It’s the time of year where universities are sending more emails than normal as they make preparations to welcome students back in the fall and relay updates on their plans to transition to remote learning.
Staff and students need to be aware though; hackers will use this ‘back to school’ momentum and will likely be impersonating trusted universities in phishing attacks to try and steal intellectual property as well as students’ valuable personal and financial information.
It is, therefore, worrying that nearly all of the top 20 universities in the US and the UK are potentially at risk of having their institution’s domain impersonated by scammers in phishing emails.
“40% of the top 20 US universities are not using DMARC records.”
In fact, Tessian’s researchers reveal that 40% of the top 20 US universities and 30% of the top 20 UK universities are not using Domain-based Message Authentication, Reporting & Conformance (DMARC) records.
And while the other universities we analyzed have published a DMARC record, their DMARC policies had not been set to ‘quarantine’ or ‘reject’ emails from unauthorized senders using their domains. Just 10% of the top 20 UK universities had DMARC set to the strictest settings to prevent domain abuse.
Why does this matter?
Without DMARC records in place, or without having DMARC policies set at the strictest settings, hackers can easily impersonate a university’s email domain in phishing campaigns, convincing their targets that they are opening a legitimate email from a fellow student, professor or administrator at their university.
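The distinction the survey above draws (no record, a record with a monitoring-only policy, and a record enforced with ‘quarantine’ or ‘reject’) can be checked mechanically from the contents of a domain’s `_dmarc` TXT record. The following is an added example, not Tessian’s tooling: it parses a DMARC record, rates how far it actually protects the domain, and tallies ratings across a set of domains the way the percentages in the text were derived. The domains and records are constructed samples, not real university records.

```python
"""Rate the strength of DMARC records (added example, not Tessian's code).

The records below are constructed samples for fictional domains; in
practice the record is the TXT record at _dmarc.<domain>.
"""

# Constructed sample TXT records keyed by fictional domain (None = no record).
SAMPLE_RECORDS = {
    "no-record.example.edu": None,
    "monitor-only.example.edu": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example.edu",
    "partial.example.edu": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example.edu",
    "strict.example.edu": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strict.example.edu",
    "lax-subdomains.example.edu": "v=DMARC1; p=reject; sp=none",
}

ENFORCING = ("quarantine", "reject")


def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of lower-cased tag -> value.

    Returns None when the record is absent or is not a DMARC1 record
    (for example an SPF record returned by mistake).
    """
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Return (rating, findings).

    rating is 'missing', 'monitoring', 'partial' or 'enforced'; findings
    is a list of plain-language reasons the record falls short.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "missing", ["no valid DMARC record: the domain can be spoofed directly"]

    findings = []
    p = tags.get("p", "none").lower()          # p is required; treat absence as none
    if p not in ENFORCING:
        findings.append("p=%s: failing mail is only reported, never blocked" % p)
        return "monitoring", findings

    rating = "enforced"
    pct_raw = tags.get("pct", "100")            # default per RFC 7489 is 100
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if pct < 100:
        findings.append("pct=%d: only %d%% of failing mail is subject to the policy" % (pct, pct))
        rating = "partial"

    sp = tags.get("sp", p).lower()              # sp defaults to p when absent
    if sp not in ENFORCING:
        findings.append("sp=%s: subdomains are not enforced and can be spoofed" % sp)
        rating = "partial"

    if p == "quarantine":
        findings.append("p=quarantine: spoofed mail is sent to spam rather than rejected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    return rating, findings


def summarize(records):
    """Count domains per rating, the way a survey percentage is computed."""
    counts = {"missing": 0, "monitoring": 0, "partial": 0, "enforced": 0}
    for record in records.values():
        counts[assess_dmarc(record)[0]] += 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        rating, findings = assess_dmarc(record)
        print("%-28s %-10s %s" % (domain, rating, "; ".join(findings)))
    print(summarize(SAMPLE_RECORDS))
```

Only records rated ‘enforced’ correspond to the “strictest settings” the survey counts; a published record with `p=none`, a reduced `pct`, or a weaker `sp` still leaves room for direct impersonation.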
From that phishing email, hackers could lure staff or students to a fake website that has been set up to steal account credentials or request that their targets send personal or financial information. Against the backdrop of “back to school” and the shift to hybrid learning environments (with some universities restricting access to campuses), it wouldn’t seem out of the ordinary for a university to request this information. Students, therefore, may not realise they are being scammed – especially if the email domain looks legitimate.
Configuring email authentication records like DMARC, and setting policies to the strictest settings, are necessary measures for preventing attackers from directly impersonating your company’s email domain.
However, organizations also need to be aware that DMARC is not a silver bullet and hackers will find ways around it.
“Email authentication records like DMARC are necessary measures for preventing attackers from directly impersonating your company’s email domain. But DMARC does have its downsides.”
Why isn’t DMARC enough to prevent impersonation?
Firstly, DMARC records are inherently public, and an attacker can use this information to select their targets and attack methods, simply by identifying organizations without an effective DMARC record.
Even if your company has a strict DMARC policy in place, the attacker can still carry out an advanced spear phishing attack by registering look-alike domains, betting on the fact that a busy employee or distracted student will miss the slight deviation from the original domain.
Secondly, while your organization might have DMARC in place, your external contacts may not. This means that while your company domain is protected against direct impersonation, your employees may be vulnerable to impersonation of external contacts like partners, suppliers or government bodies.
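DMARC cannot help with the look-alike domains described above, because those domains are under the attacker’s control and can pass authentication. What a receiving organization can do is flag inbound senders whose domain closely resembles one it trusts. The following is an added example, not Tessian’s product logic: a small check that normalizes common character substitutions, computes edit distance against a list of trusted domains, and labels a sender domain as trusted, look-alike or unrelated. The trusted domain and the test senders are constructed placeholders.

```python
"""Flag sender domains that resemble a trusted domain (added example, not Tessian's code)."""

# Constructed placeholder for the institution's own domains.
TRUSTED_DOMAINS = ("example-university.edu",)

# Single-character substitutions that are easy to miss at a glance.
_DIGIT_MAP = str.maketrans("0135", "oles")


def normalize(domain):
    """Lower-case and fold common look-alike substitutions ('rn' for 'm', '1' for 'l', ...)."""
    d = domain.lower().strip(".")
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(_DIGIT_MAP)


def edit_distance(a, b):
    """Levenshtein distance between two strings (classic two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender_domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike' or 'unrelated' for a sender domain.

    Exact matches and genuine subdomains are trusted (DMARC handles those).
    Anything that matches only after normalization, sits within max_distance
    edits, or reuses the trusted name under a different suffix is a look-alike.
    """
    raw = sender_domain.lower().strip(".")
    for t in trusted:
        t = t.lower()
        if raw == t or raw.endswith("." + t):
            return "trusted"
    for t in trusted:
        tn = normalize(t)
        s = normalize(raw)
        if s == tn or edit_distance(s, tn) <= max_distance:
            return "lookalike"
        name = tn.split(".")[0]
        if s.split(".")[0].startswith(name):
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample senders, as they might appear in a mail log.
    for sender in ("example-university.edu", "mail.example-university.edu",
                   "examp1e-university.edu", "example-univeristy.edu",
                   "example-university-edu.com", "totally-different.org"):
        print("%-30s %s" % (sender, classify_sender(sender)))
```

A result of ‘lookalike’ is a reason to warn the recipient or hold the message for review, not proof of fraud; legitimate third parties occasionally use similar names, so the threshold and the trusted list should be tuned to the institution.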
What can you do to avoid being targeted by these scams?
As universities plan to welcome students back next month – and inundate inboxes with updates between now and then – it’s critical that they take action to build robust security measures that can protect their staff and students against email scams.
Here are some top tips to help you avoid the back-to-school scams.
Cybersecurity tips for universities:
- Assess email security policies and solutions: Are they robust enough to spot sophisticated spear phishing attacks?
- Enable multi-factor authentication: This easy-to-implement security precaution helps prevent unauthorized individuals from accessing systems and data in the event a password is compromised.
- Increase awareness: Make staff and students aware of potential scams and provide advice on what they should look out for (for example, carefully inspect deviations in the email domain and inspect URLs).
- Ask staff and students to report incidents: Security and IT teams have a better chance of remediating new threats and preventing future ones.
Cybersecurity tips for faculty, staff and students:
- Think before you share: Never share direct deposit details or your personal information like your Social Security number on an unfamiliar website.
- Think before you click: If anything seems unusual, do not follow or click links or download attachments.
- Verify the request: If you receive an email from your university asking for urgent action, question its legitimacy and if you’re not sure, contact the university directly to verify the request.
- Report threats to the university: Security and IT teams will be able to investigate incidents and take action to prevent similar threats in the future.