These are some quick and free ways to mitigate phishing attacks.

1. Education - Security Awareness Training

2) Not publicly posting staff email addresses.  This isn't always a popular choice, but using external messaging systems or website contact forms VASTLY decreases your attack surface. It's up to your district to decide if the reward of posting addresses is greater than the risk of attack it presents.

3. Adding a bold header to all mail entering your system from outside your domain.

We used to post a very dainty "warning" at the bottom of emails from external senders, but it was seldom noticed. We've since start going big and bold. There was zero cost to implement this using mailflow rules in our email server, but the payoff is huge. It also gives users power and confidence by knowing when to be skeptical.

(More details on can be found under the "Using Mail Flow Rules")

4. Restrict student email accounts to internal sending and receiving only.

This is another simple way to reduce attack surface. This is also achieved through a simple mail flow rule, and we make this sort of "closed campus" setting our default. Over time, there may be external sites students need to receive email from (College Board is a common example around ACT time), but this are easy to manage as exceptions in the mail flow rule.

5. Configure mail security protocols.

This will take some research, but implementing SPF, DKIM, and DMARC in your mail system makes it hard for attackers to forge emails and makes it easy for you to block their arrival. These aren't very intuitive to set up (especially if you have a lot of subdomains), but there is ample documentation online for setting up for Google and Microsoft mail systems.

• SPF - Sender Policy Framework: Configuring SPF hardens your DNS servers to restrict who can send mail using your domain, thus helping prevent spoofing.
• DKIM - DomainKeys Identified Mail: Configuring DKIM insures the contents of your mail messages aren't tampered with
• DMARC - Domain-based Message Authentication, Reporting, Conformance: DMARC ties SPF and DKIM together, and also force the "FROM:" header in an email to match the sender's domain. Even though this greatly reduces spoofing, it's configured in less than 10% of colleges and universities (citation needed).

6. Block Logins from Unauthorized Countres.

This isn't strictly a spoofing concern, but it could prevent trouble if an account is breached. In a average 24-hour period in my district, 16% of login attempts come from countries outside the US. Without this restriction, we could potentially have 16% of our logins coming from attackers who've compromised user credentials. While this should be a basic feature, this is sometimes a premium feature for depending on mail services (looking at you, Microsoft).

7. If your email provider has scanning services, use them.

In addition to making sure there are policies configured and enabled to scan for and quarantine phishing emails, take a look at these. Get a feel for what types of phishing emails are coming to your folks and work it into your Security Awareness training. If possible, also give users a way to report Phishing emails themselves, and if your platform has an option to review those user-flagged messages, do it! Also, try to remember to give out pats on the back to teachers who are vigilant in reporting phishing. If your platform doesn't have this ability, Knowbe4 offers a free Phish Alert button. Sure, you'll be stuck talking to a very persistent rep, but it's a solid tool and easy to implement and use. Plus, my rep there is a good dude, so I don't mind when he bugs me.