
Responding to Mass Email Threats in Schools: Guidance for Leadership Teams

Recently, several schools reported receiving a threatening email from an anonymous account, claiming planted devices and compromised IT systems. While many of these incidents prove to be hoaxes or part of mass “swatting” campaigns, every threat should be approached with caution and structure.


At First 5 Consulting, we work closely with schools to strengthen their emergency preparedness. Below are best practices your leadership team can follow when evaluating and responding to communications of this nature:


1. Recognize Common Indicators of Hoax or Swatting Emails

Threatening emails often share certain red flags:

  • Generic or newly created accounts.

  • Mass distribution across multiple schools or institutions.

  • Errors and inconsistencies, such as misspellings or vague wording.

  • Lack of direct targeting, with no specific references to your school.

While these signs alone don’t confirm credibility, they provide important context.


2. Maintain Situational Awareness

Evaluate the totality of circumstances:

  • Have there been suspicious observations on campus?

  • Has IT detected unusual network activity?

  • Are there physical indicators, such as unattended items or tampering?

Context is key — these factors help distinguish a hoax from a more serious concern.


3. Convene Your Crisis or Safety Leadership Team

Bring together administration, facilities, IT, and security staff to share information, document facts, and align next steps.


4. Collaborate with Peer Schools

Reach out to nearby or network schools. They may have:

  • Received the same or similar messages.

  • Additional information about the threat’s origin or scope.

  • Regional insights that can aid your decision-making.


5. Engage Law Enforcement When Needed

If concerns persist, provide local law enforcement with:

  • The original message, including email headers. An email header is a hidden section of an email that contains technical details about how and where the message was sent. It includes information like the sender's IP address, the servers it passed through, and the time it was sent. Email headers can help law enforcement or IT teams trace the source of a message.

  • Any site-specific concerns or suspicious activity.

  • Observations from staff or peer schools.

Law enforcement may already be aware of the campaign and can help verify credibility.
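
For IT staff, here is what the header trace described above looks like in practice. This is an added example, not part of the original post: a Python sketch that reads the Received lines of a saved message and lists each relay's IP address and time, earliest hop first. The sample message, hostnames and addresses are constructed for illustration.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not a real message); addresses use documentation ranges.
SAMPLE_EML = """\
Received: from mx.school.example (mx.school.example [198.51.100.10])
\tby mailstore.school.example with ESMTP id 3;
\tMon, 03 Mar 2025 08:15:07 -0500
Received: from relay.mailhost.example (relay.mailhost.example [203.0.113.25])
\tby mx.school.example with ESMTP id 2;
\tMon, 03 Mar 2025 08:15:05 -0500
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby relay.mailhost.example with ESMTPSA id 1;
\tMon, 03 Mar 2025 13:15:02 +0000
From: sender@mailhost.example
To: office@school.example
Subject: constructed sample
Date: Mon, 03 Mar 2025 13:15:00 +0000

(body omitted)
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # IPv4 literals only

def received_hops(raw):
    """Return (ip, utc_time) per Received header, earliest hop first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        info, _, stamp = " ".join(value.split()).rpartition(";")  # unfold
        ips = IPV4.findall(info)
        try:
            when = parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc)
        except (TypeError, ValueError):
            when = None  # hop carries no parseable timestamp
        hops.append((ips[-1] if ips else None, when))
    # Each server prepends its header, so the bottom one is the earliest.
    # Only hops written by your own servers are trustworthy; earlier ones
    # are supplied by outside systems and can be forged.
    return hops[::-1]

if __name__ == "__main__":
    for ip, when in received_hops(SAMPLE_EML):
        print(ip, when.isoformat() if when else "no timestamp")
```

Run it against the message saved in its original form (for example an exported .eml file), since a forwarded copy carries the forwarder's headers rather than the sender's.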


6. Decide Next Steps with Key Stakeholders

After gathering input, determine the most appropriate response. Options include:

  • Increased monitoring and supervision.

  • Internal staff messaging.

  • Adjustments to the school day or security posture.

  • Emergency procedures, if supported by credible evidence.


Final Thoughts

Mass email threats are disruptive, stressful, and unfortunately on the rise. By taking a structured, deliberate approach, schools can minimize disruption while ensuring safety remains the top priority.



 
 
 

2025 By First 5 Consulting Group Inc. All Rights Reserved.