The Google Admin Bootcamp

Protecting students from phishing attacks

October 7, 2025 by John R. Sowash

Lately there seems to be an uptick in phishing attacks targeting schools, specifically students. This is a troubling trend because less-experienced users, like students, aren’t as quick to identify a suspicious Google Form or document-sharing link. To further complicate things, Two-Factor Authentication (2FA) isn’t a realistic option for most students.

One of the districts that I support asked for some additional help in blocking and securing student email. Here are five things that we did to protect their domain. 

An example of a phishing email targeting students

1. Confirm Your Email Security Essentials

Think of DKIM, SPF, and DMARC as your email’s secret handshake. They verify that the email is actually coming from your school’s domain and hasn’t been faked. Getting this right prevents hackers from pretending to be one of your staff or system accounts. This is an essential first step to protecting your domain.

You can use a free tool like Dmarcian to check if these security policies are configured correctly. I wrote an extensive blog post that will help you understand and configure these settings for your domain.


2. Disable or limit Gmail for younger students

If an account doesn’t need to send or receive email, it shouldn’t have Gmail turned on. Fewer mailboxes mean fewer targets for hackers!

  • This is a great idea for your younger students (like K-2) who might not need email yet.
  • You can easily disable the Gmail service just for those specific Organizational Units (OUs), significantly reducing their risk exposure.
  • You can also configure limited email access for upper elementary and middle school students. The most common configuration is to limit their email use to internal users only. This will prevent outside attackers from targeting younger students, while allowing communication with teachers and fellow students.

3. Boost SPAM and Phishing Protection for Students

By default, Google has good protection, but you can crank it up, especially for your student OUs, to catch sophisticated attacks that may fool an inexperienced user.

  • Visit the “Safety” section within the Gmail policies and enable the advanced features for spoofing and authentication (Apps > Google Workspace > Settings for Gmail > Safety).
  • Enable “enhanced pre-delivery message scanning.” This adds an extra check for suspicious mail before it hits the inbox (Apps > Google Workspace > Settings for Gmail > Spam, Phishing and Malware).

These more aggressive spam and phishing rules WILL trigger false positives. You will need to occasionally review the email quarantine to release messages that were accidentally marked as suspicious.

Admin Console Path: Apps > Google Workspace > Settings for Gmail > Safety

4. Block External Google Forms for Students

Phishing often starts with a scary email that tricks a user into filling out a Google Form to “verify their account” or “update their password.” Students are often tricked by this common tactic.

  • You can apply a policy to your student OUs that disables the ability to fill out external Google Forms.
  • This simple step removes a huge vector for phishing attacks that target students!

Admin Path: Apps > Google Workspace > Settings for Drive and Docs > Sharing settings

5. (EDU Plus) Use Context-Aware Access to Block Out-of-Country Logins

If you have a Google Workspace for Education Plus license, you have access to a powerful tool called Context-Aware Access. This can shut down compromised accounts the minute they try to access your data from a suspicious location.

  • The idea: A hacker who steals a student’s credentials will likely try to use that account from a location far away, often in a different country.
  • The fix: Create a policy that only allows logins for core apps (like Gmail and Drive) from the United States (or your country).
  • This means that even if a phishing attempt succeeds and a student account is compromised overseas, the hacker will be immediately blocked from accessing your domain’s apps. This is a crucial, non-2FA security layer!

Unfortunately, students are increasingly becoming the target of phishing attacks. The goal of these attacks is to eventually compromise a staff or administrator account with elevated admin access, putting your entire domain at risk. 

If you need a hand with your domain security, get in touch! We can discuss a Google Admin Audit or a special support contract to help elevate your domain security.
