The scenario
An HR coordinator processed a paycheck-routing change that came from a teacher's actual email address. Two pay cycles later the teacher reports a missing paycheck. The account has been quietly forwarding payroll and finance threads for six weeks.
First 60 minutes
- Disable the compromised account and revoke all OAuth tokens / app passwords.
- Pull mailbox audit logs for the last 90 days — look for inbox rules, forwarding rules, and OAuth grants.
- Notify payroll to halt any pending direct-deposit changes that came from email in the last 60 days.
- Reverse the fraudulent ACH/wire if the receiving bank can still claw back (the first 72 hours are the window).
- File an IC3 report (US) or CAFC report (Canada).
- Notify cyber-insurance carrier — BEC is the most-claimed K-12 cyber loss.
Decisions to make
Variant
- — Gradebook variant — see SIS compromise playbook for grade/transcript review.
- — Payroll-redirect variant — finance department, HR, and counsel in the same call.
Who to call
- Cyber-insurance carrier
- IC3 (US) or CAFC (Canada)
- K-12 MS-ISAC
- Local law enforcement
- State breach-notification regulator if W-2 / SSN data was accessible
FAQ
Is one teacher's mailbox enough to trigger a district-wide reset?
Often, yes. BEC operators reuse stolen credentials across the tenant and pivot to finance / HR / superintendent accounts within days. Force MFA enrollment district-wide if it isn't already mandatory.