Skip to main content
All playbooks

Playbook

Teacher email / BEC

Compromised teacher mailbox — gradebook variant (transcripts) and the payroll-redirect variant (paycheck reroute).

The scenario

An HR coordinator processed a paycheck-routing change that came from a teacher's actual email address. Two pay cycles later the teacher reports a missing paycheck. The account has been quietly forwarding payroll and finance threads for six weeks.

First 60 minutes

  1. Disable the compromised account and revoke all OAuth tokens / app passwords.
  2. Pull mailbox audit logs for the last 90 days — look for inbox rules, forwarding rules, and OAuth grants.
  3. Notify payroll to halt any pending direct-deposit changes that came from email in the last 60 days.
  4. Reverse the fraudulent ACH/wire if the receiving bank can still claw back (the first 72 hours are the window).
  5. File an IC3 report (US) or CAFC report (Canada).
  6. Notify cyber-insurance carrier — BEC is the most-claimed K-12 cyber loss.

Decisions to make

Variant

  • Gradebook variant — see SIS compromise playbook for grade/transcript review.
  • Payroll-redirect variant — finance department, HR, and counsel in the same call.

Who to call

  • Cyber-insurance carrier
  • IC3 (US) or CAFC (Canada)
  • K-12 MS-ISAC
  • Local law enforcement
  • State breach-notification regulator if W-2 / SSN data was accessible

FAQ

Is one teacher's mailbox enough to trigger a district-wide reset?

Often, yes. BEC operators reuse stolen credentials across the tenant and pivot to finance / HR / superintendent accounts within days. Force MFA enrollment district-wide if it isn't already mandatory.