UK students are at risk from email scams because many top universities are not following best practices to block fraudulent emails, new research has claimed.
According to a report by cybersecurity firm Proofpoint, 65% of the UK’s top 20 universities were not using any form of an industry-recommended email authentication tool.
It says this could enable cybercriminals to imitate the universities in question easily, placing students applying for higher education after receiving their A-Level results at greater risk of email fraud.
The Domain-based Message Authentication, Reporting and Conformance (DMARC) record is used to verify that an address being used by an email sender is genuine and not an impersonation by cybercriminals.
According to the research, which did not name any of the universities in question, only one in the top 20 was using the recommended level of DMARC protection.
35% were using some form of the tool but below the recommended level.
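The three groups the research describes (no DMARC, some DMARC, DMARC at the recommended level) correspond to what a domain publishes in the TXT record at `_dmarc.<domain>`. The Python below is an added illustration, not part of the Proofpoint report or this article: it classifies a domain's TXT records using the tag names from the DMARC specification (RFC 7489). The category labels and the sample records are constructed, and the article does not say which policy level the report treats as recommended.

```python
# Added example: classify the DMARC posture of a domain from the TXT
# records found at _dmarc.<domain>. Tag names follow RFC 7489; the
# category labels returned here are this example's own (assumption).

POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Return {tag: value} for a DMARC record, or None if txt is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and must be exactly v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:  # skip malformed fragments instead of failing the record
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def classify(txt_records):
    """Map the TXT records at _dmarc.<domain> to a posture label."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(records) != 1:
        return "no-policy"      # none published, or several (ambiguous)
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        return "invalid"        # record exists but states no usable policy
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100               # unparseable pct falls back to the default
    if not 0 <= pct <= 100:
        pct = 100
    if policy == "none":
        return "monitor-only"   # reports are collected, nothing is blocked
    if pct < 100:
        return "partial-" + policy  # policy applied to a share of failures
    return policy

# Constructed sample records (example.ac.uk is a placeholder domain).
SAMPLES = {
    "spf only": ["v=spf1 include:_spf.example.ac.uk -all"],
    "monitoring": ["v=DMARC1; p=none; rua=mailto:dmarc@example.ac.uk"],
    "partial": ["v=DMARC1; p=quarantine; pct=25"],
    "enforced": ["v=DMARC1; p=reject; sp=reject; adkim=s"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(f"{label:12} -> {classify(records)}")
```

A `p=none` record only requests reports, so mail that fails the check is still delivered; only `quarantine` or `reject` tells receiving servers to act on it.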
Proofpoint’s vice president of threat operations Kevin Epstein said the company was concerned that online criminals would use the anticipation of communication from universities around A-Level results day to trick students into sharing personal data.
“By not implementing simple, yet effective email authentication best practices, universities may be unknowingly exposing themselves and their students to cybercriminals on the hunt for personal data,” he said.
“Email continues to be the vector of choice for cybercriminals.
“Proofpoint researchers found that the education sector saw the largest year-over-year increase in email fraud attacks of any industry in 2018, soaring 192 percent to 40 attacks per organisation on average.
“Institutions and organisations in all sectors should look to deploy authentication protocols, such as DMARC, to shore up their email fraud defences.
“Cybercriminals are always going to leverage key events to drive targeted attacks using social engineering techniques such as impersonation, and universities are no exception to this.
“Ahead of A-Level results day, student applicants must be vigilant in checking the validity of all emails, especially on a day when guards are down, and attentions are focused on their future.”
Epstein said that, given the number of emails that would be sent on A-Level results day, it was inevitable that some students would be targeted by phishing scams.
He encouraged them to be cautious of any communication attempts that request log-in details or threaten to suspend a service or account if a link isn’t clicked.
In response to the research, the National Cyber Security Centre (NCSC) said the majority of cybersecurity incidents were caused by a lack of awareness, and so it worked closely with universities and other education bodies to improve their security measures and provide information on best practices.
“NCSC experts work closely with the academic sector to improve their security practices and help protect education establishments from cyber threats,” a spokesperson for the centre said.