Fake emails and how machine learning can help intercept them

Armen Najarian, CMO at Agari, discusses the threat of phishing emails to universities, and how machine learning can be employed to help thwart them

Educational institutions can find themselves, their students and partners targets of cyber fraudsters in myriad ways. From targeting students to gain access to university systems, to spoofing suppliers to induce payments, email is the most common method criminals use to defraud universities – and methods are becoming ever more sophisticated. 

For example, well-known phishing campaigns use spoof emails, appearing to come from a university’s Finance Department, to induce students to click a link with the promise of receiving a funding award. More recently, Iranian hackers used phishing emails sent to students across 14 countries, including the UK, to gain access to research and library resources. The estimated cost of this attack to the universities is £2.6bn.

In fact, in August 2018 Action Fraud issued a warning that UK universities are increasingly being targeted by cyber criminals spoofing university email addresses to defraud suppliers. Fraudsters imitating one university’s address led to a total victim loss of over £350,000.

Thankfully, the technological solutions designed to prevent such attacks are becoming more sophisticated, and more readily available.

Free standards backed by government are a front-line defence

For example, government-backed DMARC (Domain-based Message Authentication, Reporting, & Conformance) is a free email security standard designed to combat email spoofing.

The benefit for universities is that DMARC provides email recipients with proof that the sender is truly from their institution. This means universities can protect their email domains and gain visibility on where their domains are being used fraudulently.

Adopting DMARC should be the first step university IT leaders take to protect against email spoofing and phishing. In fact, it is now possible to easily check which universities are using DMARC. That’s worth considering if you are part of an institution not listed – think about who else can see that and whether they might categorise your institution as an easy target.
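Publishing a DMARC record is not the same as enforcing one, so a check of this kind needs to read the policy as well as confirm the record exists. The sketch below is an added example, not code from Agari or from any checking service mentioned here; it grades the TXT record found at _dmarc.<domain> using the standard DMARC tags (v, p, sp, pct, rua). The function names and sample records are constructed for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_tags(txt):
    """Split a DMARC TXT record into a lower-cased tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags.setdefault(key.strip().lower(), value.strip())
    return tags


def assess_dmarc(txt):
    """Return (status, notes) for the TXT record at _dmarc.<domain> (None if absent)."""
    if not txt:
        return "missing", ["no record: receivers get no policy for spoofed mail"]
    if txt.split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        return "invalid", ["record must start with v=DMARC1"]
    tags = parse_tags(txt)
    policy = tags.get("p", "").lower()
    pct = tags.get("pct", "100")
    if policy not in VALID_POLICIES or not pct.isdigit():
        return "invalid", ["missing or malformed p= / pct= tag"]
    notes = []
    if "rua" not in tags:
        notes.append("no rua=: no aggregate reports showing who sends as this domain")
    if policy == "none":
        return "monitoring", notes + ["p=none: spoofed mail is reported but still delivered"]
    sub_policy = tags.get("sp", policy).lower()  # subdomains inherit p= when sp= is absent
    if int(pct) < 100:
        notes.append(f"pct={pct}: policy applied to only part of failing mail")
    if sub_policy == "none":
        notes.append("sp=none: subdomains are left unprotected")
    partial = int(pct) < 100 or sub_policy == "none"
    return ("partial" if partial else "enforcing"), notes


# Constructed sample records (not real university DNS data).
SAMPLES = {
    "no-record.example": None,
    "watching.example": "v=DMARC1; p=none",
    "rollout.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@rollout.example",
    "locked.example": "v=DMARC1; p=reject; rua=mailto:dmarc@locked.example",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(domain, *assess_dmarc(record))
```

A domain graded "monitoring" appears in a list of DMARC adopters yet still lets spoofed mail through; only "enforcing" gives receivers an instruction to quarantine or reject it.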

The success of DMARC has led a consortium of industry leaders, including Agari, Google, Microsoft and Yahoo!, to further develop this technology. BIMI (Brand Indicators for Message Identification) is a new email standard that enables organisations to assign their logo visibly to emails and other online communications as a badge of authenticity. Not only does this help people easily spot and avoid fraudulent email, it also gives university marketers a new opportunity to put the university’s brand in front of current and potential students.

Universities keen to adopt the latest email standards can join BIMI’s beta tests and benefit early from this new security standard.

While DMARC and BIMI adoption should be considered a first-line defence against email attacks, these tools only go so far. They cannot, for example, protect against Business Email Compromise (BEC) attacks from third-party senders including vendors and supply chain partners. These sophisticated methods of social engineering are becoming the most popular method of attack used by cyber criminals.

Grooming and impersonation are impervious to traditional filters

BEC attacks see fraudsters convincingly impersonate a colleague, often a senior department head, to get an employee to transfer funds or sensitive information. These are highly targeted attacks, not the easy-to-spot mass attempts of traditional phishing campaigns.

BEC spoofers come armed with abundant information about their victims and so can create emails that are convincing in their detail and insight. Using social media, university news and reports available online, they can produce credible, perfectly targeted emails that are almost impossible for the receiver to tell apart from the emails they usually receive from colleagues or partners. Sometimes a BEC attack involves meticulous grooming over weeks or even months to gain the trust of an unsuspecting mark.

This detailed and informed targeting makes it very difficult for traditional spam filters and basic email security tools to identify and block these messages. It also makes it very hard for the recipient to spot the signs of a fake.  

Is machine learning making the grade?

This is where next-generation security tools come into their own. With much hype around AI and machine learning (ML), email security is one area where the hype has been translated into practical tools.

While criminals are becoming adept at email-based imitation, there are still behavioural signals that give them away. These signals may be too subtle for the average human eye to recognise, but using data analysis and machine learning, these subtle signals become red flags.

However, machine learning is not an instant miracle solution. It must be fed the correct data and trained in the right way. A machine learning solution that has been given data that is outdated, incomplete, inaccurate, or too low in volume will be unable to make the right connections and identify patterns effectively.

Equally it would be a mistake to try and train a machine learning solution based on spotting the use of certain keywords and email structures. With criminals continually evolving their tactics, any lessons learnt from this data would quickly become outdated and useless.

As such, smart ML-powered security solutions will focus on identifying what ‘good’ email behaviour looks like rather than focusing on only the ‘bad’. In an environment such as a university, such ‘good’ behaviours will follow patterns that ML technologies can use to understand the DNA of the sector’s email environment. 
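The contrast between modelling 'good' behaviour and matching 'bad' keywords can be shown with a small added example (not Agari's product logic or any vendor's code). A plain lookup of previously seen sender behaviour stands in for a trained model; the two signals used, the keyword list and all messages are assumptions constructed for illustration.

```python
from collections import defaultdict
from email.utils import parseaddr

# Constructed history of legitimate mail: (From header, Reply-To header or "").
HISTORY = [
    ("Dr Jane Smith <j.smith@uni.example>", ""),
    ("Dr Jane Smith <j.smith@uni.example>", ""),
    ("Accounts Payable <ap@supplier.example>", "ap@supplier.example"),
]

BAD_WORDS = ("lottery", "password", "click here")  # hypothetical stale keyword list


def keyword_filter(body):
    """The 'bad'-focused approach: flag only when a known keyword appears."""
    return any(word in body.lower() for word in BAD_WORDS)


class GoodBaseline:
    """Remember which addresses each display name uses and where replies go."""

    def __init__(self, history):
        self.addrs_for_name = defaultdict(set)
        self.reply_domains = defaultdict(set)
        for from_hdr, reply_to in history:
            name, addr, reply_domain = self._split(from_hdr, reply_to)
            self.addrs_for_name[name].add(addr)
            self.reply_domains[addr].add(reply_domain)

    @staticmethod
    def _split(from_hdr, reply_to):
        name, addr = parseaddr(from_hdr)
        addr = addr.lower()
        reply = (parseaddr(reply_to)[1] or addr).lower()  # no Reply-To: replies go to From
        return name.strip().lower(), addr, reply.rsplit("@", 1)[-1]

    def deviations(self, from_hdr, reply_to=""):
        """List the ways a new message departs from the learned 'good' pattern."""
        name, addr, reply_domain = self._split(from_hdr, reply_to)
        flags = []
        known = self.addrs_for_name.get(name)
        if known and addr not in known:
            flags.append("known display name from unseen address")
        if addr in self.reply_domains and reply_domain not in self.reply_domains[addr]:
            flags.append("replies diverted to a new domain")
        return flags


if __name__ == "__main__":
    baseline = GoodBaseline(HISTORY)
    body = "Hi, are you at your desk? I need a payment sent today."  # constructed
    print(keyword_filter(body), baseline.deviations("Dr Jane Smith <jane.smith@mail.example>"))
```

The constructed message contains none of the listed keywords, so the keyword filter passes it, while the baseline flags it because a known colleague's name arrives from an address never seen before.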

When considering tools to protect staff and students against ever-more sophisticated attacks, a good place to start is to explore how the solution is adopting and embracing AI and machine learning to keep pace with new threats. While simple solutions may provide a base-level of protection against common phishing attempts, they won’t deal with an increasingly targeted approach by criminals.

Although UK universities lead much of the research into future security technologies, it is often hard for their IT departments to keep up with the real-world demands of maintaining security in the face of evolving attacks. The importance of working with experts and partners who can help manage this new world should not be underestimated.

Gone are the days of universities alone on campuses with academics in ivory towers. IT leaders on the front line know better than anyone that when it comes to cybercrime, the gates are very much open, and they must be the keepers that defend students, staff, funds and vital research alike.
