Check Point sees education as ‘most targeted’ cyberattacker sector in 2025 so far

Attackers are taking a certain industry’s IT to school.

Credit: Glen Deskin

Cyberattackers are a lot like a straight-A student—they love going to school. And their favorite subjects might be credential theft and phishing.

According to a report from cybersecurity company Check Point Software Technologies, the education field averaged 4,356 weekly cyberattacks from January through July 2025.

The 41% year-over-year increase in attacks makes education the most targeted of all global sectors, the cybersecurity company wrote in an August 28 blog post.

As highlighted in that post, phishers are exploiting back-to-school urgency to send students to fake login pages. Check Point observed that out of the 18,391 new domains related to schools, universities, and students set up in July 2025, “one in every 57 [was] found to be malicious or suspicious.”

To defend against the crowded cafeteria of school cyberthreats, Check Point recommended IT pros enforce multi-factor authentication, phishing awareness for staff and students, patching (especially email and collaboration platforms), and threat-prevention tools that block malicious emails and files.

Glen Deskin, head of engineering for vertical solutions at Check Point, took IT Brew through one of the many ways a threat actor can ruin an IT director’s school day.

This interview has been edited for length and clarity.

How come there are so many attacks on the education sector this year?

There’s a higher level of success because it’s an easier target. We still hear every day that there’s another school system that got compromised. It continues to be successful. So, when bad actors continue to have success, they’re going to continue hitting those targets. Those targets are challenged by funding and challenged by expertise. They don’t have the staff in many cases. In many school systems I’ve seen where the principal is their security administrator.

What’s an example of one of the 4,356 weekly attacks? What’s a typical attack that you see at a school, and what’s the impact?

It’s not even just related to a school specifically, but it’s a phishing email attack…It might be something that tricks them into “Your grades are now posted,” and it’s going to impersonate the school’s administrative systems that say, “I need you to log in here. Put in your username, password, your credentials, your Social Security Number, and we’re going to provide you an update because you’ve got a failed grade.” They give a sense of urgency, like “you failed this class, you need to log in here and look at your grade on the system and, oh, to log in, you’re going to need to put in your Social Security Number so we can identify you.”…And so now they’ve just lost their Social Security Number, their username, their password, and maybe they even have malicious code or software now loaded on their laptop or their PC or device.

Can a student’s compromise lead to something massive, like a school disruption, or does it have to be a compromise at the admin level?

If they click on something, and then a piece of malicious software is pulled down…It could be a student’s machine, and then it laterally moves inside the network. It’ll connect to administrator machines, it’ll connect to other students, and shut the entire system down. So yes, that is possible, and has happened. If it’s, say, an administrator, what’s even more dangerous is it could get their credentials, and now you’ve not only got an ability to lock out systems, but [attackers] could steal information by logging in with those stolen credentials and then retrieving, let’s say, an entire student database.

How has social media made this challenge more challenging?

Where there’s a will, there’s a way. [Students] are always going to find ways to connect outside of those school protection systems, like, say, load up their own personal phone and connect to whatever social media platform they want. So there’s a lot of ways for them to either click on the wrong things, share the wrong information, provide the wrong credentials, and have their information stolen, which can then be used to compromise their identity, the school’s information, the school systems. The threat surface is much bigger than it was a number of years ago.

