School Email Phishing Attacks on Kids: What Every Parent Needs to Know About Google and Microsoft Accounts
School-issued Google and Microsoft email accounts are prime phishing targets. Learn how attackers hook students, what real attacks look like, and the specific steps parents and kids can take right now.
Your 13-year-old comes home saying her school Google account stopped working. She clicked a link in an email that looked like it came from her teacher — asking her to verify her account before a “system update.” She typed in her password. Within 20 minutes, that same account sent phishing emails to every student in her class. The school IT department spent three days cleaning it up. This scenario played out at a middle school in Broward County, Florida in 2023, and variations of it are happening in districts across the country every week.
School-issued email accounts — Google Workspace for Education and Microsoft 365 Education — are not just homework tools. They are keys to grading portals, student information systems, district networks, and in many cases, each other’s inboxes. Attackers know this. Parents, largely, do not.
Key Takeaways
- School Google and Microsoft accounts are targeted specifically because students are less suspicious of institutional-looking emails than adults are
- Credential harvesting via fake “account verification” pages is the most common attack vector against students
- A single compromised student account can be used to phish hundreds of classmates from a trusted “.edu” address
- Multi-factor authentication is rarely enforced by default on student accounts — and parents can push schools to change this
- Teaching kids to identify phishing requires practice with realistic examples, not just a single assembly warning
Why School Accounts Are Prime Targets
When security researchers at the Cybersecurity and Infrastructure Security Agency (CISA) published their 2023 K-12 cybersecurity report, they found that U.S. schools experienced more ransomware incidents than any other sector except government. School email accounts are the entry point for a large share of those attacks.
The reasons are structural. Google Workspace for Education Fundamentals — the free tier used by most public schools — does not enable multi-factor authentication (MFA) by default for student accounts. Microsoft 365 Education has similar gaps. District IT teams are often understaffed; the average public school district has one IT professional for every 218 staff members, according to the Consortium for School Networking (CoSN).
Students, meanwhile, receive their school email account with minimal security training. Many are told a password and sent on their way. They use the same account for five or six years, often setting weak passwords that never change.
What Attackers Actually Want From a Student Account
Parents sometimes assume a kid’s email isn’t worth stealing. The reality is that a student account carries more value than most people expect:
Lateral movement within the school network. Once inside a student account, an attacker can email staff with a trusted sender address. A 2022 FBI Internet Crime Complaint Center (IC3) report documented cases where compromised student accounts were used to send convincing phishing emails to district finance staff — successfully in several cases redirecting payroll deposits.
Access to student information systems. Many schools connect Google or Microsoft accounts to platforms like PowerSchool, Infinite Campus, and Canvas. A student’s compromised login can expose grades, address information, parent contact data, and in some systems, partial Social Security numbers.
Ransomware staging. In larger incidents, attackers use student accounts as a beachhead to map the network before deploying ransomware. The Los Angeles Unified School District breach in 2022 — which exposed data on 500,000 students — began with credential theft.
Selling credentials on dark web markets. Bulk student credentials from “.edu” domains are sold as packages. They’re used to access academic journal subscriptions, Adobe Creative Cloud licenses granted to students, and other software students are given free access to.
How Phishing Attacks on Students Actually Work
The mechanics differ from the generic “Nigerian prince” emails adults learned to recognize. Student-targeted phishing is more contextual and more convincing.
The Fake Account Verification Lure
The most common attack sends an email that appears to come from Google or the school district itself. The subject line typically reads something like “Action Required: Verify Your School Account Before [date]” or “Your Google Workspace access will be suspended.” The email contains a link to a login page that looks pixel-for-pixel identical to the real Google sign-in.
When the student enters their credentials, those credentials are captured and relayed to the attacker’s server. In many cases the page then redirects to the real Google login, so the student just assumes they mistyped the first time and logs in successfully — never suspecting anything went wrong.
Teacher Impersonation
A step up in sophistication: the attacker first compromises one account (often a teacher’s, obtained from a data breach on a site where the teacher reused their password), then uses that real account to send phishing emails to students. The emails look like they’re from Ms. Hernandez’s actual address. They might ask students to complete a “survey” before the next class, share a file, or click a link to a fake collaboration platform.
The Shared Document Trap
Google Forms and Google Docs shared from within a school domain are automatically trusted by the student’s account. Attackers who have compromised any account in a district — even a student from a different school — can create a shared Google Doc that contains a link to a credential harvesting page. The notification arrives through Google’s own email infrastructure, making it appear completely legitimate.
Discord and Gaming Cross-Contamination
Researchers at Proofpoint documented a pattern in 2024 where phishing attacks targeting students didn’t start with school email at all. Attackers befriended students on Discord, built rapport around gaming, then sent “school resource” links through Discord that led to fake login pages for school accounts. Students entered their school credentials because the attacker framed it as a homework help site or mod download.
What a Real Attack Looks Like: A Breakdown
| Stage | What the Attacker Does | What the Student Sees |
|---|---|---|
| Reconnaissance | Finds school domain from public website; scrapes teacher names from school staff page | Nothing |
| Credential theft | Sends fake “account expiration” email with spoofed school domain | An urgent-looking email about their account |
| Harvesting | Student submits login on fake page; attacker captures credentials in real time | A brief loading screen, then their normal school page |
| Lateral movement | Logs into student account; reads emails, identifies teacher names, class schedules | Account briefly shows logged in on another device (often unnoticed) |
| Escalation | Uses student account to email classmates or staff with new phishing links | Classmates receive email appearing to come from their friend |
| Persistence | May change recovery email or phone number to lock out the real student | Student finds they can’t log in the next day |
Specific Settings Parents Can Check Right Now
You don’t need IT expertise to take meaningful action. These are things a parent can do today.
Ask about MFA. Contact the school’s technology coordinator and ask whether student Google or Microsoft accounts have multi-factor authentication enabled. If the answer is no, ask why not and whether the district is aware that CISA’s K-12 guidelines specifically recommend it. Google Workspace for Education Plus does support MFA for students — it requires administrator action to enable.
Check the account recovery settings. If your child’s school allows it, log into myaccount.google.com or account.microsoft.com together and verify that the recovery phone number and recovery email listed are yours (or your child’s personal phone), not blank fields.
Review connected apps. In Google Workspace accounts, go to myaccount.google.com > Security > Third-party apps with account access. Students accumulate app permissions over years. Any unrecognized app with broad permissions should be revoked.
Set up login alerts. In Google accounts, security alerts for new sign-ins can be enabled. For Microsoft accounts, unusual sign-in activity alerts can be configured in the Microsoft account security settings.
Teaching Kids to Identify Phishing: What Actually Works
A 2021 study published in the journal Computers & Security found that one-time training sessions — the kind delivered as school assemblies or single-day modules — produce short-term awareness that fades within weeks. Repeated, spaced practice with realistic examples is significantly more effective.
The Three Questions Drill
Teach your child to ask three questions before clicking any link in email:
- Did I expect this email? If the answer is no, that’s a yellow flag. Teachers and school IT departments rarely send urgent “verify your account” emails out of nowhere.
- Where does the link actually go? On a phone, hold the link down (don’t tap) to preview the URL. On a computer, hover over it. The real domain should be google.com, microsoft.com, or the official school district domain (often something like k12.statename.us or [districtname].edu). If it’s “google-accounts-verify.net” or any variation, it’s fake.
- Is this creating pressure to act fast? Phishing emails use urgency as a tool. “Your account will be deleted in 24 hours” is a pressure tactic, not a real IT notice.
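The second question (“where does the link actually go?”) is the one that trips people up, because the eye reads the brand name and stops. The small Python checker below is an added example, not code from the article or from Google or Microsoft; it does mechanically what a parent is asked to do by hovering. It extracts the host a browser would really connect to, then accepts it only if it is one of a constructed allowlist of trusted domains or a true subdomain of one. The district domain `k12.example.us`, the sample email text and the verdict labels are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for this example: the two vendor domains the article
# names plus a hypothetical district domain. A real family would put their
# own district's domain here.
TRUSTED_DOMAINS = ("google.com", "microsoft.com", "k12.example.us")

# Brand words that appear in the trusted domains; a host that contains one of
# these but is NOT trusted is the classic "google-accounts-verify.net" lookalike.
BRAND_WORDS = tuple(d.split(".")[0] for d in TRUSTED_DOMAINS)

# Constructed sample of a "verify your account" lure with one fake and one real link.
SAMPLE_EMAIL = """Action Required: Verify Your School Account Before Friday
Your Google Workspace access will be suspended. Sign in here:
https://google-accounts-verify.net/login?u=student
Having trouble? Visit https://support.google.com/accounts
"""

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def link_host(url: str) -> str:
    """Return the lowercase hostname a browser would connect to for this link.

    Two pitfalls are handled: links pasted without a scheme, and the
    'https://accounts.google.com@evil.example/' trick, where everything
    before the '@' is userinfo and the real host is what follows it.
    urlsplit().hostname already applies that rule and lowercases the host.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if host equals a trusted domain or is a subdomain of one.

    The suffix test is anchored on a dot, so 'notgoogle.com' and
    'google.com.evil.net' both fail: the trusted name must be the
    registrable tail of the host, not merely appear inside it.
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike', 'untrusted' or 'no host' for one link."""
    host = link_host(url)
    if not host:
        return "no host"
    if is_trusted(host):
        return "trusted"
    if any(word in host for word in BRAND_WORDS):
        return "lookalike"
    return "untrusted"


def check_email_links(text: str):
    """Find every http(s) link in an email body and return (url, verdict) pairs."""
    return [(url, classify(url)) for url in URL_RE.findall(text)]


if __name__ == "__main__":
    for url, verdict in check_email_links(SAMPLE_EMAIL):
        print(f"{verdict:10s} {url}")
```

The verdicts are deliberately coarse: anything that is not on the allowlist is reported, and the “lookalike” label only adds a reason. The checker does not decode punycode (`xn--`) hostnames, so a visually confusable international domain is reported as untrusted rather than as a lookalike, which is still the safe outcome.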
Practice With Them
Sites like phishingquiz.withgoogle.com (Google’s free Jigsaw quiz) let kids test their ability to spot real versus fake emails. It takes 10 minutes and produces immediate, memorable feedback. The Anti-Phishing Working Group (APWG) also publishes quarterly phishing trend reports that describe current attack styles in plain language — useful for parents who want to understand what’s circulating right now.
Normalize “Pause and Ask”
One of the most effective habits is the simplest: tell your child that if they’re ever unsure about an email, they can forward it to you or show a teacher before clicking. Make it explicit that you will not be frustrated with them for pausing. The fear of “getting in trouble” for asking is part of what attackers exploit — students don’t want to admit they’re confused.
What to Watch For Over 3 Months
Month 1: Ask the school directly about MFA status for student accounts. Review your child’s connected apps and recovery settings together. Run the Google Jigsaw phishing quiz together.
Month 2: Check whether your child’s school district has published a cybersecurity incident response plan (many districts are now required to by state law). Ask your child to walk you through an email they received recently and explain why they thought it was real or suspicious.
Month 3: Look at the school’s acceptable use policy — specifically whether it addresses phishing reporting procedures. Does your child know who to report a suspicious email to? If not, find out together and save that contact.
Frequently Asked Questions
Can a phishing attack on my kid’s school email affect our home network?
Yes, indirectly. If an attacker captures your child’s school login credentials and your child reuses that password on home accounts or personal devices, those accounts become vulnerable. More directly, if malware is involved (some phishing attacks deliver malware rather than just harvesting credentials), a compromised school device brought home could affect devices on the same Wi-Fi.
My child’s school uses Chromebooks — does that make phishing less dangerous?
Chromebooks reduce the risk of traditional malware because ChromeOS is sandboxed and web-based. But credential phishing doesn’t require malware. A student can be tricked into entering their password on a fake page from any device. The Chromebook provides no protection against the student typing their login into the wrong website.
What if my child already clicked a phishing link and submitted their login?
Act immediately. Have your child try to log into their school account and change the password right away. If they’re locked out, contact the school’s IT department directly — most districts have an emergency contact for account compromises. Check the account’s recent activity for unauthorized sign-ins and review whether the recovery information has been changed.
Should I be worried about my younger child (age 8-10) who has a school account?
Younger students are actually at higher risk in some ways because they have less context for evaluating whether an email is suspicious. The same rules apply, but supervision should be closer — periodically checking their school inbox together is reasonable at this age.
Does the school have any legal obligation to protect student data?
Yes. The Family Educational Rights and Privacy Act (FERPA) requires schools to protect student education records. The Children’s Online Privacy Protection Act (COPPA) applies to students under 13. Schools that experience a data breach affecting student records are generally required to notify affected families. If you believe your district is not taking reasonable security measures, you can file a complaint with the U.S. Department of Education’s Student Privacy Policy Office.
How do I know if my child’s email was already compromised?
Have I Been Pwned (haveibeenpwned.com) allows you to check whether an email address appears in known data breaches. Note that it only tracks breaches that have been made public — it won’t catch everything. If the school email isn’t searchable directly, check whether the email password was reused on any personal accounts that might appear in breach databases.
About the author
Ricky Flores is the founder of HiWave Makers and an electrical engineer with 15+ years of experience building consumer technology at Apple, Samsung, and Texas Instruments. He writes about how kids learn to build, think, and create in a tech-saturated world. Read more at hiwavemakers.com.
Sources
- Cybersecurity and Infrastructure Security Agency (CISA). (2023). K-12 Cybersecurity: A Guide for K-12 Administrators. U.S. Department of Homeland Security. https://www.cisa.gov/k-12-cybersecurity
- FBI Internet Crime Complaint Center (IC3). (2022). 2022 Internet Crime Report. Federal Bureau of Investigation. https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf
- Anti-Phishing Working Group (APWG). (2024). Phishing Activity Trends Report, Q4 2024. APWG. https://apwg.org/resources/apwg-reports/
- Consortium for School Networking (CoSN). (2023). Annual IT Leadership Survey. CoSN. https://www.cosn.org/research
- Jalali, M. S., Siegel, M., & Madnick, S. (2019). Decision-making and biases in cybersecurity capability development. Decision Support Systems, 113, 148–160.
- Proofpoint. (2024). State of the Phish 2024: An In-Depth Exploration of User Awareness, Vulnerability and Resilience. Proofpoint Inc. https://www.proofpoint.com/us/resources/threat-reports/state-of-phish
- U.S. Department of Education Student Privacy Policy Office. (2024). FERPA General Guidance for Students. https://studentprivacy.ed.gov