April 25, 2024

Fake Phishing Emails Expose Need for Cybersecurity Training


It’s something IT leaders generally know — you can buy all kinds of hardware and software to try to ward off cyberattacks, but one of the most important cybersecurity vulnerabilities to address involves people, not technology.

That human element is particularly important for K–12 districts, which are popular targets for cyber incidents because of the heaps of sensitive information they collect. Some school districts are forced to pay ransoms to retrieve data. Some attacks shutter districts for days.

Against that backdrop, my team and I noticed an increase in phishing emails to our faculty and staff as well as a bump in the number of teachers requesting tech support because of malware on their devices. That prompted us to launch an anti-phishing campaign last year during the fall semester. We needed to address the “people” part of our cybersecurity concerns.

We set up a Gmail account to send a fake phishing email to district teachers. The sender address included red flags teachers should have recognized: The district’s name was misspelled, and the address used the generic Gmail domain instead of the district’s domain. The body of the email included red flags such as spelling errors. The email footer included links and a logo from MailChimp, which is a well-known company but not a district-approved vendor.
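As an added illustration (not part of the original article or the district's tooling), the sender and link red flags described above can be written as a simple mail-screening check. The district domain, the approved-link list and the sample message are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch (not from the article): the district's real
# mail domain, its name token, and the domains staff links may point to.
DISTRICT_DOMAIN = "exampledistrict.org"
DISTRICT_NAME = "exampledistrict"
APPROVED_LINK_DOMAINS = {"exampledistrict.org", "google.com"}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}

# Constructed sample message modeled on the red flags listed above.
SAMPLE = """\
From: District Help Desk <exampledistict.helpdesk@gmail.com>
To: teacher@exampledistrict.org
Subject: Requierd staff survey

Please compleet the survey: https://forms.example.net/survey
Sent with https://mailchimp.com/
"""

def looks_like(token, name, threshold=0.85):
    """True when token is a near miss of name (likely misspelling), not an exact match."""
    return token != name and SequenceMatcher(None, token, name).ratio() >= threshold

def red_flags(raw):
    """Return the list of sender and link red flags found in a raw message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    flags = []
    if domain != DISTRICT_DOMAIN:
        flags.append("sender-not-district-domain")
    if domain in FREE_MAIL:
        flags.append("sender-free-mail")
    # Compare each piece of the local part with the district name.
    if any(looks_like(t, DISTRICT_NAME) for t in re.split(r"[._\-+]", local)):
        flags.append("district-name-misspelled")
    # Flag every link whose host is not an approved domain or a subdomain of one.
    for host in re.findall(r"https?://([^/\s]+)", msg.get_payload()):
        host = host.lower()
        if not any(host == d or host.endswith("." + d) for d in APPROVED_LINK_DOMAINS):
            flags.append("unapproved-link:" + host)
    return flags
```

A check like this only covers the header and link flags; the spelling errors in the body still depend on the reader noticing them.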

The email also included a link to a survey requiring a Google login. That link led to a splash page designed to look like a real Google login page but with obvious differences. The fake page asked for a username and password on the same screen, whereas Google asks for the username and password on separate screens.