It seemed to come from an instructional coach in the rural Kentucky district. Its subject line, "Teacher and Staff Guideline Update — Please complete today," called for an immediate response. In two short, generic-sounding paragraphs, it asked staff to click on a link by the end of the workday to acknowledge newly revised, vaguely titled guidelines.
The 29 staffers who followed those instructions soon realized they'd fallen into a trap.
Cyber criminals who target K-12 schools often worm their way into district servers through innocuous-seeming emails, known as phishing attacks.
These messages — which may be easier than ever to craft convincingly in the age of generative artificial intelligence — frequently appear to come from another district employee, especially a top administrator, or a vendor.
They often aim to entice staff to click on a link to visit a spoofed website or download malware designed to steal credentials or sensitive data, or to lure them into otherwise compromising school devices or networks.
This email to Eminence employees, however, had a very different purpose.
When they clicked on the link, they were redirected to a page signed by students in a cybersecurity class taught by Jennifer Gilbert, a school librarian.
The site told them they'd clicked on a fake link in a faux-phishing email, sent as part of a districtwide initiative to "inform people about the dangers of phishing and ways to avoid losing their personal information."
Employees would receive further information about how to steer clear of real attacks in the future, the site promised. It also asked them to stay silent about the project, so that their colleagues wouldn't get advance warning of the faux phishing attempt.
HOW AI SUPERCHARGED THE FAUX PHISHING EMAIL
The Jan. 22 email was crafted by Gilbert's students at Eminence High School, with help from generative AI.
Gilbert believes the assignment will raise awareness of phishing attacks both for school staff and for her students, whether they go into cybersecurity careers or not.
"There's just no way around it — everyone has to have basic cybersecurity education for society to be safe," Gilbert said.
The email ploy was the second one sent as part of the project. The first, sent in December, was also written by the students, but without AI help. It persuaded 14 staffers to click on the fake link.
The second email, crafted in part by AI, yielded more than double the clicks.
"It was so much more successful!" said Gilbert in a video interview.
"I'm not sure that I'd use the phrase 'successful,'" joked Larry Jesse, the district's technology director, who also participated in the interview.
PHISHING EMAILS ARE GETTING MORE SOPHISTICATED AND LIKELY TO FOOL PEOPLE
It's impossible to say just how many phishing emails are sent to K-12 school districts every day, much less how many of them are written with generative AI, said Doug Levin, a school cybersecurity expert and the national director of the K12 Security Information Exchange.
But there's no question phishing emails to K-12 staff have become increasingly sophisticated, he said.
"They're not just targeted to generic teachers. They're literally customizing the phishing lures for the individual school district or school that they're targeting," Levin said.
"They look pretty convincing," he added. "It used to be the conventional wisdom that you could spot a phishing email because it was poorly written. That's no longer the case."
That's likely at least in part because phishers get help from generative AI writing tools, Levin said.
That technology is "drop dead simple to use, even for folks who are not native English speakers," Levin said, noting that many hackers live abroad. "Schools, because they're public organizations, publish so much information online. It gives threat actors a leg up in trying to attack them."
The volume of phishing emails is high in Eminence, a district of 1,000 students about an hour's drive from Louisville, Ky., Jesse said.
"We absolutely see phishing every single day," Jesse said. In his view, "it's mostly AI-driven."
Messages caught by district filters include hallmarks of writing crafted by generative AI: a flat, generic tone and liberal use of double hyphens, Jesse said.
School district data can be a big score for cyber criminals, who can sell student and staff social security numbers and other sensitive information. The personal data of young children is particularly prized. Credit checks are rarely conducted on them, so the fraud may not be discovered for years.
Eighty percent of K-12 schools have been targeted but not necessarily compromised by ransomware in the past year, according to a survey of IT professionals conducted in 2023 by Sophos, a cybersecurity firm. That's a higher percentage than any other industry surveyed, including health care and financial services. (Ransomware attacks typically involve cyber criminals breaking into a network, stealing or encrypting sensitive data, and extorting hefty fees from a district in exchange for returning the information.)
Such attacks can cost districts big, both in dollars and lost instructional time.
