School District Phishing Training: K-12 and Higher Ed Guide

School systems sit on a uniquely valuable target set - student records, family financial information, payroll for thousands of staff, federal grant funding and SIS access that can be quietly used for grade-changing schemes - and they sit on it with constrained IT budgets and rotating administrative staff. Ransomware groups have noticed. The number of K-12 incidents in the public record has risen sharply over the past five years, and higher-education breaches have become routine enough that they barely make headlines.

This post is for the K-12 superintendent, the technology director, the higher-education CIO or CISO and the business office director who has been told that the district's last incident "started with a click." It walks through what's distinct about phishing risk in education, how the regulatory frame actually maps to a program, the lures that land and how to run the program without overwhelming an IT department of two.

What's distinct about phishing in education

  • Heterogeneous workforce, high turnover. Teachers, aides, custodial staff, food service, transportation, athletic coaches, substitutes, contractors, board members and central office. Onboarding cycles peak in August and again in January.
  • Public-facing communication culture. Staff are conditioned to respond fast to parent emails, especially anything tagged urgent, which is the muscle attackers exploit.
  • Federated identity sprawl. Most districts run Google Workspace for Education or Microsoft 365 plus a SIS, an LMS, an HR/payroll system, transportation, food service and a clinic record system. SSO password lures are the universal entry point.
  • Tight budgets and visible procurement. Programs have to clear board approval and survive public-records scrutiny. The cheapest defensible solution is usually the right one.
  • Federal funding lures. Title I, Title III, IDEA, ESSER (where still applicable) and grant-funded program emails are realistic phishing pretexts that resonate with business office staff.

The regulatory frame

  • FERPA (20 U.S.C. § 1232g) - protects the privacy of student education records. Reasonable safeguards against unauthorized disclosure are the relevant clause for security training. PTAC guidance treats simulated phishing as a standard administrative safeguard.
  • CIPA - primarily about content filtering and internet safety education for students; tangential to staff phishing programs but relevant to the broader awareness curriculum.
  • REMS (Readiness and Emergency Management for Schools) - DOE guidance that increasingly addresses cybersecurity preparedness alongside physical safety; includes recommendations on staff training.
  • State student-data privacy laws - California's SOPIPA and student-privacy statutes in dozens of states layer on top of FERPA with their own safeguards expectations.
  • State and federal grant terms - many cybersecurity-related grants now require security awareness training as a condition.
  • Cyber insurance - districts and universities buying cyber insurance face the same questionnaire described in our 2026 renewal post.

FERPA does not name "phishing simulation" by string, but a credential-theft breach that exposes education records puts the program directly in the post-incident review.

Templates that work in education

  • Google Workspace / Microsoft 365 password reset - the universal SSO lure. Effective across every cohort.
  • SIS credential prompts - PowerSchool, Infinite Campus, Skyward, Aeries password expiration. Targets office staff and registrars.
  • Parent-impersonation messages - "I won't be picking up [student] today, please confirm by clicking here." Targets front-office and attendance staff.
  • Substitute-coordinator lures - fake substitute placement system notices.
  • Payroll and benefits - direct deposit change requests during open enrollment, pay stub portal lures.
  • Grant funding - federal program email impersonation, grant-application portal credential prompts. Targets business office.
  • Vendor invoice fraud - transportation, food service, athletic equipment vendor impersonation.
  • Higher-ed specific - financial aid office lures, bursar payment fraud, research-IT credential prompts, journal-submission impersonation and conference-registration scams aimed at faculty.

A balanced rotation across these categories at varying difficulty produces the cohort data that boards, auditors and insurance brokers want to see. Multi-channel coverage matters at the higher-ed level - SMS smishing of registration deadlines, voice vishing impersonating IT help desk - and matters less in K-12 where staff phones aren't always the work device.

A budget-aware program design

Most districts can't afford the enterprise platform sticker price, and most don't need it. A workable design:

  • Tier 1 (months 1-3): Cover the central office, business office, IT, principals and assistant principals - typically 30-80 people in a mid-sized district. Run two campaigns. A free 25-user trial is enough to demonstrate measurable results to the superintendent and board.
  • Tier 2 (months 4-9): Expand to all certified and classified staff. Move to monthly cadence. Add auto-assigned remediation training for users who fail.
  • Tier 3 (year 2): Add multi-channel (SMS) coverage if your staff carries district mobile devices, layer in role-specific harder simulations for the business office and IT and produce a board-level annual report.

Many districts fund this through E-Rate Category 2 (where eligible), state cybersecurity grants, the K-12 Cybersecurity Self-Assessment program (CISA) or the standard tech budget. Per-user costs at a district scale are typically a small fraction of the cost of one substitute teacher day.

The cohort breakdown that boards understand

Boards don't care about a single-number click rate. They care about whether the program is reducing risk and whether the people closest to the money and the records are improving. Report this way:

  • Business office - click rate, reporting rate, payroll/wire fraud-specific simulation results
  • Front office and attendance - parent-impersonation simulation results
  • IT and admin - credential-theft and SSO lure results
  • Teachers and instructional staff - general SSO and SIS lure results
  • Leadership (principals, central office) - exec-targeted (whaling) results

Trend each cohort over time. The story you want to tell the board is "we have brought the highest-loss cohorts down by X% in 12 months."
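As an added illustration (not part of the original post, and not the platform's own reporting code), the per-cohort click and report rates above, plus the "down by X% in 12 months" figure, can be computed from a simple per-user campaign export. The export rows, cohort names and month labels are constructed here for the example; cohorts missing from a month, or with no baseline clicks, deliberately get no trend number rather than a misleading one.

```python
from collections import defaultdict

# Constructed sample export (not real data): one row per simulated email
# delivered, as (user, board cohort, campaign month, clicked, reported).
SAMPLE_EXPORT = [
    ("bo1", "business_office", "2025-01", True, False),
    ("bo2", "business_office", "2025-01", True, False),
    ("bo3", "business_office", "2025-01", False, True),
    ("bo4", "business_office", "2025-01", False, False),
    ("bo1", "business_office", "2026-01", False, True),
    ("bo2", "business_office", "2026-01", True, False),
    ("bo3", "business_office", "2026-01", False, True),
    ("bo4", "business_office", "2026-01", False, True),
    ("fo1", "front_office", "2025-01", True, False),
    ("fo2", "front_office", "2025-01", False, False),
    ("fo1", "front_office", "2026-01", False, False),
    ("fo2", "front_office", "2026-01", True, False),
    ("ld1", "leadership", "2026-01", True, False),  # no baseline month
]


def cohort_rates(rows, month):
    """Click and report rates (percent, one decimal) per cohort for one campaign month."""
    tally = defaultdict(lambda: [0, 0, 0])  # delivered, clicked, reported
    for _, cohort, m, clicked, reported in rows:
        if m == month:
            t = tally[cohort]
            t[0] += 1
            t[1] += int(clicked)
            t[2] += int(reported)
    return {c: {"delivered": d,
                "click_rate": round(100 * k / d, 1),
                "report_rate": round(100 * r / d, 1)}
            for c, (d, k, r) in tally.items()}


def cohort_trend(rows, baseline_month, current_month):
    """Per-cohort change between two campaigns: percent reduction in click rate
    (the board's 'down by X%') and the change in report rate in points.
    A cohort absent from either month, or with zero baseline clicks, maps to None."""
    base, now = cohort_rates(rows, baseline_month), cohort_rates(rows, current_month)
    trend = {}
    for c in set(base) | set(now):
        if c not in base or c not in now or base[c]["click_rate"] == 0:
            trend[c] = None
            continue
        cut = 100 * (base[c]["click_rate"] - now[c]["click_rate"]) / base[c]["click_rate"]
        trend[c] = {"click_reduction_pct": round(cut, 1),
                    "report_rate_change": round(now[c]["report_rate"] - base[c]["report_rate"], 1)}
    return trend


if __name__ == "__main__":
    for cohort, change in sorted(cohort_trend(SAMPLE_EXPORT, "2025-01", "2026-01").items()):
        print(cohort, change)
```

A front-office result of zero click reduction and zero report-rate change is exactly the cohort the board should ask about; the business-office row is the story the post describes.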

Higher education differences

At a college or university, the program scope grows in three ways:

  • Decentralized IT. Each school or college may run its own infrastructure, which means rolling out a unified phishing program is as much a political exercise as a technical one. A federated launch - central IT runs the platform, individual colleges opt in - works better than a top-down mandate.
  • Research-IT credential targets. Grant-funded research, especially in life sciences and engineering, attracts targeted phishing. Faculty and graduate research staff need their own simulation track.
  • Student-employee inclusion. Students with payroll access, financial aid access or research credentials should be in the program. Whether to phish the broader student population is a counsel-and-board decision.

Mistakes specific to education

  • Treating annual computer-based training as the program. It is not. Behavior change requires repeated, varied, real-time simulation.
  • Excluding leadership from simulations. Superintendents and presidents are the highest-loss BEC targets in the sector; they belong in the rotation.
  • Punitive remediation. Disciplinary follow-up creates a culture of hiding clicks. The goal is faster reporting, not punishment.
  • Using lures that resemble protected speech or sensitive school topics. Stay away from anything that could be mistaken for a real safety alert, real grade dispute or real disciplinary matter.
  • Forgetting summer staff and seasonal contractors. Camp counselors, summer maintenance and grant-funded program staff often receive district email accounts and need to be included while they hold them.
  • Treating board members as out-of-scope. Board members holding district email accounts are a legitimate phishing target and should be in the program with the same rules as everyone else.

Coordinating with the state education agency

Most states' Department of Education or equivalent agency now publishes baseline cybersecurity expectations for school districts. Several states require breach notification to the SEA in addition to standard state notification laws, and a growing number reference phishing simulation as a recommended practice in their cybersecurity rubrics. Aligning the district program to the state's published rubric makes both the local board reporting and any state-level audit response easier.

For higher education, the Department of Education's Federal Student Aid Cybersecurity Compliance program - tied to GLBA Safeguards through Title IV participation - has tightened expectations on awareness training as a condition of student-aid funding. Institutional research and aid offices both face direct downstream pressure on the awareness-training control.

Where Bait & Phish fits

Bait & Phish has been running phishing simulation and security awareness training programs for K-12 districts and higher-education institutions for more than 15 years. The platform is built for the realities education IT teams face: a free 25-user trial that lets you start small, monthly multi-channel campaigns, education-realistic template categories (SIS, parent communication, grant funding, payroll, SSO), auto-assigned just-in-time remediation training, role-segmented reporting that maps to board cohorts and pricing that fits inside a district tech budget.

Start a free trial covering up to 25 users - no credit card - or contact us about district and university pricing. The pricing page covers the full plan structure. For more on how the program documentation flows into your insurance renewal, see what cyber insurers ask about phishing training.

This post is informational and does not constitute legal, FERPA or compliance advice. Consult counsel and your privacy officer for guidance on your specific obligations.