Using a mix of identity deception, domain spoofing, credential theft, and bank fraud, scammers are taking advantage of soft targets in the U.K.’s education sector.

The U.K.’s Education and Skills Funding Agency (EFSA) has released a new update that includes details around both increases in phishing attacks against education providers and phishing scam specifics.

According to the update, the scam is focused on tricking users into giving up credentials to cloud-based applications with the intent of repurposing those credentials to commit fraud against a vendor doing business with the educational institution.

The EFSA recommends being “alert to emails containing seemingly legitimate or secure links” and checking “the sender of an email is genuine before, for example, sending passwords, data or payment.”

These recommendations are just the tip of the iceberg when it comes to educating users to be vigilant against phishing attacks. Organizations should look to employ Security Awareness Training to elevate the user’s understanding of attack techniques and how to spot malicious web or email content. Continual training with phishing testing enhances training by providing a feedback loop to IT and executives, helping them to better understand what parts of the organization are putting them most at risk.