More than one in ten educators say that their school or district had to close for at least a day sometime in the past five years because of a cyber attack, according to an EdWeek Research Center survey of 499 educators taken in December and January.
Eminence fights off thousands of cyber attacks from all around the globe daily. These often take the form of cyber criminals attempting to log in to the district's network as the district superintendent, the chief financial officer, and Jesse himself, the technology director said.
During the 30-minute video interview with Education Week, hackers from Bulgaria, China, Mongolia, and Thailand attempted to log in as Buddy Berry, the district superintendent, Jesse said.
BEWARE OF ANY EMAILS FROM OUTSIDE THE DISTRICT
In crafting their fake phishing message, Gilbert's students "played fair," their teacher said. The class deliberately included red flags common to phishing emails.
For instance, if staffers had closely examined the email address the message came from, they would have noticed it was missing the period between 'eminence' and 'kyschools' that appears in all legitimate district email addresses.
Gilbert and her students were able to send the message using that fake domain name because Jesse reserved it. Cyber criminals often use spoofed addresses that include barely noticeable distinctions from the real ones, Jesse explained. So the district is "squatting" on that one, to prevent bad actors from snagging it, he said.
The tone of the message was vague and stilted. It wasn't written in the instructional coach's typically personable voice.
Another, more obvious clue: Both fake phishing messages included a bright red banner across the top that's become a feature of any email sent to Eminence from outside the district.
The banner reads, "Caution: This email originated from outside of Eminence Independent Schools. Do not click links or open attachments unless you recognize the sender and know the content is safe. This email DID NOT come from any staff email address within the district."
Berry and Jesse hope that the project encourages employees to be more suspicious of any email with that cautionary note, even if it appears to come from a trusted contact outside the district, such as a vendor.
"If it has a red bar, you should assume it's fake," Berry said. "I'm not saying they're all fake, but we do want that level of scrutiny."
LEARNING TO SPOT PHISHING EMAILS IS 'AN EXERCISE IN CRITICAL THOUGHT'
Gilbert and her students plan to keep sending the fake phishing messages. They've even created a districtwide competition, eliminating each staffer who falls for the ruse until only one, presumably cybersecurity-savvy, district employee remains.
They're tracking staff progress through a bracket inspired by the Korean Netflix show 'Squid Game.'
Creating their own fake phishing emails, and using them to train teachers, offers students a great lesson in digital citizenship, a focus for the district for more than a decade, Jesse said.
"This is an exercise in critical thought," he said.
Students — and staff — need to learn they can't "take everything that gets delivered to you digitally at face value," Jesse said. "You need to be vetting that source to make sure that you're not being duped."
At the same time, the district teaches students that AI "is here," Jesse said. "It is not going away ... You need to learn the ethical use of AI, when to utilize AI, and how to construct the prompts for AI to get the information that you need without completely handing your autonomy over to AI."
Could teaching students to write phishing emails have unintended consequences?
Levin admires Eminence's creativity. Years ago, districts would involve students in problems like phishing by having them create cybersecurity awareness posters, he said.
"This is leagues better," Levin said. "It's real. It's much more engaging. They're actually helping to lift up the community."
Still, he warned teachers and district leaders elsewhere to think carefully before following the Eminence district's lead.
While the project might go over well in Eminence's tight-knit rural community, teachers in other places might not take kindly to being fooled by their students.
"Context matters," Levin said.
Levin had another, darker observation: Districts that teach students to write phishing emails may ultimately regret it if those kids use their newfound hacking tricks against their school.
"You're actually giving them tools and techniques they can use themselves," he said.
Gilbert isn't worried.
The district's filters would have kept her class's faux-phishing emails from hitting staff inboxes, she said. Jesse had to specifically let them through.
Plus, before beginning the project, Gilbert spoke to her students at length about ethical and unethical uses of technology. Students and their parents signed an acceptable use policy before the course moved forward to activities like using AI to create a fake phishing email.
More people should learn the skills her students are developing through the phishing project and the cybersecurity course, Gilbert added.
"We need curious and intelligent people who are willing to poke and prod to discover where weak spots are," she said, in order to "tighten that up before someone with ill intent does."
© 2026 Education Week (Bethesda, Md.). Distributed by Tribune Content Agency, LLC.