Education sector most frequent target of sextortion scams

Research by Barracuda has found that 55% of sextortion and blackmail phishing targets the education sector

Research by data protection company Barracuda has revealed that 55% of sextortion and blackmail phishing attacks the education sector, making it the most frequently targeted.

The overwhelming focus on the education sector is calculated, explained Barracuda’s report. Since educational institutions often have a large number of users, as well as a diverse and young user base that may be less likely to seek help and advice, education institutions are an obvious target for scammers.


Related news: In 2018, the Secureworks Counter Threat Unit discovered a large-scale phishing campaign targeting 76 universities located in 14 countries


A sextortion scam is one where stolen passwords are used by attackers to trick users into paying Bitcoin to avoid compromising personal information being leaked. Such information can include video and images taken from the individual’s computer.

Attackers harvest email addresses and passwords, and use them in a threatening email to add to the victim’s fears. Often, attackers will spoof their victim’s email address and pretend to have access to it in order to make the attack even more convincing. Payment demands usually involve Bitcoin, with wallet details included in the message.

Being able to recognise attacks and feel comfortable reporting them should be part of any education institution’s security awareness training programme

Emails often originate from high-reputation senders and IPs, such as previously compromised Office365 and Gmail accounts, and so pass through gateways to the victim’s inbox.

The attackers’ emails rarely contain malicious links or attachments that trigger traditional gateways, and messages will often be varied and personalised to make it difficult for spam filters to detect them.

Security awareness training is essential to help guard against students and staff becoming embroiled in such scams, says Barracuda. Being able to recognise attacks and feel comfortable reporting them should be part of any education institution’s security awareness training programme.

More information on how to guard against such phishing scams can be found at blog.barracuda.com