t deleted until days after students have already seen them, while others have yet to be deleted at all.
There has been no communication sent to students from the District addressing these scams.
Students’ inexperience with independent financial accounts uniquely exposes them to long-term financial consequences. As the SUHSD domain owner, the District has a responsibility to educate students about cybersecurity and warn them of phishing emails as soon as they are sent out. Students, who are required to use District-issued emails, shouldn’t have to detect these threats on their own, especially when disguised as their own educators. An immediate alert could prevent students from becoming victims of these scams and protect their digital and financial safety.
Once students have fallen victim to the scams, the damage is difficult to undo.
After noticing the large amount withdrawn from her account, the TIDE student reached out to her bank following advice from school staff, but was told the transaction couldn’t be reimbursed because she had voluntarily shared her banking information with the scammer.
“[The police] would say the same thing: ‘There’s nothing really we can do anymore,’” she said.
She and her family picked up extra work to compensate for the lost money. “[My dad] put in more hours so he could help pay for it. And my mom used to work from 7 a.m. to 2 p.m., and once that happened, she would work the full day so she could try and get a higher paycheck,” she said. “There was an internship at my school during the summer, so I joined it so I could get $1,000.”
The TIDE student wasn’t alone. An anonymous M-A senior also followed up on an email that offered an assistant job position.
“Your task and duties are to track and disburse each charity organisation’s fundamental contributions on behalf of the Feed the Children organization.” It continued, “[You will] be part of the great team working towards a better future for the less privileged, the motherless kids, and the growth of the community…Are you familiar with mobile check deposit?”
They proceeded to tell her that they’d send her an image of a check that she needed to deposit into her bank account. This kind of offer—where the target is given fraudulent money to donate back to the scammers—is a common scam known as a money mule scam, attempting to exploit a person’s good nature while making them an accomplice to a crime.
Once she realized the interactions were suspicious, she severed ties. While she was able to cut contact relatively early, others were not so lucky. An anonymous M-A sophomore fell victim to the same type of scam.
“It took me to a Google form, and I filled everything out. They started texting me, and I was like, ‘Oh, this is actually legit,’” she said.
After she provided her information through the form, the scammers deposited a $1,000 check into her bank account, also asking her to donate the money to charity. Shortly after, Wells Fargo flagged the check as forged. “I was banned from ever opening a debit card with them again,” she said.
The District is frequently faced with scam emails and other outside threats to its technology systems, according to SUHSD Network Specialist Cuauhtémoc Martínez. “This happens on a daily basis everywhere in the United States,” he said. “The thing about these types of infections is that they start off very small and escalate exponentially. So as soon as we realized that, we did our due diligence on our end.”
Martínez and his team periodically send out safety tips called Tech Tuesdays that educate teachers about cybersecurity, since they are more often the targets of hackers. However, these efforts fall short for students. While staff receive warnings of phishing scams, password security, and the risks of being hacked, none of this information reaches students, who are even more vulnerable to the same threats.
It is imperative that the District take action to protect its students. Straightforward measures like scam prevention lessons and scam warning notifications for students can shield them from long-term financial consequences.
To learn more about cybersecurity, visit America’s Cyber Defense Agency’s website.
Anna Dearing, Alessandra Hartwig, and Amari Witt were the lead authors of this article.
