Questions mount after phishing email appears sent from PUP address
Margret Dianne Fermin Posted on 2025-12-31 09:01:14
December 31, 2025 - Concerns have been raised after an education-related email address was reportedly used to send spam messages, prompting questions about cybersecurity in academic institutions.
On December 26, a Reddit user shared that they received an email claiming to be from a digital bank, stating their device had been “registered.” The message appeared to come from “Maya Alerts” but was actually sent from an address registered to the Polytechnic University of the Philippines (PUP). The sender was identified as “istecsecretariat@pup.edu.ph.”
The email included a disclaimer instructing recipients to notify the sender immediately and delete the communication if received in error. It further stated: “The Polytechnic University of the Philippines is neither liable for the proper and complete transmission for any delay in its receipt.” The Reddit user reacted by posting: “Scammer from PUP? Forgot to change the email?” suggesting that the sender may have forgotten to change the originating address before sending the fraudulent message.
This incident follows a broader pattern of phishing attempts targeting educators and institutions. In November 2025, the Teachers’ Dignity Coalition warned that over 100 teachers had been victimized by phishing scams using official Department of Education (DepEd) email accounts. Messages urged teachers to verify accounts by registering phone numbers or clicking suspicious links, leading to financial losses.
DepEd has since issued advisories reminding personnel not to click on unknown links or respond to unsolicited emails. A March 2025 memorandum emphasized vigilance, noting that phishing emails falsely claim accounts are at risk of deletion and urge immediate verification.
Cybersecurity experts stress that the misuse of institutional email addresses undermines trust and exposes both staff and students to risks. They recommend stronger authentication protocols, regular monitoring of email systems, and awareness campaigns to help users identify suspicious communications.
The PUP case highlights the urgent need for educational institutions to strengthen digital safeguards. With scammers increasingly exploiting trusted domains, authorities warn that vigilance and proactive measures are essential to protect the integrity of academic communications.
If Even School Emails Can Be Used, No One Is Safe Anymore
This incident signals a disturbing shift in how scams operate. This is no longer about random messages from suspicious accounts. This is about trusted systems being turned against the people who rely on them.
When an academic email domain can be used to send scam messages, the old rules of digital safety no longer apply. The usual advice to “check the sender” loses its power. The assumption that institutional emails are safe is broken. That should alarm everyone.
Scammers are no longer just pretending to be banks or delivery services. They are infiltrating spaces built on trust. Schools, hospitals, and government offices are becoming unwitting platforms for fraud. That is a new level of vulnerability.
This changes the stakes. If students and teachers cannot trust their own institutional emails, then digital communication itself becomes suspect. Fear and doubt replace confidence, and that weakens how institutions function.
The response cannot stop at warnings to users. The burden must shift to institutions to harden systems, audit access, and respond transparently when breaches occur. Silence only feeds suspicion.
The reality is stark. If scammers can weaponize school domains, no sector is immune. The question now is not who might be targeted next, but who is prepared and who is pretending this is still business as usual.
