When the coronavirus pandemic hit this year, it forced a lot of organizations to find new, digital ways of working. Although a lot of businesses had already started thinking about the transition to the cloud, there were still many that hadn’t taken those initial steps and some who had never planned to. But working from home is now the new norm: we have meetings on Teams or Zoom instead of in a board room, and water cooler chats are held on Slack and Skype. The introduction of new cloud technologies in the workplace has opened the door to a number of opportunities, particularly when it comes to collaboration between offices, but it also means that there are more vulnerabilities for cybercriminals to target.
Universities and colleges have struggled in the battle against cybercrime for a long time for a number of reasons. Firstly, their databases hold large stores of sensitive information about their students. Secondly, their accounts and servers are trusted by other organizations, who are likely to hold the door open for correspondence from them. This means that attackers who successfully breach a university’s accounts not only have access to that institution’s data, but potentially the data of other companies that the university works with.
This fall, students are returning to their classes online. With notifications and follow-ups from virtual lectures, seminars and study halls, as well as updates from the universities themselves regarding Covid-19, students and staff members alike are being inundated with emails. This makes it much easier for attackers to disguise themselves as trusted sources in order to carry out phishing and email compromise attacks, so the attacks themselves are far more difficult to spot – particularly for vulnerable victims who’ve been up all night studying and definitely wouldn’t say no to a free Dominos as a reward at the weekend.
Unfortunately, when they aren’t from a genuine sender, those sweet deals quickly turn sour and can have catastrophic consequences for the university, both financially and in terms of losing the trust of prospective students.
So why are universities at risk, and how do attackers gain access to their accounts? And, just as importantly, what can you do to protect the staff and students at your institute from falling victim to email-related cybercrime?
Why Universities And Colleges Are At Risk
Universities are universally recognized as being world-leading research institutions. They store incredibly valuable research data which, if lost, could have major financial and reputational impacts. However, they also store large amounts of personal data about their staff and students, including financial information. If attackers gain access to either of these types of data, they can use it to carry out ransomware attacks, in which they demand money for the safe return of the university’s data, or they can sell it on to other bad actors.
A serious breach can cause a huge drop in the number of prospective students that want to attend in following years. It can also severely affect any funding applications that the university wants to complete, with investors choosing to give their money to more reliable institutions. Despite this, many universities and colleges don’t have substantial security measures in place to combat cybercrime. This is largely due to the fact that they don’t have the dedicated security budget that other large corporations may have at their disposal. However, it’s also down to a lack of awareness of the risk these attacks present.
Because they often have little email security, universities are an easy victim to target as well as a lucrative one. Attackers like to do as little work as possible for the most amount of gain, so this makes higher education institutes the perfect target for a cyberattack.
But it isn’t just the university itself that’s in trouble if their accounts are compromised – higher education institutes often partner with other organizations, whether through research, marketing, or consulting on projects. When a university or college’s accounts are breached, that puts all partner organizations at risk, too. Let’s take a look at why.
Account Takeover And Phishing: The Threats Facing Higher Education
There are two main threats that universities face when it comes to cybersecurity, and both involve email. Email systems can be a huge vulnerability if not properly secured. In fact, Verizon released a report this year which found that 67% of data breaches are caused by three main methods: credential theft, social engineering (such as phishing) and error. And these are exactly the challenges that universities and colleges are facing.
It’s December, and it’s raining. A student sits in the library with the calculator app open on their phone. They’ve already reached their overdraft limit, and their student loan isn’t going to come in for another few weeks. Suddenly, a light appears at the end of the tunnel: they receive an email from their student loan provider saying that if they log into their account, they’ll be able to withdraw a certain amount of their loan early…
Phishing attacks are a type of cybercrime based on email fraud. A bad actor emails their victims whilst fraudulently posing as a trusted sender. The emails are carefully designed to trick users into clicking on a URL to a webpage where they’re asked to enter sensitive information, like ID numbers and passwords, which is what happened to several staff members of Wichita State University last year. Traditional phishing emails are easier to spot because they often target hundreds or even thousands of people at once, so the message itself might seem generic and irrelevant to the receiver.
Spear phishing emails take it one step further: they make it personal. The attacker impersonates someone that the victim knows personally so that the receiver will trust them when asked for sensitive information.
Phishing emails, and sometimes even spear phishing emails, will be the most common threat that your students and staff face. Some staff, however, may fall victim to whaling attacks. These are highly sophisticated spear phishing attacks designed to “catch the biggest fish”, i.e. reap the largest reward. As such, attackers research their victims in detail to personalize the attack and gain their trust, and they put effort into designing realistic attachments or webpages for the victim to open. They then send this malicious content to members of executive committees, governors and presidents, all of whom have their emails advertised publicly on the university website.
Account Takeover (Business Email Compromise)
Later that day, you sit in the office. A contact from one of your partners calls you saying they got your email with an attached invoice but wanted to double check the amount. You never sent them an invoice…
Business email compromise (BEC) attacks, or ‘man-in-the-email’ attacks, are also based on email fraud. A bad actor steals the credentials to an email account, usually through hacking or phishing, and takes over the account, impersonating the real account owner. The attacker then manipulates the organization and its stakeholders into sending them money or sensitive data.
BEC is one of the most common and financially dangerous online crimes because it exploits our reliance on email communications – something that universities will be using more and more in the coming months. There are three main methods of attack. Firstly, the attacker could spoof an email account or website by varying a legitimate email address slightly. These changes can be easy to miss, and fool victims into thinking the account is genuine. Secondly, attackers may send spear-phishing emails, which imitate a trusted sender and trick the victim into revealing confidential information. With this information, the attacker can access private company data. Finally, attackers may use malware to access an organization’s networks, including inboxes. This allows the attacker undetected access to the victim’s personal data, including their passwords and financial information. Once the attacker has access to this information, they can move laterally throughout the organization. This means using a student’s credentials to target a lecturer, who they use to target a governor, and so on. Once the attacker reaches high enough in the chain, they can start to reach out to partner organizations.
Because the attacker is using a genuine, trusted university account to reach further organizations, the security systems of these partners often won’t detect that there’s anything “phishy” about the emails. From there, just one click leads to a second wave of credential harvesting chaos.
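The first BEC method above, a legitimate address varied slightly, is something a mail admin can check for on the receiving side. The following is an added example in Python (not code from the article or from any vendor it mentions) that classifies a From: header against a constructed allow-list of trusted domains, flagging homoglyph swaps such as rn for m, domains within a couple of edits of a trusted one, and a trusted name reused as a label of an unrelated domain. The domains and addresses are constructed; only the detection logic is the point.

```python
"""Lookalike sender-domain check, an added example (not from the article).

Flags sender addresses whose domain differs only slightly from a domain the
institution already trusts. The trusted domains and sample addresses below
are constructed for the example.
"""
from email.utils import parseaddr

# Constructed allow-list: the institution's own domain and one partner.
TRUSTED_DOMAINS = {"example-university.edu", "example-partner.org"}

# Substitutions that make one domain read like another in most fonts.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Undo common look-alike substitutions so visual twins compare equal."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2):
    """Return (verdict, reason) for a From: header value.

    verdict is one of 'trusted', 'lookalike', 'unknown' or 'malformed'.
    """
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ("malformed", "no parsable address")
    domain = addr.rsplit("@", 1)[1].lower()

    # 1. Exact match or a genuine subdomain of a trusted domain.
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return ("trusted", domain)

    labels = domain.split(".")
    norm = normalize(domain)
    for t in trusted:
        # 2. Trusted name embedded as a label of an unrelated domain.
        if t.split(".")[0] in labels:
            return ("lookalike", f"contains trusted label from {t}")
        # 3. Visually identical once homoglyph swaps are undone.
        if norm == normalize(t):
            return ("lookalike", f"homoglyph variant of {t}")
        # 4. Within a couple of edits (typo-squat, transposed letters).
        if levenshtein(norm, normalize(t)) <= max_edits:
            return ("lookalike", f"within {max_edits} edits of {t}")
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample senders.
    for hdr in ["Bursar <bursar@example-university.edu>",
                "bursar@exarnple-university.edu",
                "Bursar <bursar@example-univeristy.edu>",
                "IT Helpdesk <it@example-university.edu.login-portal-example.com>",
                "alice@unrelated-vendor-example.com"]:
        print(f"{hdr:68} -> {classify_sender(hdr)}")
```

A gateway would normally run a check like this before the content scan, tag 'lookalike' results for quarantine and feed 'unknown' senders into whatever reputation or profiling it does next; the edit-distance threshold is deliberately small so that genuinely different partner names are not flagged.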
Unfortunately, these types of attack are happening all the time. Email security vendor INKY recently released a study of hijacked university accounts, highlighting thousands of attacks that evaded detection by legacy security solutions because they came from trusted university accounts and domains. In the study, Purdue University accounts sent the most phishing emails, with 2068 detected by INKY. The University of Oxford and Hunter College came in second and third, with their domains sending 714 and 709 malicious emails respectively.
But it’s not all doom and gloom! As we all know, the first step to recovery is admitting you have a problem, and you’ve achieved that by reading this far. That being said, you now need to know what steps to put in place to prevent your staff and students from falling victim to phishing and account takeover attacks.
How Universities Can Eliminate Email Threats
There are four main types of security solution that you can put in place to help prevent phishing and account takeover attacks. These are Secure Email Gateways, post-delivery protection, awareness training and multi-factor authentication.
Secure Email Gateways (SEGs)
SEGs block email-based threats before they can reach your server. They scan incoming, outbound and internal communications for signs of malicious content, including dangerous URLs and attachments. The gateway also checks the domain of incoming emails to make sure that they’re from a trusted sender. Admins can whitelist or blacklist certain domains to make sure that known attackers can’t target staff and students, and any content deemed suspicious is automatically removed or quarantined.
SEGs also scan outbound email for malicious activity, so that if one of your accounts is compromised, they won’t be able to send spam or phishing emails to your partner organizations.
However, as INKY’s report highlights, university domains are widely trusted as being safe. Because of this, a Secure Email Gateway alone isn’t enough to protect your servers.
Post-Delivery Protection (PDP)
Post-Delivery Protection (PDP) provides security from inside the inbox. These solutions also scan incoming mail and use machine learning, such as digital stylometry, to detect signs of social engineering attempts.
“Stylometry is part of a broader use of machine learning we call ‘sender profiling’,” explains Dave Baggett, CEO at INKY. “The idea is to maintain a model or, technically, a set of models for each email sender whose mail the solution has ever seen. The model is updated every time a new mail arrives from the sender, and it incorporates signals we extract from email headers and the email body.”
These signals can include everything from the sender’s geographic location to the greeting they use at the start of the email. Baggett explains that, by analyzing the signals, the solution can mathematically calculate what the sender’s “normal mail” looks like and compare emails to the sender’s prior communications.
Malicious emails are removed or quarantined, and if the PDP solution is unsure it allows the receiver to view the email but inserts a warning banner to inform the user that the communication could potentially be harmful. For these instances, these solutions also come with a reporting feature that allows users to report or remove emails that they think are suspicious.
Post-Delivery solutions also help to combat delayed phishing attacks, in which malicious URLs become active after the initial security scans have taken place. We’re seeing increasingly more of this kind of attack, and it’s important that you find a solution that is able to identify and remediate delayed threats.
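Baggett's description of sender profiling (a model per sender, updated on every message, built from header and body signals, then compared against the sender's "normal mail") can be shown on a small scale. The following is an added example in Python, written for this page and not INKY's code, that learns four signals per sender (the greeting word, the hour of day, the Reply-To domain and the mail client header) from a few constructed messages, then scores a new message by how many signals break the pattern and maps the score to the deliver / banner / quarantine outcomes the text describes. The messages, sender address and weights are all constructed.

```python
"""Per-sender profiling, an added example (not INKY's code or the article's).

Learns a small model of each sender from mail already seen and scores a new
message by how many tracked signals break that sender's pattern. Every
message below is constructed.
"""
import email
from collections import Counter, defaultdict
from datetime import timezone
from email.utils import parseaddr, parsedate_to_datetime


def make_message(sender, date, body, reply_to=None, mailer="Outlook-Example"):
    """Build a raw message string from constructed parts."""
    headers = [f"From: {sender}", f"Date: {date}", f"X-Mailer: {mailer}",
               "Subject: constructed sample"]
    if reply_to:
        headers.append(f"Reply-To: {reply_to}")
    return "\n".join(headers) + "\n\n" + body


def extract_signals(raw):
    """Pull the signals the profile tracks out of one raw message."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg["From"])[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", msg["From"]))[1].lower()
    hour = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc).hour
    words = msg.get_payload().split()
    return sender, {
        "greeting": words[0].rstrip(",").lower() if words else "",
        "hour": hour,
        "reply_domain": reply_to.rsplit("@", 1)[-1],
        "mailer": msg.get("X-Mailer", "unknown"),
    }


class SenderProfiler:
    MIN_HISTORY = 3  # messages needed before a sender's model is trusted
    WEIGHTS = {"greeting": 1, "hour": 1, "mailer": 1, "reply_domain": 2}

    def __init__(self):
        # sender -> signal name -> Counter of values seen
        self.profiles = defaultdict(lambda: defaultdict(Counter))

    def learn(self, raw):
        """Update the sender's model with one more message."""
        sender, sig = extract_signals(raw)
        for name, value in sig.items():
            self.profiles[sender][name][value] += 1

    def score(self, raw):
        """Return (verdict, reasons); verdict is deliver, banner or quarantine."""
        sender, sig = extract_signals(raw)
        prof = self.profiles.get(sender)
        if prof is None or sum(prof["greeting"].values()) < self.MIN_HISTORY:
            return ("banner", ["no established profile for sender"])
        reasons, points = [], 0
        for name, value in sig.items():
            if name == "hour":
                # distance on a 24h clock; more than 3h from every usual hour is odd
                if all(min(abs(value - h), 24 - abs(value - h)) > 3 for h in prof["hour"]):
                    reasons.append(f"sent at {value:02d}:00 UTC, usual hours {sorted(prof['hour'])}")
                    points += self.WEIGHTS[name]
            elif value not in prof[name]:
                reasons.append(f"{name} {value!r} never seen from this sender")
                points += self.WEIGHTS[name]
        verdict = "deliver" if points == 0 else "banner" if points == 1 else "quarantine"
        return (verdict, reasons)


# Constructed history for one lecturer's account.
PROF = "prof@example-university.edu"
HISTORY = [
    make_message(PROF, "Mon, 07 Sep 2020 09:15:00 +0000", "Hi Sam,\n\nSlides for Tuesday attached."),
    make_message(PROF, "Tue, 08 Sep 2020 10:40:00 +0000", "Hi Sam,\n\nCan you book room B12?"),
    make_message(PROF, "Wed, 09 Sep 2020 11:05:00 +0000", "Hi Sam,\n\nThanks for the notes."),
]
NORMAL_MAIL = make_message(PROF, "Thu, 10 Sep 2020 10:02:00 +0000", "Hi Sam,\n\nSee you at 2.")
# Same genuine account, but the content and timing look like a takeover.
SUSPICIOUS_MAIL = make_message(
    PROF, "Fri, 11 Sep 2020 03:12:00 +0000",
    "Dear Sam,\n\nPlease pay the attached invoice today and reply to this address.",
    reply_to="prof.payments@free-mail-example.com", mailer="WebMail-Example")


def build_demo_profiler():
    profiler = SenderProfiler()
    for raw in HISTORY:
        profiler.learn(raw)
    return profiler


if __name__ == "__main__":
    p = build_demo_profiler()
    print(p.score(NORMAL_MAIL))
    print(p.score(SUSPICIOUS_MAIL))
```

The important property is that the suspicious message comes from the real, trusted account and passes any domain check; it is only the comparison against that sender's own history (new greeting, 03:00 send time, a Reply-To pointing at a free-mail domain, a different client) that pushes it into quarantine. A real product tracks many more signals and replaces the fixed weights with a learned model, but the shape is the same.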
Phishing Awareness Training
One of the most useful forms of prevention is education; being aware of these kinds of attack will make any user less likely to fall victim to them. Phishing awareness training solutions teach users how to identify suspicious or malicious emails and what to do if they receive them.
The best training solutions provide users with both the knowledge and the tools they need to help prevent phishing attacks. This involves taking virtual courses, often made up of engaging, multi-media scenario-based content. Once they’ve completed the course, admins can test the users with simulated phishing emails. If they don’t report the emails, admins can assign further training. Often, solutions come with an in-built “report phishing” button. If not, it’s important that you let staff and students know where they should forward any suspicious content to.
Most phishing awareness training solutions also offer a huge library of digital and printable activities and infographics, which are perfect for reminding staff and students of the dangers of phishing attacks. You could also print these to hang up in labs and libraries, or pop into freshman welcome packs.
Multi-Factor Authentication (MFA)
Secure Email Gateways and Post-Delivery Protection solutions can, unfortunately, be a little pricey, especially for universities and colleges who don’t often have a large budget to dedicate to cybersecurity. But that doesn’t mean that these institutes have to go completely without protection.
Multi-factor authentication is an authentication method that requires users to verify their identity using multiple methods before they’re allowed to access certain resources. These factors can include something the user knows (a PIN or secret answer), something the user has (a smart card or authentication app), or something the user is (a biometric fingerprint or retina scan). Implementing MFA means that a bad actor can’t access an account, even if they gain access to the user’s login credentials through a phishing attack.
Dave Baggett of INKY recommends that all higher education institutes implement multi-factor authentication. “MFA is easy to use and built in to both O365 and G Suite, and will prevent accounts from getting taken over.” Traditional passwords aren’t enough to secure accounts against sophisticated threats, Baggett warns, adding that, “Even student accounts should require MFA.”
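To make concrete why a phished password alone no longer opens the account, here is an added example in Python (not the article's code, and not how O365 or G Suite implement it internally) of the "something the user has" factor that authenticator apps use: time-based one-time passwords per RFC 6238, built on HMAC-SHA1 HOTP from RFC 4226, with a login routine that checks the password and then refuses access unless a current code is also supplied. The user record, salt and password are constructed; the TOTP secret is the RFC 6238 reference key so the codes can be checked against the published test vectors.

```python
"""Password + TOTP login check, an added example (not the article's code).

Standard-library-only RFC 6238 TOTP on top of RFC 4226 HOTP, plus a login
routine that denies access when the second factor is missing or wrong even
if the password is correct. The user record is constructed.
"""
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password for a counter value (RFC 4226)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP with counter = unix time // step (RFC 6238)."""
    at = time.time() if at is None else at
    return hotp(key, int(at // step), digits)


def verify_totp(key: bytes, code: str, at=None, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Accept the current code or its immediate neighbours (clock drift)."""
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(key, c, digits), code)
               for c in range(counter - window, counter + window + 1))


# Constructed user record. The password is stored as a PBKDF2 hash; the
# TOTP secret is the RFC 6238 reference key "12345678901234567890".
_SALT = b"constructed-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    "student42": {
        "pw_hash": _hash_password("correct horse"),
        "totp_key": b"12345678901234567890",
    }
}


def login(username: str, password: str, code, at=None) -> str:
    """Return 'ok' only when both factors verify; otherwise a denial reason."""
    user = USERS.get(username)
    if user is None:
        return "denied: unknown user"
    if not hmac.compare_digest(_hash_password(password), user["pw_hash"]):
        return "denied: bad password"
    # A phished password alone stops here: without a valid current code
    # from the user's device the account stays closed.
    if code is None or not verify_totp(user["totp_key"], code, at=at):
        return "denied: second factor missing or wrong"
    return "ok"


if __name__ == "__main__":
    now = time.time()
    current = totp(USERS["student42"]["totp_key"], at=now)
    print(login("student42", "correct horse", None, at=now))     # denied
    print(login("student42", "correct horse", current, at=now))  # ok
```

The `at` parameter exists so the codes can be checked against fixed times; in production the server uses its own clock, and the one-step window is the usual compromise between tolerating a phone whose clock is a few seconds off and keeping the validity of a captured code short.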
There isn’t a single solution that will offer you comprehensive protection against phishing or account takeover attacks, so it’s important that you implement multiple layers of security to help protect your university or college. However, this can be difficult when you don’t have the security budget to allow you to invest in all of the security measures we’ve discussed in this article. For this reason, you should analyse the types of threat that you’re facing and choose a form of protection that will best help secure you against them.
Even if you can’t afford to invest immediately in a solution, you need to make the staff and students you work with aware of these attacks and how dangerous they can be. Even a simple poster in the library pointing out key indicators of phishing emails and reminding users not to leave their devices unattended while they grab a coffee could go a long way.