Wilson said there are several types of back-to-school scams. First, there's phishing, to which education credit unions are especially susceptible at the start of a new school year. Cybercriminals who obtain teachers' union email lists can hit members with spear phishing attacks, which requests a union member update his or her information and lures him or her to a fake page designed to capture usernames, passwords and personal credentials.

Second, a tuition wire scam coaxes money out of victims by convincing them they have an unpaid tuition bill.

“We have seen scams where people posing as the school send an email soliciting bank transfer details for tuition,” Wilson warned.

Finally, during the back-to-school months, criminals are likely to instigate a common email fraud scheme that involves sending a message that promises a reward, such as a gift card from a major retailer. Criminals ask their victims to complete a survey, which includes personal information such as home addresses, Social Security numbers and birthdays. Once the fraudsters have enough details, they use the survey applicant's data to apply for credit cards.

More sophisticated criminals use a similar tactic to install malware on the victim's computer. This typically involves the use of an undetected key logger that captures information typed by the victim – including URLs, user names and passwords – and sends it off to the criminal.

Wilson added that cybercriminals can easily spoof websites that lack email authentication by engaging in a little social engineering.

Agari builds data-driven security solutions that eliminate email as a channel for cyberattacks and enables businesses and consumers to interact safely. Wilson maintained that by working with Agari, companies can take back control of their domains and prevent spoofing.

“We leveraged some open standards that allow people to authenticate their email,” he said.

These open standards include Sender Policy Framework, Distributed Component Object Model, and Domain-based Message Authentication, Reporting and Conformance.

DMARC is an email validation system designed to detect spoofed emails by allowing receiving mail exchangers to ensure incoming mail, including their attachments, originates from an authorized domain. It also confirms whether the email has been modified while in transport.

Very large financial institutions, while targeted often, appear to have strong email security postures. But Wilson pointed to an upswing in targeted attacks against credit unions, including large ones.

One of Agari's customers is a California credit union. Agari monitored all emails originating from the credit union and other legitimate senders. Many organizations outsource email senders, especially for marketing or recruiting campaigns.

Afterwards, Agari mapped out the credit union's entire email ecosystem.

“We figured out which sources of mail were legitimate and which were not, and if they were following the proper authentication standards,” he said.

Agari then helped the credit union publish the DMARC reject policy once all the emails were properly identified using the SPF and DCOM standards.

“If I can't pose as that credit union anymore in an email, the criminal is going to just move up the street and take the next credit union that isn't protected,” Wilson said.

The hosted, cloud-based DMARC service blocks phishing attacks on behalf of Agari's customers, which include some of the largest financial institutions, social media companies and consumer brands in the world.

“Primarily, it is about understanding your entire email ecosystem, making sure it is authenticated and then flipping the switch so nobody else can pose as you,” Wilson added.

He also revealed that in 2014, Agari blocked about 18 million CryptoLocker infections, a form of ransomware.