Heading to university? Watch out for a surge in phony emails about your studies

As hundreds of thousands of prospective students await emails confirming university places, a study reveals that the majority of institutions haven't implemented safeguards against email spoofing and phishing attacks.
Written by Danny Palmer, Senior Writer

Universities are putting new and prospective students at risk of phishing and cybercrime because they're failing to take steps to prevent their domains being used to spoof emails.

The study by cybersecurity company Proofpoint comes a little over a week before prospective students across the UK receive their A-Level exam results and find out if they've got the grades to attend their chosen universities.

Around 250,000 students will be waiting for confirmation from universities that they've had their place accepted – but researchers found that just one of the UK's top 20 universities has implemented full-scale DMARC (Domain-based Message Authentication, Reporting & Conformance).


This email authentication protocol allows domain owners to protect their domain from email spoofing and other unauthorised use. But despite repeated advice about how it can protect users from the vast majority of phishing emails, adoption remains poor.

Just one third of the top 20 UK universities have published a DMARC record and only one has implemented the strictest and recommended level of DMARC protection, which blocks the fraudulent emails from being delivered to their intended target at all.

Meanwhile, two-thirds of the top universities haven't implemented DMARC at any level, and with prospective students waiting to receive confirmation of their university places, it's likely that this leaves tens of thousands of potential targets for cyber criminals who want to conduct phishing attacks.
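The postures the study counts (no record, a published record, the strictest level) can be told apart from the TXT record published at _dmarc.<domain>. The sketch below is an added example, not part of the original article or Proofpoint's study; the tag names (v, p, pct) come from the DMARC specification, RFC 7489, and the domains and records are constructed.

```python
# Added example: classify DMARC posture from the TXT records at _dmarc.<domain>.
# Tag names (v, p, pct) are from RFC 7489; all domains and records are constructed.
VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if txt is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and its value is case-sensitive.
    if not parts or "".join(parts[0].split()) != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_level(txt_records):
    """Map the TXT records found at _dmarc.<domain> to a protection level."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if not records:
        return "no record"
    if len(records) > 1:
        return "invalid"  # receivers do not apply DMARC when several records exist
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid"
    if policy == "none":
        return "monitor only"  # reports only; no action requested on failing mail
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() and int(pct) <= 100 else 100
    # pct below 100 applies the policy to only a sample of failing mail.
    return policy if pct == 100 else f"{policy} (partial, {pct}%)"

SAMPLE = {  # constructed records, keyed by the domain they protect
    "uni-a.example": ["v=spf1 -all"],  # a TXT record, but not a DMARC one
    "uni-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@uni-b.example"],
    "uni-c.example": ["v=DMARC1; p=quarantine; pct=50"],
    "uni-d.example": ["v=DMARC1; p=reject"],
}

def survey(sample):
    """Classify every domain in the sample."""
    return {domain: dmarc_level(records) for domain, records in sample.items()}

if __name__ == "__main__":
    for domain, level in survey(SAMPLE).items():
        print(f"{domain:16} {level}")
```

Only the plain "reject" result corresponds to the strictest level described above; "monitor only" means a record is published but receivers are not asked to block anything.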

Attackers posing as universities could ask students for their email login credentials, their bank information, or other personal data, which can be exploited in further attacks or sold to other criminals. 

"Phishers love urgency, they love circumventing rational processes and an acceptance letter from a university is kind of a big deal – it's hard to put an envelope in front of someone and say don't open it, you want to tear it open, physically or virtually. It's a perfect storm of conditions," Kevin Epstein, VP of threat operations at Proofpoint, told ZDNet.

The protective power of DMARC was recently demonstrated in the National Cyber Security Centre's second annual threat report, where it prevented one particular malicious email sent to over 200,000 potential victims from ever reaching their inboxes.

Like many others, it's likely that universities are running their IT and security operations with a lack of resources and staff, but Epstein argued that implementing DMARC is one of the simplest things that can be done to protect against current and prospective students being targeted with email-based attacks.

"Everything in business and IT is a trade-off. I've yet to meet anyone in our industry who says 'I have plenty of resources and infinite budget'," he said.

"If you have no lock on your door, please tend to that first! However, if you want to add a dead-bolt, now is a great time to consider prioritising DMARC because it is a very useful tool in our defence against email attacks. It really provides a solid first layer of defence at a low investment," Epstein added.

Phishing remains the most successful means of cyberattack, but Proofpoint has offered some advice to students waiting for their results which could stop them falling victim to A-Level results-day-themed campaigns.

That includes being cautious of any communication that requests log-in credentials or threatens to suspend a service or account if a link isn't clicked, and double-checking the validity of all email communications by checking where the message claims to be from.

Proofpoint's warning over cyberattacks targeting universities comes shortly after current and prospective students of Lancaster University had personal data stolen by a hacker.

