The short version.
School-portal phishing has become a routine attack vector: emails or texts that look like they come from the school district route to a clone of the login page. Teens have been trained to comply quickly with school authority, so the success rate is high. Once a student account is compromised, the credentials are often reused across the family Google or Apple ID, the student's college applications, and any banking or payment accounts. Schools are slow to respond because the attacks come from outside the district network.
The platforms and contexts.
Email and SMS to school-issued addresses and personal phones. Some attacks come from compromised classmate accounts; some from external attacker domains designed to look like the district.
The timeline.
Credential phishing of student accounts has scaled rapidly since 2020, when COVID-era remote learning expanded the student-account surface area. Schools' security training rarely keeps up.
The core facts a parent needs.
- Real school IT never asks for passwords via email or text. Any message asking for a password is a phishing attempt — no exceptions.
- Two-factor authentication on the student account (via authenticator app, not SMS) blocks most credential-theft attempts even when the password is leaked.
- Password reuse is the multiplier. The phished school password is often the same as the personal Gmail, the iCloud account, and the bank login.
What's actually at stake.
- Loss of grades, assignments, and academic records during the disruption.
- Cascading account compromise: school → Gmail → iCloud → bank.
- Identity theft when the compromised accounts hold the teen's SSN, date of birth, and other PII.
The talk that lands — try it now.
Imagine you just learned your teen brushed up against this. You have 60 seconds before the conversation begins. What you say first decides whether the next 20 minutes opens the door — or slams it.
"What were you thinking? Give me your phone — now."
Panic + punishment in the same breath. The teen reads it as "every honest detail will be used against me." The phone comes; the truth doesn't.
What would you open with instead? Picture it for a beat — then…
"I want to ask about something — no trouble, I just want to understand it. Can we sit for five minutes?"
Curiosity, not court. Promise of safety in the first sentence. Time-bounded so it doesn't feel like a trap. Almost every teen says yes to five minutes.
Then, in those 5 minutes:
- Set up an authenticator app (Google Authenticator, Authy, or 1Password) on the school account. Most school districts now support it.
- Use a different password for the school account vs every other account. A password manager makes this practical.
- If credentials were entered on a phishing page, change every password that shares it — and run a security check on the linked email account.
Try saying it out loud once before you close this tab. Cool parents rehearse — yelled parents wing it.
Practice 200 more parent–teen scripts →Concrete next steps.
- Set up an authenticator app (Google Authenticator, Authy, or 1Password) on the school account. Most school districts now support it.
- Use a different password for the school account vs every other account. A password manager makes this practical.
- If credentials were entered on a phishing page, change every password that shares it — and run a security check on the linked email account.
See it for yourself.
School IT and district security office immediately · Notify any accounts that shared the password · FBI ic3.gov if money was taken · Identity-theft hotline (FTC 1-877-438-4338) if SSN was exposed.