Almost two thirds (65 percent) of the UK’s top 20 Universities have no published DMARC (Domain-based Message Authentication, Reporting & Conformance) record, making them potentially more susceptible to cybercriminals spoofing their identity and increasing the risk of email fraud for students.
With a record 40 percent (236,350) of UK school leavers applying for higher education places this year, students will be eagerly awaiting email correspondence regarding their applications on A Level results day (August 15).
However, research undertaken by Proofpoint suggests cybercriminals may be capitalising on this anticipation of email from Universities to trick students with fraudulent messages that appear to come from a university domain.
“By not implementing simple, yet effective email authentication best practices, Universities may be unknowingly exposing themselves and their students to cybercriminals on the hunt for personal data,” said Kevin Epstein, VP of Threat Operations at Proofpoint. “Email continues to be the vector of choice for cybercriminals. Proofpoint researchers found that the education sector saw the largest year-over-year increase in email fraud attacks of any industry in 2018, soaring 192 percent to 40 attacks per organisation on average.”
Key findings from the research include:
- 65 percent of the top 20 UK University domains currently have no published DMARC record, leaving them open to impersonation attacks
- Whilst 35 percent of the top 20 UK Universities have published a DMARC record, only five percent have implemented the strictest and recommended level of DMARC protection (a reject policy), which actually blocks fraudulent emails from reaching their intended target; the remainder are in monitoring or quarantine mode, so spoofed messages can still be delivered
Epstein added: “Institutions and organisations in all sectors should look to deploy authentication protocols, such as DMARC to shore up their email fraud defences. Cybercriminals are always going to leverage key events to drive targeted attacks using social engineering techniques such as impersonation and universities are no exception to this. Ahead of A Level results day, student applicants must be vigilant in checking the validity of all emails, especially on a day when guards are down, and attentions are focused on their future.”
Reacting to the research, Rob Norris, VP Enterprise and Cyber Security at Fujitsu, said: “In what is soon to be one of the busiest times for higher and further education in the UK, university applications are ripe for the picking for cyber criminals looking to spoof university domain emails. For those applying or waiting for important emails to come through, prospective students want to be safe in the knowledge that their university is doing everything possible to ensure that their personal data is not exploited.
“In order to effectively manage threats for the institution and individuals, universities must keep pace with cyber attack threats and the measures that can help organisations to protect against phishing and cyber attacks more effectively and efficiently. Whilst universities have a balance to strike between functionality and security, there are some simple measures that can be implemented that should be part of their security DNA as they build in new ways to serve their students and potential students.
“With attacks on educational institutions on the rise, universities now need to offer the same protection and guarantees to their students as big companies do to their clients and customers.”
Best Practice for students:
- Students should check the validity of all email communication and be aware of potentially fraudulent emails impersonating education bodies.
- Students should be cautious of any communication that requests log-in credentials or threatens to suspend a service or an account if a link isn’t clicked.
- Students should follow best practice for password hygiene, including using strong passwords, changing them frequently and never re-using them across multiple accounts.
For many organisations, the road to easing email fraud risk is paved with DMARC (Domain-based Message Authentication, Reporting and Conformance), an email authentication protocol being adopted globally as the passport control of the email security world.
DMARC lets a domain owner publish a policy in DNS (a TXT record at _dmarc.<domain>) that tells receiving mail servers what to do with messages whose From: address uses that domain but fails authentication: p=none (deliver and report only), p=quarantine (treat as suspicious, typically spam-foldered) or p=reject (refuse delivery). It builds on the established DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) standards: a message passes DMARC only if it passes SPF or DKIM and the domain that passed aligns with the domain in the visible From: header, which is the field a recipient actually sees. The record can also name addresses for aggregate and forensic reports, so the domain owner learns who is sending mail in its name. A record with p=none provides visibility but blocks nothing; only an enforcing policy protects employees, customers, partners and, in this case, students from cybercriminals impersonating a trusted domain.
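The checks described above can be reproduced against any domain by reading its _dmarc TXT record. The following is an added example written for this page, not tooling from Proofpoint or any university: it parses DMARC records in the RFC 7489 tag=value syntax, grades each one into the categories the research uses (missing, monitoring only, partially enforced, fully enforcing) and lists the caveats a reviewer would raise. The domain names and record contents are constructed samples, and the grading categories are this example's own labels rather than terms defined by the standard.

```python
"""Parse DMARC TXT records and grade them the way the article's findings do.

Added example: illustrative code, not Proofpoint's or any university's tooling.
Domain names and record contents below are constructed samples.
"""
from __future__ import annotations

from collections import Counter

VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample TXT records as they would be returned for the
# _dmarc.<domain> name (hypothetical domains, not real institutions).
SAMPLE_RECORDS: dict[str, str | None] = {
    "_dmarc.example-a.ac.uk": "v=DMARC1; p=reject; rua=mailto:dmarc@example-a.ac.uk; pct=100",
    "_dmarc.example-b.ac.uk": "v=DMARC1; p=none; rua=mailto:dmarc@example-b.ac.uk",
    "_dmarc.example-c.ac.uk": "v=DMARC1; p=quarantine; pct=20; sp=none",
    "_dmarc.example-d.ac.uk": None,  # nothing published at all
    "_dmarc.example-e.ac.uk": "v=spf1 include:_spf.example.net -all",  # SPF record misplaced at _dmarc
}


def parse_dmarc(txt: str) -> dict[str, str] | None:
    """Split a TXT record into RFC 7489 tag=value pairs.

    Returns None when receivers would ignore the record: the first tag must be
    exactly v=DMARC1, p= must be present with a known value, sp= (if present)
    must be a known value, and pct= (if present) must be an integer 0..100.
    """
    parts = [p.strip() for p in txt.split(";")]
    parts = [p for p in parts if p]
    if not parts:
        return None
    tags: dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    first_key, _, first_val = parts[0].partition("=")
    if first_key.strip().lower() != "v" or first_val.strip() != "DMARC1":
        return None
    if tags.get("p") not in VALID_POLICIES:
        return None
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        return None
    if "pct" in tags:
        if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
            return None
    return tags


def effective_policy(tags: dict[str, str], *, subdomain: bool = False) -> str:
    """Policy a receiver applies: sp= overrides p= for mail from subdomains."""
    if subdomain and "sp" in tags:
        return tags["sp"]
    return tags["p"]


def grade(txt: str | None) -> str:
    """Map a record to the article's categories (labels are this example's own).

    missing   - no record: nothing tells receivers to reject spoofed mail
    invalid   - a record exists but is malformed; receivers treat it as missing
    monitor   - p=none: reports only, spoofed mail is still delivered
    partial   - quarantine, or reject applied to only part of the mail (pct<100)
    enforcing - p=reject at pct=100: the strictest level, which blocks spoofing
    """
    if txt is None:
        return "missing"
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid"
    policy = tags["p"]
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "monitor"
    if policy == "reject" and pct == 100:
        return "enforcing"
    return "partial"


def weaknesses(txt: str | None) -> list[str]:
    """Caveats a reviewer would raise even for a record that parses."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return []
    notes: list[str] = []
    if "rua" not in tags:
        notes.append("no rua= address: the domain receives no aggregate reports")
    if tags["p"] != "none" and int(tags.get("pct", "100")) < 100:
        notes.append(f"pct={tags['pct']}: policy applied to only that share of failing mail")
    if tags["p"] != "none" and effective_policy(tags, subdomain=True) == "none":
        notes.append("sp=none: subdomains can still be spoofed")
    return notes


def adoption_summary(records: dict[str, str | None]) -> dict[str, int]:
    """Count domains per grade, the shape of the article's key findings."""
    return dict(Counter(grade(txt) for txt in records.values()))


if __name__ == "__main__":
    for name, txt in SAMPLE_RECORDS.items():
        print(f"{name:26} {grade(txt):10} {'; '.join(weaknesses(txt))}")
    print(adoption_summary(SAMPLE_RECORDS))
```

To run this against a live domain, fetch the record with `dig +short TXT _dmarc.<domain>` (strip the surrounding quotes) and pass the string to `grade` and `weaknesses`; the parser deliberately returns None for anything a receiver would ignore, since a malformed record gives exactly the same protection as no record.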