It’s the time of year where universities are sending more emails than normal as they make preparations to welcome students back in the fall and relay updates on their plans to transition to remote learning.
Staff and students need to be aware though; hackers will use this ‘back to school’ momentum and will likely be impersonating trusted universities in phishing attacks to try and steal intellectual property as well as students’ valuable personal and financial information.
It is, therefore, worrying that nearly all of the top 20 US universities are potentially at risk of having their institution’s domain impersonated by scammers in phishing emails.
In fact, Tessian’s researchers reveal that 40% of the top 20 US universities are not using Domain-based Message Authentication, Reporting & Conformance (DMARC) records. And while the other universities we analysed have published a DMARC record, the DMARC policies had not been set up to ‘quarantine’ or ‘reject’ any emails from unauthorized senders using its domains.
Without DMARC records in place, or without having DMARC policies set at the strictest settings, hackers can easily impersonate a university’s email domain in phishing campaigns, convincing their targets that they are opening a legitimate email from a fellow student, professor or administrator at their university.
From that phishing email, hackers could lure staff or students to a fake website that has been set up to steal account credentials or request that their targets send personal or financial information. Against the backdrop of “back to school” and the shift to hybrid learning environments (with some universities restricting access to campuses), it wouldn’t seem out of the ordinary for a university to request this information. Students, therefore, may not realise they are being scammed – especially if the email domain looks legitimate.
Configuring email authentication records like DMARC, and setting policies to the strictest settings, are necessary measures for preventing attackers from directly impersonating your company’s email domain.
However, organizations also need to be aware that DMARC is not a silver bullet and hackers will find ways around it.
Firstly, DMARC records are inherently public, and an attacker can use this information to select their targets and attack methods, simply by identifying organizations without an effective DMARC record.
If your company has a strict email policy in place, the attacker can still carry out an advanced spear phishing attack by registering look-a-like domains, betting on the fact that a busy employee or distracted student may miss the slight deviation from the original domain.
Secondly, while your organization might have DMARC in place, your external contacts may not. This means that while your company domain is protected against direct impersonation, your employees may be vulnerable to impersonation of external contacts like partners, suppliers or government bodies.
As universities plan to welcome students back next month – and inundate inboxes with updates between now and then — it’s critical that they take action to build robust security measures that can protect their staff and students against email scams.
Here are some top tips to help you avoid the back to school scams.