Only 15 percent of the UK’s top 20 universities have implemented the recommended and strictest level of DMARC (Domain-based Message Authentication, Reporting & Conformance) protection, the “reject” policy that tells receiving mail servers to discard messages failing authentication, which prevents cybercriminals from spoofing the universities’ domains and reduces the risk of email fraud.
That’s according to research from Proofpoint, which says this leaves students, staff and suppliers open to email fraud from 85 percent of the UK’s top universities.
With a record number of new students set to attend university this autumn, combined with hybrid approaches to online learning and COVID restrictions on international travel, this time of high stress and unfamiliar surroundings provides a prime opportunity for cybercriminals to capitalise on the increase in email communication to trick students with phishing emails.
“Our research has shown that many UK universities are still exposing people to cybercriminals on the hunt for personal and financial data by not implementing simple, yet effective email authentication best practices,” said Adenike Cosgrove, cybersecurity strategist, International, Proofpoint. “Email continues to be the vector of choice for cybercriminals and the education sector remains a key target.”
Cybercriminals regularly use domain spoofing to pose as well-known organisations and companies, sending emails whose sender address appears to belong to the legitimate organisation. These emails are designed to trick people into clicking on links or sharing personal details, which can then be used to steal money or identities.
Proofpoint says it can be almost impossible for an ordinary Internet user to tell a fake sender from a real one. By publishing the strictest level of DMARC – “Reject” – universities instruct receiving mail servers to block fraudulent emails before they reach their intended targets, protecting their students, staff, and partners from cybercriminals looking to impersonate their brand.
Proofpoint conducted a similar study in July 2019 ahead of A-level results day, and although some progress has been made, few universities have yet implemented the recommended level of protection.
Key findings from the research include:
- Encouragingly, more than two thirds of the universities analysed have taken initial steps to protect their customers from email fraud, with 70% publishing a DMARC record. This is a 100% increase since 2019 and shows that many top universities have started their DMARC journey; however, a record alone does not block anything, and much more needs to be done to actively protect email users from attacks impersonating these universities.
- Only 15 percent have implemented the recommended and strictest level of DMARC protection (reject), which actually blocks fraudulent emails from reaching their intended targets, meaning 85 percent are leaving students open to email fraud.
- Of the 20 universities analysed, 6 had no DMARC record, meaning they have not taken any steps towards implementing this simple yet powerful form of authentication.
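The three buckets above (no record, record published but not enforcing, reject) are exactly what a DMARC checker reports. The following is an added example, not code from the article or from Proofpoint: it parses the TXT record published at `_dmarc.<domain>` and sorts each domain into those buckets, and also flags the two settings that quietly weaken a “reject” policy, a `pct=` below 100 and a softer subdomain policy (`sp=`). The domains and records are constructed for illustration and are not the study’s data.

```python
"""Classify DMARC records into the enforcement buckets the study reports on.

Added example (not the article's or Proofpoint's code). Records are parsed
from strings so it runs offline; the sample domains below are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Relative strength of the three DMARC policies (p= / sp= values).
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcResult:
    domain: str
    record: Optional[str]
    tags: Dict[str, str] = field(default_factory=dict)
    bucket: str = "no record"  # no record | invalid | none | quarantine | reject
    warnings: List[str] = field(default_factory=list)


def parse_dmarc(domain: str, record: Optional[str]) -> DmarcResult:
    """Classify the TXT record found at _dmarc.<domain> (None = no record)."""
    res = DmarcResult(domain=domain, record=record)
    if record is None:
        return res
    order: List[str] = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            res.warnings.append(f"ignored malformed tag {part!r}")
            continue
        key, value = part.split("=", 1)
        key = key.strip().lower()
        order.append(key)
        res.tags[key] = value.strip()
    # RFC 7489: the record must start with v=DMARC1 and carry a p= tag;
    # anything else is not a DMARC record and receivers ignore it.
    if not order or order[0] != "v" or res.tags["v"].upper() != "DMARC1":
        res.bucket = "invalid"
        res.warnings.append("record does not start with v=DMARC1; receivers ignore it")
        return res
    policy = res.tags.get("p", "").lower()
    if policy not in STRENGTH:
        res.bucket = "invalid"
        res.warnings.append("missing or unknown p= tag; receivers ignore the record")
        return res
    res.bucket = policy
    # pct= defaults to 100; a lower value applies the policy to only a sample
    # of failing mail, so "p=reject; pct=10" lets 90% of spoofs through.
    pct = res.tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        res.warnings.append(f"pct={pct}: policy applied to only part of failing mail")
    # sp= defaults to p; a weaker sp leaves every subdomain spoofable.
    sub = res.tags.get("sp", policy).lower()
    if STRENGTH.get(sub, -1) < STRENGTH[policy]:
        res.warnings.append(f"sp={sub} is weaker than p={policy}: subdomains unprotected")
    if "rua" not in res.tags:
        res.warnings.append("no rua= address: no aggregate reports on who is spoofing you")
    return res


def summarise(results: List[DmarcResult]) -> Dict[str, int]:
    """Count domains per bucket, as the study's headline figures do."""
    counts: Dict[str, int] = {}
    for r in results:
        counts[r.bucket] = counts.get(r.bucket, 0) + 1
    return counts


# Constructed sample records for hypothetical domains (not real universities).
SAMPLE_RECORDS = {
    "uni-a.example": None,
    "uni-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@uni-b.example",
    "uni-c.example": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@uni-c.example",
    "uni-d.example": "v=DMARC1; p=reject; sp=none",
    "uni-e.example": "v=DMARC1; p=reject; rua=mailto:dmarc@uni-e.example",
    "uni-f.example": "v=spf1 include:_spf.example -all",  # SPF, not DMARC
}

if __name__ == "__main__":
    results = [parse_dmarc(d, r) for d, r in SAMPLE_RECORDS.items()]
    for r in results:
        print(f"{r.domain:16} {r.bucket:10} {'; '.join(r.warnings)}")
    print(summarise(results))
```

To check a real domain, fetch the record with `dig +short TXT _dmarc.<domain>` and pass the quoted string to `parse_dmarc`. Only the `reject` bucket with no warnings corresponds to the fully enforcing setup the article recommends; `p=none` is monitoring only, and `uni-f.example` shows the common mistake of an SPF record sitting where a DMARC record should be.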
Cosgrove added: “Organisations in all sectors should deploy authentication protocols, such as DMARC, to shore up their email fraud defences. Cybercriminals pay close attention to major trends and will drive targeted attacks using social engineering techniques such as impersonation, and universities are no exception to this. As the university term begins, students and staff must be vigilant in checking the validity of all emails, especially when levels of uncertainty and anticipation are higher at the beginning of a new term.”
Proofpoint recommends students and other individuals follow the below top tips to remain safe online:
- Use strong passwords: Do not reuse the same password across accounts. Consider using a password manager to make your online experience seamless whilst staying safe. Use multi-factor authentication for an added layer of security.
- Watch out for “lookalike” sites: Attackers create “lookalike” sites imitating familiar brands and institutions. These fraudulent sites may pose as a credible establishment, be infected with malware, or steal money or credentials.
- Dodge potential phishing and smishing attacks: Phishing emails lead to unsafe websites that gather personal data, such as credentials and credit card details. Watch out for SMS phishing too (known as ‘smishing’), as well as messages through social media.
- Don’t click on links: If you receive correspondence from a university over email, Proofpoint recommends going directly to the university’s website by typing the known web address into your browser.