If you had problems trying to get in touch with the Burnaby school district via email over the last couple months, you’re not alone.
As many as 150 Burnaby school district staff email accounts were hijacked by scammers in November and December, according to district secretary-treasurer Greg Frank, wreaking havoc with the district’s online communication with the outside world.
Frank said the staff email account holders fell prey to phishing scammers, who tricked them into revealing their passwords.
The fraudsters then used the contact lists of the hijacked email accounts to perpetuate the trick, sending out as many as a thousand fake emails an hour from each hijacked account.
“That gets flagged pretty quickly by the large service providers and email providers out there,” said school district information technology services manager Ken Kiewitz.
Many of those providers promptly blocked the district, crippling the district’s online communication with parents and others outside the district system.
“These things are always there as a nuisance; however, it became more than a nuisance for us part way through November and through December,” Frank said. “People rely on that level of communication as an organization out to parents and others out there, so it became more than a nuisance. It was an operational problem for us.”
Kiewitz said each of the compromised accounts was shut down within about an hour of being reported.
To stop more staff from falling for the scam, Frank said the district launched a district-wide education program.
“We’ve actually done presentation to all of our staff to make sure that they’re aware of this, that they are watching closely what attachments they’re opening, what information they’re providing,” he said.
The district also started filtering external email in mid-December, only removing the filter early this week.
“That was just in an effort to be able to be recognized as having addressed this issue by these large ISP (internet service providers) so that we could get back in their good books,” Kiewitz said.
The scammers would have had access to email account content, like contact lists and emails between teachers and parents, according to Kiewitz, but the district isn’t worried about the privacy breach.
“They’re not interested in those pieces,” Kiewitz said. “Their only interest in the information is to try and present themselves to be as legitimate as possible to the end user. That way they can attempt to dupe a greater number of individuals by appearing to be more legitimate.”
The goal of scammers who hijacked the district accounts in November and December isn’t clear, according to Kiewitz, but such fraudsters are usually after money – sometimes tricking account holders into sending wire transfers, sometimes taking over computers and demanding a ransom.
Neither of those happened in Burnaby, according to Frank.
“We don’t know if this is simply mischief; we don’t know if there was a bigger plan in behind it or not,” he said.