Students, teachers, and administrators returning to school this season have faced immense challenges. The coronavirus pandemic and lockdown have upset the traditional classroom environment. Educators are more reliant than ever on email to send and receive important information. Of course, all of that makes the educational sector a ripe target for cybercriminals. A report published Thursday by security firm Barracuda Networks details how schools are being hit by phishing emails and what they can do to better protect themselves.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
Schools and colleges have been preyed on by specific types of phishing campaigns, including spear phishing and Business Email Compromise (BEC) attacks. Spear phishing attacks typically are aimed at specific individuals or departments within an organization. In a BEC attack, cybercriminals impersonate a trusted party to try to obtain fraudulent invoice payments or other funds.
Analyzing the 3.5 million spear phishing attacks seen from June through September 2020, Barracuda found that more than 1,000 educational institutions were targeted. Schools and colleges were also more than twice as likely as the average organization to be hit by a BEC attack.
Spear phishing campaigns were aimed evenly against most organizations throughout the summer, followed by an increase in September. In contrast, campaigns against the educational sector fell in July and August when schools were closed, and then jumped in September when students returned.
The types of attacks against schools also shifted from summer to fall. In July and August, attackers focused on email scams that were less targeted and deployed in large numbers. Targeted BEC campaigns were more common during typical school months such as June and September. During those months, Barracuda also spotted more phishing attacks that leveraged service impersonation, which spoofs a well-known company or business application as a way to steal account credentials.
In one example cited in the report, the Manor Independent School District in Texas lost $2.3 million due to a fraudulent phishing campaign. In another example, Scott County Schools in Kentucky was scammed out of $3.7 million as the result of wire fraud but was able to recover the money.
In almost 90% of the BEC attacks against schools, the criminals used Gmail accounts to send their phishing emails. Gmail is popular among hackers as it’s free, offers an easy registration process, and has a good reputation. However, a quarter of the emails were sent from compromised internal accounts, which are prized due to their high level of trust.
The emails launched from Gmail try to appear legitimate by using educational titles in the sender address. In its analysis, Barracuda found emails from such addresses as firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org.
These campaigns also use relevant or topical subject lines to catch the eye of the victim and foster a sense of urgency and immediacy. As such, a large percentage of the emails exploited COVID-19 with such subject lines as “COVID19 NEW UPDATES,” “Covid-19 Update Follow Up Right Now,” “COVID-19 SCHOOL MEETING,” and “Re: Stay safe.”
To protect your school or college from these types of phishing attacks, Barracuda offers the following tips:
Invest in protection against targeted phishing attacks. Attackers know that educational organizations don’t always have the same level of security as other organizations, and they take advantage of it. Schools, colleges, and universities need to prioritize email security that leverages artificial intelligence to identify unusual senders and requests. This additional layer of defense on top of traditional email gateways can provide protection against spear phishing attacks for both staffers and students.
Get account takeover protection. Educational institutions are more susceptible to account takeover than an average organization because many school districts and colleges don’t have the necessary tools and resources to protect against this threat. Invest in technology that will help you identify suspicious activity and potential signs of account takeover.
Improve security awareness education. Users are the last line of defense. Educate them about the email threats faced by educational institutions today. Ensure that both staffers and students can recognize attacks, understand their fraudulent nature, and know how to report them. Security awareness training is especially important now during the shift to remote learning. Students and teachers increasingly rely on technology and email for both communication and educational purposes.
Set up internal policies to prevent wire transfer fraud. All organizations, including educational institutions, should establish and regularly review existing company policies to ensure that personal and financial information is handled properly. Help employees avoid making costly mistakes by creating guidelines and setting up procedures to confirm all email requests for wire transfers and payment changes. Require in-person or telephone confirmation and/or approval from multiple people for all financial transactions.