Only 15% of the UK’s top 20 universities have enforced the recommended and strictest level of DMARC (Domain-based Message Authentication, Reporting and Conformance) protection, which defends learning communities from cybercriminals looking to carry out email fraud, according to research published today by cybersecurity and compliance firm Proofpoint.
The lack of adequate protective measures across the UK higher education (HE) sector is cause for concern, since the study shows that even the top-performing institutions in the country are not doing enough to keep their communities safe online. The new study shows that students, staff and suppliers from 17 (85%) of the nation’s top 20 universities have been left vulnerable and open to email fraud.
According to the university admissions service Ucas, a record number of students are set to attend university this autumn. This, paired with the stress and unfamiliarity of newly implemented blended learning methods (mixing in-person and virtual teaching) and COVID restrictions still hindering international travel, makes the new semester an ideal time for cybercriminals looking to exploit the surge in email communication to trick students with phishing emails.
“Our research has shown that many UK universities are still exposing people to cybercriminals on the hunt for personal and financial data by not implementing simple, yet effective email authentication best practices,” said Adenike Cosgrove, cybersecurity strategist at Proofpoint. “Email continues to be the vector of choice for cybercriminals and the education sector remains a key target.”
Domain spoofing is frequently the attack method of choice, allowing cybercriminals to pose as well-known organisations and companies via an email that appears to come from a legitimate email address. These messages are designed to mislead people into clicking on links or sharing personal information, which can then be used to steal money or identities.
It can be hard for an ordinary internet user to distinguish a fake sender from a real one, but with strict DMARC in place, universities can actively block harmful emails that spoof their domain from reaching their targets.
Proofpoint conducted a similar study in 2019 ahead of A-level results day, and while some progress has been made, few universities have implemented the recommended levels of protection.
That said, more than two-thirds of the institutions analysed have taken the preliminary steps needed to keep their communities safe from email fraud, with 70% publishing a DMARC record. This is a 100% increase since 2019, but demonstrates that, while many top universities have started their DMARC journey, more still needs to be done.
Of the 20 universities examined in the study, six had no DMARC record at all, meaning they have not yet taken any steps towards implementing this form of authentication.
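As an added illustration (not Proofpoint's methodology or code), the following Python classifies a domain's DMARC posture from the TXT record published at `_dmarc.<domain>` into the tiers the study counts: no record at all, a record that only monitors, partial enforcement, and full enforcement. The domain names and records are constructed samples, and the mapping of `p=reject` at 100% to the study's "strictest level" is an assumption.

```python
# Added example: classify a domain's DMARC posture from its _dmarc TXT record.
# Constructed sample records for hypothetical domains; a real check would
# query the TXT record at _dmarc.<domain> via DNS instead of this dict.
SAMPLE_DNS = {
    "uni-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@uni-a.example"],
    "uni-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@uni-b.example"],
    "uni-c.example": ["v=DMARC1; p=quarantine; pct=50"],
    "uni-d.example": [],                 # no DMARC record published at all
    "uni-e.example": ["v=spf1 -all"],    # a TXT record, but not a DMARC one
}


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record, or None if it is not one."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # A DMARC record must carry v=DMARC1; anything else (e.g. SPF) is ignored.
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def dmarc_posture(domain, dns=SAMPLE_DNS):
    """Classify a domain as 'none' (no record), 'monitor' (p=none),
    'partial' (quarantine, or reject applied to <100% of mail) or
    'enforced' (p=reject for all mail), the strictest setting."""
    records = [r for r in dns.get(domain, []) if parse_dmarc(r)]
    if not records:
        return "none"
    tags = parse_dmarc(records[0])
    policy = tags.get("p", "none").lower()   # missing p is treated as none
    try:
        pct = int(tags.get("pct", "100"))    # pct defaults to 100 when absent
    except ValueError:
        pct = 100
    if policy == "reject" and pct == 100:
        return "enforced"
    if policy in ("reject", "quarantine"):
        return "partial"
    return "monitor"


def summarize(domains, dns=SAMPLE_DNS):
    """Count how many domains fall into each posture tier, as the study does."""
    counts = {"enforced": 0, "partial": 0, "monitor": 0, "none": 0}
    for domain in domains:
        counts[dmarc_posture(domain, dns)] += 1
    return counts
```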
Cosgrove continues: “Organisations in all sectors should deploy authentication protocols, such as DMARC, to shore up their email fraud defences. Cybercriminals pay close attention to major trends and will drive targeted attacks using social engineering techniques such as impersonation, and universities are no exception to this. As the university term begins, students and staff must be vigilant in checking the validity of all emails, especially when levels of uncertainty and anticipation are higher at the beginning of a new term.”
Proofpoint recommends that students and other individuals follow the top tips below to remain safe online:
- Use strong passwords: do not reuse the same password twice. Consider using a password manager to make your online experience seamless, whilst staying safe. Use multi-factor authentication for an added layer of security.
- Watch out for ‘lookalike’ sites: attackers create ‘lookalike’ sites imitating familiar brands and institutions. These fraudulent sites may pose as a credible establishment, be infected with malware, or steal money or credentials.
- Dodge potential phishing and smishing attacks: phishing emails lead to unsafe websites that gather personal data, such as credentials and credit card details. Watch out for SMS phishing too (also known as ‘smishing’), as well as messages sent through social media.
- Don’t click on links: if receiving correspondence from a university over email, Proofpoint recommends going directly to the university’s website by typing the known web address into the browser.