A New Front Line: AI & 'The Com'

Cybersecurity in 2026 is a psychology game as much as a technical one. We must continue training our staff to spot social engineering, and we must protect our pupils by giving them the critical tools to navigate an AI-saturated world.

The 60-Second Briefing

  • Safer Internet Day 2026: The theme is "Smart Tech, Safe Choices," focusing on the responsible use of AI. We need to move from merely using AI to verifying it, teaching pupils that these models can be confidently wrong.
  • "The Com": A decentralised, English-speaking ecosystem of adolescent cybercriminals is targeting UK schools. Driven by "clout" rather than just money, they use social engineering to bypass technical defences.
  • MFA Vulnerability: Authenticator apps are no longer bulletproof. New Adversary-in-the-Middle kits can intercept your 6-digit codes in real time.
  • Strategic Action: FIDO2 security keys are the only true defence against these attacks because they are cryptographically bound to the real URL.

As I sat in the office this first week of February, watching the status lights in the server room, I realised we had reached a fork in the road for school safeguarding.

This Tuesday marks Safer Internet Day, and for the first time, the conversation has moved entirely past "don't talk to strangers". The 2026 theme is "Smart Tech, Safe Choices," and it centres squarely on the AI agents our pupils are interacting with every day.

I find the timing poignant. While we are teaching our pupils how to use AI ethically in the classroom, a much darker side of the digital world is actively recruiting them into a cybersecurity Cold War.

Verification as a Survival Skill

We have all seen the excitement around AI tutors, but this year's safeguarding resources from the UK Safer Internet Centre highlight a growing gap in pupil literacy.

The focus is no longer on banning these tools but on building digital resistance: teaching pupils that AI is a tool, not a person, and that cognitive offloading – letting the machine do all the thinking – is a path to losing their own critical reasoning skills.

I have been telling some of my SLT colleagues that our new duty of care involves monitoring the emotional engagement pupils have with these bots. The DfE’s new safety standards even require products to detect signs of "learner distress" and flag high-risk prompts directly to DSLs.

The Threat of "The Com"

But while we focus on the positive uses of AI, we cannot ignore the "Weaponised Loneliness" report that dropped last week. It details a loosely organised, English-speaking network known as "The Com" (The Community).

This is not a traditional gang of adult hackers in some distant basement; it is a sprawling ecosystem of 11-to-25-year-olds who treat cybercrime as a clout-based social sport. They recruit through gaming platforms like Roblox and Discord, targeting neurodiverse or socially excluded children and grooming them into a toxic culture of digital violence.

What makes "The Com" a major problem for our sector is their native English language skills and cultural intuition. They are masters of social engineering; they don't need to hack their way in when they can talk their way in by impersonating an urgent pupil on a call to the IT Helpdesk.

Why Your MFA App is Failing

Most of us have spent the last few years moving staff away from SMS codes to authenticator apps. This was meant to stop SIM swapping, which is essentially a high-tech mugging where an attacker tricks a mobile provider into porting your number to their SIM card.

Once they own your number, they intercept your SMS reset codes and walk right into your accounts. While apps like Microsoft Authenticator solved that problem, they are now being defeated by a new nightmare scenario:

"The Com" uses Adversary-in-the-Middle (AitM) phishing kits. A senior staff member receives a convincing call from "the helpdesk" and is sent to a fake login page that looks identical to your real school portal. When the individual enters their password and the 6-digit code from their app, the attacker’s kit intercepts them instantly. Because they have the code in real time, they can log in to the real system before the code expires.

Authenticator apps and push notifications cannot stop this because the user is effectively handing the keys to a thief disguised as a locksmith. This is how major UK retailers and transport networks have been crippled recently. 

The only true defence is moving your inner circle (SLT, Finance, HR and IT admins) to FIDO2 hardware security keys. These physical keys are phishing-resistant because they are cryptographically bound to your school's actual URL.
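To make the difference concrete, here is an added example (not from the report or any vendor's code) of what the server checks in each case: a TOTP verifier has no input that says which page the code was typed into, while a WebAuthn relying party checks an origin that the browser, not the user, writes. The hostnames are constructed placeholders, and the signature check that stops these fields being forged is noted in a comment but not implemented, because the Python standard library has no public-key verification.

```python
import base64, hashlib, hmac, json, struct

RP_ID = "portal.school.example"        # constructed relying-party ID (assumption)
EXPECTED_ORIGIN = "https://" + RP_ID

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the scheme behind 6-digit authenticator codes."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    # Only the shared secret and the clock are inputs. Nothing records where the
    # user typed the code, so a code relayed from a fake page verifies the same.
    return hmac.compare_digest(totp(secret, unix_time), submitted)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def client_data(origin: str, challenge: bytes) -> bytes:
    """Model of the clientDataJSON a browser builds for a WebAuthn sign-in."""
    fields = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return json.dumps(fields).encode()

def authenticator_data(rp_id: str) -> bytes:
    """First 37 bytes of authenticatorData: rpIdHash | flags | signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + struct.pack(">I", 1)

def verify_webauthn_binding(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> str:
    """Relying-party checks that tie an assertion to the real site."""
    # A real server must also verify the key's signature over
    # auth_data + SHA-256(client_data_json); that step is outside this example.
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "reject: wrong type"
    if cd.get("challenge") != b64url(challenge):
        return "reject: challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "reject: origin mismatch"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return "reject: rpIdHash mismatch"
    return "ok"
```

In a real browser the lookalike page would not get this far: the credential is scoped to the relying-party ID, so the key is never offered on a different domain.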

The Physical Cost of Digital Failure

If you think this is all theoretical, just look at the post-mortem of the Higham Lane School cyberattack in Nuneaton at the beginning of January. This wasn't just about lost files; the attack deactivated their electronic gates and fire alarms, forcing a two-week total site closure because it was physically unsafe to open.

In the independent sector, where we are already managing the VAT control shock, we cannot afford this kind of operational paralysis. Insurers are now moving away from simple questionnaires to demanding audit-level proof of privileged access governance before they will even offer us a quote.

Conclusion

My advice to my peers this month is to stop being AI ostriches and start leading with a strategy of purposeful integration.

Trust no one and verify everyone, every time. I am also recommending a move to FIDO2 hardware keys for senior and high-risk staff. At roughly £30 per key, securing your high-value accounts is a low-cost, high-impact move.

Ultimately, cybersecurity in 2026 is a psychology game as much as a technical one. We must continue building those human firewalls by training our staff to spot social engineering, and we must protect our pupils by giving them the critical tools to navigate an AI-saturated world.

The cybersecurity Cold War is here, and Safeguarding 2.0 has begun. Let's make sure our schools are the safe havens our pupils need.

See you in the digital staffroom.