Protecting University Students and Faculty from Phishing Scams
Phishing attacks are causing significant financial losses. Here are some prevention tips for institutions of higher education
Every day, university phishing attacks trick college students and administrators into giving up their private credentials, revealing sensitive information that can lead to violations under the Family Educational Rights and Privacy Act (FERPA), or providing access to sensitive internal university systems.
But phishing is more than an annoyance — it’s causing significant financial losses and privacy violations at college campuses around the country.
According to the 2019 Verizon Data Breach Report, 53% of all cyberattacks in the higher education industry involve stolen credentials.
It’s also damaging the trust between universities and their end-users, chipping away at brand reputation. While it was once a problem reserved for the banking and financial sector, phishing is on the rise at colleges and universities.
In fact, the Anti-Phishing Working Group (APWG) noted that 2019 was “the worst period for phishing that the APWG has seen in three years, since the fourth quarter of 2016.”
Anyone who works in the field of campus technology knows the chaos that university phishing attacks and their resulting credential theft cause. Students are the most common target, but no one on campus is safe from these schemes.
To Prevent Phishing, Go Beyond Email Filtering
Often, security teams focus their anti-phishing strategy on securing university email addresses. That’s because most victims are targeted via email. A common tactic is to send out a highly convincing email to students.
The message appears to come from an administrator or faculty member at the school or even the campus bookstore. It may state something urgent about that student’s loan or registration status, along with instructions to click on a link to visit a website. The student trusts that this message is from the school and clicks on the link, setting the scam into motion.
But email isn’t the only component of university phishing attacks. Hackers are evolving their schemes, using other ways to connect with their victims and get what they want. Phishing via mobile devices using SMS texts is increasing.
The 2019 Verizon Data Breach Report reveals that 18% of individuals who clicked on test phishing links did so on their mobile devices. This means that email filtering won’t be enough to protect students and faculty who are using mobile devices to communicate.
Student web portals are also particularly under threat due to the valuable personal financial information they contain. Multinational cybersecurity and anti-virus provider Kaspersky Labs reports that internet portals were the most targeted business category in Q3 2018, representing 32% of all cyberattacks.
Hackers can use automation software and quickly create spoof websites that look like the real thing. Then, they send highly convincing emails to their intended targets that include a link to the spoof URL.
The emails often contain a message urging the victim to log on or change their password due to a security threat or policy change. Once the victim visits the spoof site and enters their credentials, the hacker has access to all of the information about that student contained in the portal.
College security teams have turned to anti-phishing email filters to block out any messages that are suspicious. This is a fundamental tool for good cyber hygiene, but it’s not enough, because anti-phishing filters can’t catch all of the email scams. It’s a scale issue. Think about how many individuals at your university use .edu email domains. It only takes a few clicks on a link to a malicious domain to effectively target hundreds or thousands of students.
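One check that complements an email filter is to look at where the links in a message actually point: a spoof site of the kind described above usually lives on a domain that embeds or misspells the campus domain. The following is an added example, not code from the article or from any campus product; it assumes a placeholder campus domain (`example-university.edu`) and a constructed sample message, and flags link hosts that are lookalikes of that domain.

```python
import re
from urllib.parse import urlparse

# Placeholder campus domain for this constructed example, not a real institution.
TRUSTED_DOMAIN = "example-university.edu"

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample email body: one legitimate link, two spoof-style links, one unrelated link.
SAMPLE_BODY = """Your financial aid status needs attention.
Log in at https://example-university.edu.secure-login-portal.com/aid
or https://exampel-university.edu/portal to update your password.
Help: https://registrar.example-university.edu/help  News: https://news.example.org/story"""


def levenshtein(a, b):
    """Edit distance between two strings; a small value suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, trusted=TRUSTED_DOMAIN):
    """Return 'trusted', 'lookalike' or 'external' for one link hostname."""
    host = host.lower().rstrip(".")
    if host == trusted or host.endswith("." + trusted):
        return "trusted"                          # the campus domain or a subdomain of it
    labels = host.split(".")
    brand = trusted.split(".")[0]                 # "example-university"
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if any(label.startswith("xn--") for label in labels):
        return "lookalike"                        # punycode label: possible homoglyph domain
    if brand in host or trusted.replace(".", "-") in host:
        return "lookalike"                        # campus name embedded in a foreign domain
    if levenshtein(sld, brand) <= 2:
        return "lookalike"                        # one- or two-character misspelling
    return "external"                             # unrelated site; not a spoof of this campus


def scan_message(body, trusted=TRUSTED_DOMAIN):
    """Map every URL found in an email body to its classification."""
    return {url: classify_host(urlparse(url).hostname or "", trusted)
            for url in URL_RE.findall(body)}


if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_BODY).items():
        print(f"{verdict:9s} {url}")
```

Very short campus names (three or four letters) would need an allowlist before the substring rule is useful, since the brand would match inside unrelated words.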
Protect the Integrity of Your Organization’s Brand
In the minds of the students, faculty, and the regulatory bodies that monitor for FERPA violations, it’s the university that bears responsibility for cyberattacks.
To protect your end-users from the risks of phishing, universities need to evolve security strategies, just as hackers have evolved their attack vectors. It starts with understanding the many facets of phishing and then implementing a more comprehensive detection and response strategy.
A modern anti-phishing strategy should extend beyond email filtering. It must also do more to protect students, not just faculty and administrators. Students are the most susceptible.
It’s time for colleges and universities to adopt an intelligent, comprehensive anti-phishing strategy. A robust anti-phishing detection and response strategy considers the tactics used in today’s sophisticated phishing schemes, such as social engineering, mobile devices, email and the fundamental building block of this attack vector: the spoof website.
Colleges and universities are already struggling to market themselves to potential students, but this becomes even more challenging when the institution is targeted by a cyberattack. All the brand equity that universities work so hard to build can disintegrate quickly when there is a breach involving student data.
Ultimately, the university will pay a price, whether through regulatory fines, the loss of revenue, or when their brand reputation is tarnished.
Salvatore J. Stolfo is a professor of computer science at Columbia University. This article originally ran in CS sister publication My Tech Decisions.