In May 2018, a 16 year old sophomore from the Mount Diablo Unified School District in Concord, California was arrested when it was discovered that he was behind a (successful!) phishing scam. What may have started as a prank, ended with armed police officers and the Secret Service breaking down the door to the student’s home to search the property and make the arrest.

The student created phishing emails containing a link to a falsified student grading portal. The email was sent to teachers, and at least one inputted their login and password. Once the student had the teacher’s credentials, he used the information to log in and manipulate grades in the authentic portal. Grades of 10-15 students were changed.

According to the student, it took just five minutes to set up the scam. “It was like stealing candy from a baby,” he said. The scam was discovered when an IT staff member found the phishing email in a spam folder. The staff member questioned teachers about the email and one admitted to opening it.

Phishing scams are becoming more and more prevalent. It is a low-tech scheme that manipulates users rather than technology. Remember: it only takes one person to make a mistake, one set of credentials, to unlock the network. This time it was a student changing grades, next time it could be a criminal stealing other sensitive data.

Wonder how your users would handle a phish? Sign up for our free phishing susceptibility test to find out!