Universities and colleges are a target-rich environment for phishing attacks. With thousands of new students matriculating every year, there is always a large population that has not yet learned the community it has joined, the systems it uses, or what legitimate communication from those systems looks like.
Inexperienced students are not the only phishing targets. Email addresses for staff and faculty are published widely so that people outside the university can contact them. Despite supporting thousands of users, universities' information security teams are typically small, with limited budgets and personnel to protect these distinct user groups against a wide range of email-borne threats.
Students Targeted with Phishing Scams
While every email user sees generic phishing, such as broad-based brand impersonations of FedEx or Amazon package notifications, the phishing aimed at organizational email users, such as students at a university or college, can be quite different. Many students entering college have never encountered a targeted phishing attack, so they arrive with a high degree of trust. Their familiarity with Google Drive and other collaboration tools, combined with that default trust, makes them more susceptible to phishing that harvests credentials or delivers malware.
These targeted attacks wear many disguises, though universities report a number of recurring scams. Some are basic brand impersonation attacks: emails that contain little more than a malicious link and a line such as "You have a Zoom meeting." or "You must confirm your Google credentials to continue." A user who clicks the link lands on a credential-harvesting page or a malware download.
Students are also targeted for financial fraud and identity theft. A student's valid Social Security number, paired with little or no credit history, is exactly what bad actors need to open fraudulent bank accounts, credit cards, and other lines of credit in the victim's name.
One example was an employment scam that emailed students an invitation to apply for a job as a company brand ambassador. A number of students responded. Professional-sounding correspondence went back and forth between the attacker and the students until the attacker invited them to "complete the hiring process" and submit information for a routine background check. The students handed over their Social Security numbers, dates of birth, and other personal information, and never heard from the attacker again. The attacker walked away with a fresh set of stolen identities.
Faculty and Staff Singled Out for Access to Sensitive Data
Email addresses for faculty and staff are often posted online so that current and prospective students, research collaborators, grant organizations, and others can reach them easily. That also makes it trivially easy for anyone with ill intent to send them malicious email. The sheer volume of messages they receive adds to the problem: it can fatigue even the most seasoned staffer into clicking a suspicious link or opening an untrusted attachment.
While faculty and staff may be hit with the same scams, they are more often targeted for the access they hold to university resources. Troves of personal data, proprietary research, and other intellectual property make educational institutions a lucrative target. Access to extensive alumni databases, health and medical research records, and patentable engineering and software discoveries is ample motivation for attackers to craft highly personalized spear-phishing attacks. Across all industries, spear-phishing attacks rose 127%, and universities are not immune.
Universities’ Email Security Needs
Information security teams at universities often have limited resources relative to the scope of their task. With email use and data sharing on the rise, one of their central challenges is defending a heavily targeted, easily reachable, and trusting population against a growing volume of email attacks.
Detecting and remediating the phishing, ransomware, and scams that begin in email is table stakes. Beyond that, information security teams need solutions that respect their time: tools that are quick to configure and do not demand constant tuning, vendors with the expertise to assist in researching and responding to identified risks, bulk remediation to clean up efficiently when large numbers of students fall for the same scam, and in-the-moment user education that reduces risk while supporting the institution's mission.