It’s an unfortunate reality that the education sector is a prime target for phishing scams; in fact a recent freedom of information (FoI) study conducted by Duo Security revealed that 70% of UK universities have fallen victim to phishing attacks in the past year. Phishing is one of the most cost-effective ways for hackers to gain access to user credentials: phishing emails will typically include a link which will direct the user to a website where they are instructed to enter personal information. Once this information is submitted to the phishing page, attackers can use the information to gain access to applications, steal personal data, or profit by selling this data to other criminals. Worryingly, phishing is also one of the main vehicles through which hackers will deliver ransomware onto a network. The barrier to entry is also very low, as using a malicious phishing tool doesn’t demand a great deal of skill.
What makes the education sector such a prime target is, no doubt, its large, diverse user base – including students, faculty, governors and even parents. Universities hold a large amount of information such as sensitive personally identifiable information (PII), payment details and valuable grant funded research all of which can prove to be valuable to motivated attackers.
Awareness is Key
Attacks are becoming increasingly sophisticated, mimicking legitimate emails to dupe their targets into clicking on various links. Earlier this year, the UK’s Fraud and Cybercrime Centre, Action Fraud, warned of a phishing scam specifically targeting UK university staff. The bogus emails claimed that the recipient was due for a pay increase, then directed them to click on a link and enter financial details and university login credentials. This happens more than you might think: recent analysis from simulated phishing campaigns* with more than 80,000 recipients found that 62% of campaigns captured at least one person’s username or password. Nearly half, 44%, of recipients opened the email and 25% of recipients clicked the link.
While employees in corporate organisations may have received awareness training, many students won’t have the same experience in identifying and reporting phishing attacks. Similarly, unless you’re involved with the information security industry and can stay on top of the ever-evolving tactics attackers use, you’re less likely to recognise the tell-tale signs of a phishing email.
To overcome this, universities should create internal awareness and education programmes within their institution. Teaching users how to spot, report and prevent phishing attacks and emails can be a great way to reduce the risk of falling prey to such attacks. Universities can assist this by setting up dedicated web pages that flag ongoing phishing attacks for students and, whenever a phishing attack is detected as targeting their university, the IT Team can send out alerts for students. Universities must have a good channel of communication for this to be beneficial for both parties and need to make sure these alerts are not a form of one-way conversation, but instead, have an open dialogue with users.
From a technical point of view, it’s often difficult for IT teams at universities to set different controls on computers and mobile devices to protect against phishing attacks. In a corporate environment, IT teams can install controls and security on employee workstations whereas IT teams in the education sector need to strike a balance between a student’s privacy, and the control and visibility of devices connecting to the network. However, this comes with its drawbacks. The network environment within education can be rife with security vulnerabilities, from outdated systems to compromised student devices. Students who connect with their personal devices introduce a large attack surface that can be near impossible to monitor and control.
Avoiding the Phishing Trap
There are multiple security strategies that institutions can put in place within their networks to help prevent users from falling victim to a phishing email.
â— Adopt a defence-in-depth strategy – Success depends on having layered security controls that are placed throughout a system to keep its users secure. This, coupled with education for users, can be a step in the right direction.
â— Go back to basics – Universities should make sure their users have strong passwords and know how to identify rogue links and emails.
â— Implement two-factor authentication (2FA) on critical applications – Phishing attacks typically aim to steal users’ credentials which are then used by attackers to access applications. Implementing a 2FA solution ensures that stolen credentials can’t be used by attackers to access an institution’s most critical applications.
â— Keep systems up-to-date – Attackers prey on the vulnerabilities of un-patched and out-of-date software. Identifying any old software on corporate devices, and encouraging students and faculty staff to update software on personal devices can reduce the risk of compromise.
Vigilance is key and educational institutions need to focus on effective defence strategies to reduce the risk of credential theft via phishing. It’s important to have the cyber hygiene basics in place, and, with such a large and diverse user base, educating students and staff in how to identify suspicious emails will also help to safeguard against future phishing attempts.