UK students are at risk from email scams because many top universities are not following best practices to block fraudulent emails, new research has claimed.
According to a report by cybersecurity firm Proofpoint, 65% of the UK’s top 20 universities were not using any form of an industry-recommended email authentication tool.
It says this could enable cybercriminals to imitate the universities in question easily, placing students applying for higher education after receiving their A-Level results at greater risk of email fraud.
The Domain-based Message Authentication, Reporting and Conformance (DMARC) record is used to verify that an address being used by an email sender is genuine and not an impersonation by cybercriminals.
According to the research, which did not name any of the universities in question, only one in the top 20 was using the recommended level of DMARC protection.
35% were using some form of the tool but below the recommended level.
Proofpoint’s vice president of threat operations Kevin Epstein said the company was concerned that online criminals would use the anticipation of communication from universities around A-Level results day to trick students into sharing personal data.
“By not implementing simple, yet effective email authentication best practices, universities may be unknowingly exposing themselves and their students to cybercriminals on the hunt for personal data,” he said.
“Email continues to be the vector of choice for cybercriminals.
“Proofpoint researchers found that the education sector saw the largest year-over-year increase in email fraud attacks of any industry in 2018, soaring 192 percent to 40 attacks per organisation on average.
“Institutions and organisations in all sectors should look to deploy authentication protocols, such as DMARC to shore up their email fraud defences.
“Cybercriminals are always going to leverage key events to drive targeted attacks using social engineering techniques such as impersonation and universities are no exception to this.
“Ahead of A-Level results day, student applicants must be vigilant in checking the validity of all emails, especially on a day when guards are down, and attentions are focused on their future.”
Epstein said given the amount of emails that would be sent on A-Level results day it was inevitable that some students would be targeted by phishing scams.
He encouraged them to be cautious of any communication attempts that request log-in details or threaten to suspend a service or account if a link isn’t clicked.
In response to the research, the National Cyber Security Centre (NCSC) said the majority of cybersecurity incidents were caused by a lack of awareness, and so it worked closely with universities and other education bodies to improve their security measures and provide information on best practices.
“NCSC experts work closely with the academic sector to improve their security practices and help protect education establishments from cyber threats,” a spokesperson for the centre said.
