2025-10-17

Maximus Kwan

Alfredo Cornejo, the Site Technology Manager at Carlmont, assists a student with tech difficulties. According to Cornejo, phishers can exploit a compromised staff member’s account to solicit personal data from students via the staff member’s email. “Things like names, addresses — I’ve seen them ask for banking details,” Cornejo said.

He never expected to be locked out of his own computer.

David Weyant, a Carlmont business teacher, was one of two teachers whose accounts were compromised through phishing last April. While he was contacting tech support and regaining access, the attacker sent several emails posing as potential job offers to some of his students in an attempt to phish more information.

“I received an email from the principal who emailed all of us who had our accounts compromised, saying that our accounts were compromised. We would be locked out of our accounts until we reset the password,” Weyant said.

This incident at Carlmont is not an isolated occurrence. According to Jerome Simon, director of technology for the Belmont-Redwood Shores School District, phishing attacks have been on the rise throughout the Bay Area over the past three years, targeting school districts with increasing sophistication.

“We had a lot of phishing attempts and compromised accounts,” Simon said. “They were really big from about December of 2024.”

School district technology administrators have kept pace with the threat, though. After the attacker sent phishing emails from Weyant’s account, Alfredo Cornejo, the site technology manager at Carlmont, warned students not to click on them.

In an official email directed to all students, Cornejo said, “It has been brought to my attention that students may have received an email about a suspicious email about a part-time job opportunity. This is a phishing email and is not real. Please delete the email if you have received it.”

As for Weyant himself, Carlmont’s tech team helped him log back into his account, limiting the time lost to the breach. Afterward, they reminded him to change his passwords frequently.

“They were fantastic because they responded almost instantly,” Weyant said. “They were on it right away.”

Before his account was breached, the school’s technology team had provided Weyant with general information on what to look for in phishing emails. However, even security-minded teachers can fall victim to targeted attacks, especially attacks that use already compromised accounts.

“Someone clicks on a phishing link, and then they get compromised, and it spreads because now that email gets sent from someone they trust,” Cornejo said.
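The spread Cornejo describes leaves a trace a defender can look for in outbound mail logs: one staff account suddenly sending the same message to many students in a short span, as happened when Weyant’s account mailed job-offer lures. The following Python script is an added illustration, not code from the article, Carlmont, or the district; the log format, domain names, thresholds, and lure keyword list are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds and domain names are assumptions for this illustration,
# not values from the article or the district.
STAFF_DOMAIN = "school.example"
STUDENT_DOMAIN = "students.example"
WINDOW = timedelta(minutes=10)   # burst window
MIN_RECIPIENTS = 5               # distinct student recipients needed to alert
# Subject fragments matching the lures the article describes (job offers,
# document-share requests); a match only marks the alert as higher priority.
LURE_KEYWORDS = ("job", "opportunity", "shared", "share")

# Constructed sample mail log (not real data). Assumed format:
# <ISO timestamp> | <sender> | <recipient> | <subject>
SAMPLE_LOG = """\
2025-04-14T08:02:11 | teacher.a@school.example | s01@students.example | Re: homework question
2025-04-14T09:15:03 | teacher.b@school.example | s02@students.example | Part-time job opportunity
2025-04-14T09:15:09 | teacher.b@school.example | s03@students.example | Part-time Job Opportunity
2025-04-14T09:15:14 | teacher.b@school.example | s04@students.example | Part-time job opportunity
2025-04-14T09:15:20 | teacher.b@school.example | s05@students.example | Part-time job opportunity
2025-04-14T09:15:27 | teacher.b@school.example | s06@students.example | Part-time job opportunity
2025-04-14T10:00:00 | teacher.c@school.example | s02@students.example | Grades posted
2025-04-14T10:40:00 | teacher.c@school.example | s03@students.example | Grades posted
2025-04-14T11:20:00 | teacher.c@school.example | s04@students.example | Grades posted
2025-04-14T12:00:00 | teacher.c@school.example | s05@students.example | Grades posted
2025-04-14T12:40:00 | teacher.c@school.example | s06@students.example | Grades posted
"""


def normalize_subject(subject):
    """Lower-case and collapse whitespace so trivial variations group together."""
    return " ".join(subject.lower().split())


def parse_log(text):
    """Parse log lines into (timestamp, sender, recipient, subject) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, sender, rcpt, subject = (p.strip() for p in line.split("|", 3))
        events.append((datetime.fromisoformat(ts), sender.lower(),
                       rcpt.lower(), normalize_subject(subject)))
    events.sort(key=lambda e: e[0])
    return events


def find_bursts(events, window=WINDOW, min_recipients=MIN_RECIPIENTS):
    """Alert when one staff sender mails at least `min_recipients` distinct
    student addresses with the same subject inside `window`.
    Emits at most one alert per (sender, subject) pair."""
    by_key = defaultdict(list)
    for ts, sender, rcpt, subject in events:
        if sender.endswith("@" + STAFF_DOMAIN) and rcpt.endswith("@" + STUDENT_DOMAIN):
            by_key[(sender, subject)].append((ts, rcpt))
    alerts = []
    for (sender, subject), items in by_key.items():
        start = 0
        for end in range(len(items)):
            # slide the window start forward until every item fits inside it
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {r for _, r in items[start:end + 1]}
            if len(distinct) >= min_recipients:
                alerts.append({
                    "sender": sender,
                    "subject": subject,
                    "first_seen": items[start][0].isoformat(),
                    "recipients": len(distinct),
                    "lure_match": any(k in subject for k in LURE_KEYWORDS),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the sample log, teacher.b’s five identical messages within half a minute produce one alert flagged as a lure match, while teacher.c’s five “Grades posted” messages spread over several hours do not, since they never fit inside the ten-minute window. In practice the thresholds need tuning against a site’s normal traffic (legitimate class-wide announcements are common), and an alert is a prompt to check the account and reset its credentials, not proof of compromise on its own.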

An escalation over the years

According to Simon, schools are more vulnerable to phishing attacks because many school staff members are everyday users rather than technologically savvy ones. Combined with the fact that teachers, staff, and students at high schools need to be able to communicate with almost everybody, administrators have struggled to prevent phishing attempts.

“These phishing emails usually come from someone they trust, and it’s not an email like a letter,” Cornejo said. “It’s more of a Google document that says, ‘Hey, look at this. I want to share this with you.’ It’s usually something like sharing permissions or ‘Can you share this with me?’”

Nowadays, attackers use social engineering tactics, such as researching the names of teachers’ friends and family or collecting personal data, to customize their messages directed at susceptible teachers. According to Simon, human error accounts for the majority of successful phishing attempts.

“Prior to the last maybe two, three years, most of them were not custom or personalized attacks. And now there’s a lot of social engineering involved. They look up the principal’s name at a school site, they try to personalize it a lot more,” Simon said.

The extra step

Simon takes the time and effort to create professional development workshops to educate teachers, his end-users, about current phishing trends.

“User education is the most important piece of cybersecurity. If your end-users are not well educated and don’t have their devices and their accounts secured, those are definitely huge entry points,” Simon said.

At Carlmont, staff education has taken a more hands-on approach. The school has implemented KnowBe4, a cybersecurity platform that simulates phishing attacks.

“It’s a program that sends out fake phishing emails to staff to see if they click on it. If they do fall for it — but it’s a fake one — an email will get sent out to them for some additional training regarding phishing,” Cornejo said.

The program has shown measurable results in reducing successful phishing attempts at Carlmont. According to Cornejo, the school has seen a significant decrease in phishing incidents this year compared to previous years.

“I think it’s somewhat effective in my opinion,” Cornejo said. “We’ve had maybe a couple of staff members who needed training, and I think they did the training. And now they know, instead of affecting other staff members and students potentially.”

Beyond training, Carlmont has implemented technical safeguards to protect staff accounts. The breach of Weyant’s account has proven to be a valuable lesson in the importance of these measures.

“We’ve implemented two-factor authentication with staff email accounts,” Cornejo said. “That’s a big one right there. And awareness is always going to be number one as well.”

Weyant now uses the multifactor authentication system, which sends a notification to his phone whenever he logs in from a new device.

“It forced me to realize that I need to take that extra step, that extra layer to log in. It’s important to consistently change passwords,” Weyant said. “Even though all of us think that our password is so unique, no one’s going to be able to hack it, that’s just not true.”

Simon advises students and staff to use password managers to manage their passwords and to avoid saving them in Google Docs. Weyant now avoids opening or clicking emails from email addresses he does not recognize.

“Don’t click on suspicious links; avoid things that are literally fishy,” Weyant said.