For many business leaders, September marks a double transition. The kids are back at school, and you’re back to full-speed work mode after the slower pace of summer. But while you make sure uniforms are washed and lunch boxes packed, you also need to focus on catching up with customers, re-energising teams, and pushing towards year-end targets. Cybercriminals use this time of multiple distractions to ramp up their activity and get ready to exploit any weakness.
In fact, the back-to-school season brings a very particular set of cybersecurity risks that business owners and senior leaders often overlook. These threats can affect your personal IT set up, but also your business’s IT set up, especially if your team works from home and blends personal and professional accounts, devices, and workflows.
Why September is prime time for cybercriminals
At ERGOS, we often remind people that hackers don’t just attack technology. They attack behaviours, moments of distraction, and the points in life where we’re most likely to let our guard down. That makes the start of the school year a perfect storm for phishing and social engineering attacks:
- Behaviour changes create openings. You’re suddenly dealing with new school timetables, forms to fill in, fees to pay, and messages from teachers or administrators you may not know personally.
- Urgency and distraction make mistakes more likely. Your inbox is full, your phone keeps pinging, and you’re juggling work deadlines with family logistics.
- Legitimate-looking requests lower your guard. A payment reminder for school meals or a form to “update emergency contacts” sounds reasonable… until it isn’t.
Criminals know this, and they tailor their attacks to blend in with these seasonal communications. The result? Emails and texts that look uncannily genuine, designed to trick you into clicking links, handing over credentials, or installing malware.
The new twist: AI-powered impersonation
Until recently, phishing was mostly about crude emails with bad grammar. Today, thanks to AI, scams can be frighteningly convincing. Deepfake audio, for instance, could let an attacker mimic the voice of your child or their school administrator. A carefully crafted voicemail could claim there’s an urgent issue with a trip, fee, or timetable, asking you to respond quickly which could result in you not checking details.
It’s not hard to imagine AI-generated videos or doctored images entering the mix too. While there hasn’t been widespread use of these tactics in the school context yet, the technology is here, and the cost for attackers is dropping fast.
Why this matters for your business
The boundaries between personal and professional tech use are blurrier than ever. Maybe you access business emails from your personal laptop, or you log into a company platform from the same phone you use for school WhatsApp groups. And if you don’t, maybe someone in your team does.
A phishing attack that compromises your personal account can open a door to corporate systems and cybercriminals know it.
One click on a bogus “school” link could lead to:
- Credential theft if you reuse passwords between personal and business accounts.
- Device compromise if malware is installed on a phone or laptop that is also used for work.
- Supply chain risks if an email or messaging app is hijacked to target colleagues, clients, or suppliers.
In other words, a “harmless” personal scam can become a costly business breach.
How to protect yourself (and your business)
The good news is that with a few deliberate habits, you can dramatically reduce your risk, safeguarding both personal and business data.
Slow down before clicking
Cybercriminals thrive on urgency. If an email or message demands immediate action, take a breath. Check the sender’s address carefully, look for inconsistencies, and compare with past, legitimate communications.
Use trusted links, not email links
If you need to log into a parent portal or make a payment, don’t click the link in the email. Instead, use a bookmark you’ve saved previously or type the address manually. This bypasses fake lookalike websites.
Separate work and personal devices
Where possible, keep work accounts on work devices and personal accounts on personal ones. If you must use one device for both, make sure you have strong endpoint protection installed.
Enable multi-factor authentication (MFA)
Whether it’s your business systems, personal email, or a school payment account, MFA adds a critical layer of security.
Educate your family and your team
Kids aren’t immune to scams, and neither are employees. Share examples of suspicious messages and explain the red flags to watch for. The more people around you who can spot a fake, the safer your environment becomes.
Review your password habits
Avoid reusing passwords between school, personal, and work accounts. A password manager can make it easier to maintain strong, unique credentials.
The leadership mindset shift
For busy business leaders, the temptation is to treat personal cybersecurity as a “home issue” and corporate cybersecurity as something for the IT team to handle. But the reality is that your personal habits are part of your organisation’s attack surface. If you’re distracted, tired, or rushing during the school run, you’re more vulnerable — and so is your business.
Have a safe September
The back-to-school period will always be busy and a bit stressful. But with awareness and a few practical measures, you can stop cybercriminals from adding to the chaos.
Slow down. Verify before you click. Keep work and personal systems separate where you can. And remember: a moment’s pause now could save you from a major security incident later.
After all, the start of the school year should be about fresh beginnings and new opportunities, not falling for a scam that could derail your business plans for the rest of the year.
—
Check out our video with the cybersecurity expert from Connectwise to explore this topic further.