While colleges and universities are meant to educate, perhaps they could use a lesson in cyber crime themselves. A new study finds that nearly 90% of colleges and universities are putting students, alumni, and faculty at risk by not providing protection from email phishing, spoofing, and forgery schemes. As a result, institutes of higher education have become a hunting ground for cyber attackers using phishing scams.
Why are Cyber Criminals Targeting Universities?
The EDUCAUSE Center for Analysis and Research reveals that 562 reported data breaches occurred at 324 higher education institutions between 2005 and 2014. That represents roughly 15.5 million records. So, what makes universities such appealing targets?
- Access to personal data: University databases are a goldmine of information, containing the personal details of thousands of students, including names, addresses, phone numbers, date of birth, social security numbers, driver’s license numbers, financial information, and even medical records.
- Access to research: Many universities house cutting-edge research and development departments that may be U.S. government-funded. This information may be valuable to foreign nations from an economic, intellectual property, or international relations perspective, and many hackers would love to get their hands on it.
- Lack of security: Aside from the aforementioned lack of email protection, universities also must allow students and faculty to bring their own devices onto campus—which can make it extremely difficult to track down and contain the source of any malicious software that may enter the network.
- Budget constraints: This goes hand-in-hand with a lack of security. Colleges’ and universities’ number one goal is to attract new students; one way they do this is by controlling tuition costs. That has traditionally made spending money on email cybersecurity a low priority; potential students are not likely to decide which school to attend based on a school’s IT security and privacy practices.
- Transient nature of universities: Universities have a constantly changing population of students, researchers, academics, and staff. Each year, there is a fresh batch of newcomers who are unfamiliar with one another as well as school policies and procedures.
The Federal Student Aid Phishing Email Scam
So how does a cyber attack usually go down? One scheme growing in popularity involves attempting to gain access to students’ federal student aid (FSA). According to a release from the U.S. Education Department’s Office of Federal Student Aid, multiple colleges and universities have become phishing victims this year (they declined to name names). The department stated that the phishing attacks seek to gain access to student accounts through the student portal, indicating that the attackers have done their research and understand the schools’ use of student portals.
The attacks begin with a phishing email, often regarding a phony university bill that can be conveniently paid through the portal (threat of late fees further increases urgency). Many attacks have proven successful due to student compliance with the email request and the portal’s use of one-factor authentication (requiring only one set of credentials to access the portal). Once the attacker has access, the student’s direct deposit destination is changed to a bank account controlled by the attacker. As a result, Federal Student Aid (FSA) intended for the student is sent directly to the attacker.
The Student Employment Phishing Email Scam
Another phishing email tactic that has duped students out of money is an employment scam; in these cases, scammers contact students on their school accounts recruiting them for non-existent administrative positions. But instead of picking up a little extra cash with a part-time job, students wind up losing what little money they may have saved up.
Students who respond to the phishing scam are mailed or emailed counterfeit checks, with instructions to deposit the check in their personal checking account. The scammer then directs the student to withdraw the funds from their checking account and send a portion, via wire transfer, to a vendor to cover equipment, materials, or software necessary for the position. Once the money is sent, the checks are confirmed to be fraudulent by the bank and the student is out the money; of course, the “equipment or materials” never arrive either. This phishing scam became so prevalent last year that the FBI even released a public service announcement warning about it.
3 Ways Universities Can Protect Themselves from Phishing Emails
No university is safe. Cyber attacks have struck some of the nation’s most preeminent universities, including Harvard, Penn State, and Duke. In fact, according to Duke’s IT Security Office, about 199 million emails were sent to Duke email addresses in July of this year and about 166 million were marked as spam or phishing attempts and blocked. But no matter how strong the defenses, dubious emails still get through. There are a few ways colleges and universities can strengthen their security.
- Use Two-Factor Authentication (2FA): As the Office of Federal Student Aid pointed out, many schools affected by the FSA scam only employed one-factor authentication to access student portals. Two-factor authentication, or 2FA, provides another layer of security. For colleges and universities, this may mean entering a password as usual and then entering a number which uniquely identifies the user to the service. This number changes frequently, often every five minutes or so.
- Educate Students and Staff: Despite their tech-savvy nature, many students aren’t familiar with the sophistication of today’s phishing emails and the various types of phishing emails. While no one is falling for the Nigerian Prince scams of yesterday, an email that appears to come directly from the university is much more likely to be believed. Provide information to all incoming students and staff about the dangers of phishing and what to look out for.
  - Instruct them to navigate directly to the source rather than clicking a link or opening an attachment.
  - Because scammers aren’t known for their grammatical prowess, always use caution when correspondence is littered with typos and errors.
  - Raise an eyebrow if the email has a strong sense of urgency. Phishing attacks want recipients to act fast without thinking, so they’ll often warn that an account has experienced suspicious activity and needs to be checked as soon as possible, or that financial penalties are going to be incurred unless action is taken quickly.
- Use an anti-phishing service: While 2FA and education are helpful, humans are fallible and can act without thinking—making a human firewall for email cybersecurity extremely vulnerable. An anti-phishing service corrects for this by learning legitimate patterns of communication activity between students and staff and red-flagging emails that are truly unknown, suspicious, or malicious. With anti-phishing services, FSA and employment phishing emails would have been immediately red-flagged and quarantined before they could be acted upon.
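The second factor described in the 2FA bullet above (a password, then a number that changes with time) is what RFC 4226 (HOTP) and RFC 6238 (TOTP) standardize. The following is an added example written for this article, not code from the article, from Clearedin, or from any school's portal. It implements HOTP/TOTP verification and wraps it in a hypothetical `StudentPortal` login. Assumptions: a 30-second code step (the RFC 6238 default; the article's "every five minutes" would be `step=300`), a one-step tolerance for clock skew between the server and the student's phone, and that a code, once accepted, cannot be replayed within its window. The secret used in the sample login is the published RFC test-vector secret, not a real credential.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, submitted: str, at_time: float,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the counter whose code matched (checking +/-window steps for clock skew), else None.
    compare_digest keeps the comparison constant-time regardless of where the digits differ."""
    counter = int(at_time // step)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), submitted):
            return counter + delta
    return None


class StudentPortal:
    """Hypothetical two-step login (assumption: not any real portal's design).
    Step 1 checks a salted PBKDF2 password hash; step 2 checks the time-based code and
    refuses a code whose counter is not newer than the last one accepted (no replay)."""

    def __init__(self, step: int = 30):
        self.step = step
        self.users = {}

    def enroll(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "totp_secret": totp_secret,
            "last_counter": -1,
        }

    def login(self, username: str, password: str, code: str, at_time: float) -> str:
        user = self.users.get(username)
        if user is None:
            return "unknown-user"
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
        if not hmac.compare_digest(candidate, user["pw_hash"]):
            return "bad-password"
        matched = verify_totp(user["totp_secret"], code, at_time, self.step)
        if matched is None:
            return "bad-code"
        if matched <= user["last_counter"]:
            return "replayed-code"   # same (or older) code presented again
        user["last_counter"] = matched
        return "ok"


if __name__ == "__main__":
    # RFC 4226/6238 test-vector secret; constructed demonstration, not a real account.
    portal = StudentPortal()
    portal.enroll("student1", "correct horse battery staple", b"12345678901234567890")
    now = 59  # seconds since epoch, so the current counter is 1
    print("expected code:", totp(b"12345678901234567890", now))
    print(portal.login("student1", "correct horse battery staple", "287082", now))  # ok
    print(portal.login("student1", "correct horse battery staple", "287082", now))  # replayed-code
```

The replay check is the part most minimal 2FA add-ons skip: without it, a code captured along with the password on a phishing page stays usable until its step expires, which is exactly the interval the attacker needs to log in to the portal and redirect a direct deposit.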
Want to learn more about anti-phishing services? Clearedin is a leader in phishing email protection, making security hassle-free and affordable (we’re also helping K-12 Parent Teacher Associations stay safe; learn more about that here). Speak with one of our experts and ask about our free trial. Contact Clearedin today and be sure you don’t become the next phishing victim.
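The education bullets above list what a reader should look for (an unfamiliar sender, links that do not go where they say, urgency language), and the anti-phishing bullet describes a service that learns which correspondents are normal for a mailbox and flags the rest. The following added example, written for this article and not Clearedin's or any vendor's code, turns both into a small triage routine over constructed sample messages: a `SenderProfile` learns sender domains from past mail (assumption: a domain seen three or more times, or configured as trusted, counts as known), and `score` collects findings for an unknown sender, a mismatched Reply-To, urgency phrases, links to outside hosts, and anchor text that shows one host while the href points at another. All addresses, domains and message texts are constructed stand-ins on `.example`/`.test`-style names; the `example.edu` school and the verdict thresholds (flag at one finding, quarantine at three) are assumptions for the demonstration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Phrases typical of the "act now" pressure the article describes (constructed list).
URGENCY_PHRASES = ("immediately", "within 24 hours", "late fee", "suspended",
                   "as soon as possible", "urgent")


@dataclass
class Message:
    sender: str                   # From: address
    reply_to: str                 # Reply-To: address
    subject: str
    body: str
    links: List[Tuple[str, str]]  # (anchor text, href) pairs extracted from the HTML body


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def host_of(url: str) -> str:
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


class SenderProfile:
    """Stand-in for the 'learned legitimate patterns' idea: domains this mailbox normally
    hears from, either configured as trusted or seen at least min_count times in history."""

    def __init__(self, trusted_domains: List[str], min_count: int = 3):
        self.trusted = {d.lower() for d in trusted_domains}
        self.min_count = min_count
        self.seen: Counter = Counter()

    def learn(self, history: List[Message]) -> None:
        for m in history:
            self.seen[domain_of(m.sender)] += 1

    def known_domains(self) -> set:
        return self.trusted | {d for d, n in self.seen.items() if n >= self.min_count}

    def host_known(self, host: str) -> bool:
        return any(host == d or host.endswith("." + d) for d in self.known_domains())


def score(msg: Message, profile: SenderProfile) -> Tuple[str, List[str]]:
    """Return (verdict, reasons): 'allow' with no findings, 'flag' for 1-2, 'quarantine' for 3+."""
    reasons: List[str] = []
    sender_domain = domain_of(msg.sender)
    if not profile.host_known(sender_domain):
        reasons.append(f"unknown sender domain {sender_domain}")
    if domain_of(msg.reply_to) != sender_domain:
        reasons.append("Reply-To domain differs from sender domain")
    text = f"{msg.subject} {msg.body}".lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    for anchor, href in msg.links:
        host = host_of(href)
        if not profile.host_known(host):
            reasons.append(f"link to outside host {host}")
        shown = host_of(anchor)
        if shown and shown != host:
            reasons.append(f"link text shows {shown} but points to {host}")
    verdict = "quarantine" if len(reasons) >= 3 else "flag" if reasons else "allow"
    return verdict, reasons


# Constructed sample traffic, not real mail. Three earlier LMS notices teach the profile
# that the LMS vendor's domain is normal here; one alumni newsletter is not enough.
SAMPLE_HISTORY = [
    Message("alerts@canvas-lms.example.com", "alerts@canvas-lms.example.com",
            f"Grade posted {i}", "A grade was posted.", []) for i in range(3)
] + [Message("newsletter@alumni-news.example.org", "newsletter@alumni-news.example.org",
             "Fall newsletter", "Fall news.", [])]

SAMPLE_INBOX = [
    Message("bursar@example.edu", "bursar@example.edu", "Spring statement available",
            "Your spring statement is now available in the student portal.",
            [("Student portal", "https://portal.example.edu/statements")]),
    Message("alerts@canvas-lms.example.com", "alerts@canvas-lms.example.com",
            "New assignment posted", "A new assignment was posted in BIO 101.",
            [("Open Canvas", "https://canvas-lms.example.com/courses/101")]),
    Message("billing@example-edu-pay.example", "billing@example-edu-pay.example",
            "Overdue balance: pay immediately to avoid a late fee",
            "Your account will be suspended. Log in to the student portal and pay now.",
            [("https://portal.example.edu/pay", "https://portal.example-edu-pay.example/login")]),
    Message("hr-recruiter@freemail.example", "apply-now@jobs-reply.example",
            "Part-time administrative assistant, $25/hr",
            "Reply as soon as possible to secure this position. A check will be mailed to cover equipment.", []),
    Message("newsletter@alumni-news.example.org", "newsletter@alumni-news.example.org",
            "Homecoming weekend schedule", "The schedule for homecoming weekend is attached.",
            [("Schedule", "https://alumni-news.example.org/homecoming")]),
]


def triage(inbox: List[Message], history: List[Message],
           trusted: List[str]) -> Dict[str, Tuple[str, List[str]]]:
    profile = SenderProfile(trusted)
    profile.learn(history)
    return {m.subject: score(m, profile) for m in inbox}


if __name__ == "__main__":
    for subject, (verdict, reasons) in triage(SAMPLE_INBOX, SAMPLE_HISTORY, ["example.edu"]).items():
        print(f"{verdict:10s} {subject}")
        for r in reasons:
            print(f"           - {r}")
```

Run as a script it allows the bursar and LMS notices, quarantines both the fake-bill message (unknown sender, urgency, outside link, mismatched link text) and the job offer (unknown sender, foreign Reply-To, urgency), and only flags the alumni newsletter, which has no urgency or deception signals but is not yet a learned correspondent. That last case is the point of the learning step: a rule-only filter either blocks every new sender or none of them, while a per-mailbox profile lets legitimate newcomers earn trust over time.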