Last updated on January 30, 2025 at 02:38 pm

We’re aware of a phishing scam circulating via email in some schools.

The phishing email is crafted to appear legitimate: it is sent from legitimate email addresses of schools and other New Zealand organisations, and includes school logos and email signatures.

The email contains a link to an invoice and a request to view it. If the link is clicked, the user sees a web page (in the cases we’ve investigated, a Microsoft Forms or Mailchimp page) with further links to open the invoice document. These links lead to a phishing site that looks like a Microsoft login page; if the user enters their login credentials, the malicious actor gains unauthorised access to them.

We’re currently monitoring the situation and blocking any new phishing links and emails as we see them. We’ll provide a further update when we can.

What you can do

  • Let your staff and students know that this phishing campaign is circulating, and educate them on how to spot phishing emails and the dangers they pose – we’ve prepared a blog on this here.
  • Work with your IT team / provider to enable two-factor authentication on your school user accounts.
  • N4L’s fully funded Email Protection service can help protect against some of these phishing emails. If your school isn’t currently using it but is interested in doing so, reach out to your School Relationship Manager.