Early October 2025, Ann Arbor Public Schools (AAPS) students got their accounts compromised and sent emails to other AAPS students that were later identified as phishing.
Phishing emails are malicious emails that attempt to steal the recipient’s personal information through suspicious links, attachments, and more. The phishing email contained a table asking the user to open the attachments, which turned out to contain malware. Many of the messages sent used titles like “Review And Sign Document Attached” and other generic subjects. They appeared to be from AAPS students, deceiving some people.
“It was really frustrating and annoying,” an anonymous Huron student, whose account was compromised by the incident, said. “If you get sent something strange and [Google] gives you a scam warning, listen to it.”
AAPS Information Technology Department (ITD) commented on the incident, saying that the department takes cybersecurity very seriously by implementing “a variety of layered cybersecurity best practices to ensure our district stays safe and secure,” as ITD representative Heather Kellstrom said.
“It appears that several student accounts were used to send malicious or impersonating emails, but some of those emails disappeared after several days,” Kellstrom said. “A phishing type of email was sent to a grouping of end-users. The phishing email leveraged addresses from each user’s account to perpetuate the phishing email. The email was flagged by both our tech systems and also end-users.”
Kellstrom said that AAPS constantly scans each email sent to the district as clean, spam or a threat. When an email that is sent is later identified as phishing scam and meets the system requirements, the system “[isolates] the email from end-users’ inboxes as a protection measure to end-user account credentials.”
Kellstrom furthermore said that phishing campaigns are created to “exploit human psychology.” She also said that in AAPS, the tech team uses a “layered approach” to deal with phishing campaigns.
“Prior to an email entering our ‘@aaps.k12.mi.us’ domain, we have implemented industry standards to secure our email servers,” Kellstrom said. “Any email that doesn’t have the necessary matching server criteria and digital signatures is marked as Phishing or SPAM.”
The standard industry security Kellstrom mentioned has several layers.
First off, before an email reaches the domain “@aaps.k12.mi.us” or “@a2schools.org,” AAPS servers automatically scan the message for necessary headers that many scam emails don’t include.
“[Sender Privacy Feedback (SPF)] uses DNS TXT records to list what our specific email servers are,” Kellstrom said. “DomainKeys Identified Mail [also] adds a digital signature to our emails to validate our domain and our domain servers.”
AAPS ITD is not the only support desk that focuses heavily on cybersecurity.
“For more than 20 years, the Department of Homeland Security (DHS) and the Cybersecurity & Infrastructure Security Agency (CISA) have spotlighted the importance of taking daily actions to reduce risks when working online and using connected devices through an annual coordinated theme across the U.S,” Kellstrom said.
While the scam incident died down due to AAPS intervention, it is still important to recognize the importance of cybersecurity and how it helps stop malware from coming into the district.
“Important end-user best practices [to avoid phishing] include: recognizing and reporting phishing, requiring strong passwords, using Multifactor Authentication, updating software, and getting our internal and external stakeholders involved in being cybersafe on the forward-facing side of our organization,” Kellstrom said.
The students who want to report the cybersecurity incidents can email family_techsupport@aaps.k12.mi.us or report using the IncidentIQ system according to the instruction provided by the AAPS IT department.
“[If you receive a scam email,] do not respond to the email,” Kellstrom said. “Even clicking ‘unsubscribe’ can even confirm that your email address is active, leading to more scam emails.”