Spear phishing attacks against the education sector


Barracuda Networks has evaluated 3.5 million spear phishing attacks against the education sector. The result: educational institutions are twice as badly affected by BEC attacks as other organizations.

Because the pandemic situation keeps changing, many schools and universities still rely heavily on email to keep teachers, pupils and students informed about the current situation. Hackers take advantage of this by increasingly targeting educational institutions with spear phishing attacks. Here's a closer look at cybercriminals' methods and the best practices that education organizations can use to protect themselves against attacks.

Carefully crafted attacks

From June to September 2020, Barracuda evaluated over 3.5 million spear phishing attacks in EMEA, the USA and APAC, including attacks on more than 1,000 educational institutions such as schools, colleges and universities. The study found that organizations in the education sector are more than twice as likely to be targeted by Business Email Compromise (BEC) attacks as other organizations. More than one in four spear phishing attacks targeting the education sector was a carefully crafted BEC attack.


Accounts with well-known e-mail providers such as Gmail are easy to register, free and trusted by recipients, which is why they are very popular with attackers. According to the analysis, cybercriminals used Gmail accounts in 86 percent of all BEC attacks in the education sector. They also built terms such as “director” or “school” into the e-mail addresses to make them more convincing, and they wrote targeted subject lines to convey a sense of urgency; above all, a significant number of attacks misused COVID-19 as a topic. Criminals also adjusted the timing of their attacks: in July and August, when schools were closed for the summer holidays, spear phishing attacks against the education sector decreased significantly, by 10 to 14 percent. In September the number of attacks increased again significantly.
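The sender traits described above can be turned into a simple inbound triage rule. The following Python sketch is an added example, not Barracuda's detection logic: the function name `triage`, the verdict labels, the urgency word list and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

FREE_MAIL = {"gmail.com"}                # provider named in the study
ROLE_TERMS = ("director", "school")      # terms named in the study
# Assumed urgency vocabulary; extend it from phish reported at your institution.
URGENCY = re.compile(r"\b(urgent|immediate|asap|covid)", re.I)

def triage(raw: str, own_domain: str):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    if domain == own_domain.lower():
        # Assumes SPF/DKIM/DMARC are enforced upstream, so From is genuine.
        # A hijacked internal account needs behavioural detection instead.
        return "deliver", []
    reasons = []
    if domain in FREE_MAIL:
        reasons.append("free-mail sender")
        if any(t in local or t in display.lower() for t in ROLE_TERMS):
            reasons.append("role term in sender")
    if URGENCY.search(msg.get("Subject", "")):
        reasons.append("urgent or COVID-19 subject")
    if "role term in sender" in reasons:
        verdict = "hold-for-review"      # free mail claiming a school role
    elif len(reasons) == 2:
        verdict = "banner"               # free mail plus urgency, no role claim
    else:
        verdict = "deliver"
    return verdict, reasons

# Constructed sample messages (not taken from the study).
SAMPLES = {
    "bec": "From: School Director <school.director.example@gmail.com>\n"
           "Subject: URGENT: COVID-19 supplier payment today\n\nAre you free?",
    "pressure": "From: J. Smith <jsmith.example@gmail.com>\n"
                "Subject: Immediate reply needed\n\nHi",
    "parent": "From: Ana Ruiz <ana.ruiz84.example@gmail.com>\n"
              "Subject: Absence note for Friday\n\nHello",
    "internal": "From: Head Office <office@school.example>\n"
                "Subject: Urgent: timetable change\n\nHi",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw, "school.example"))
```

Substring matching on role terms will also catch harmless addresses that happen to contain “school”, so the strongest verdict is a hold for human review rather than a block.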

The nature of the attacks against schools also changed during the summer vacation. In July and August, cyber criminals focused on email scams, which are less targeted and often sent in bulk. By contrast, targeted attacks such as phishing increased during the school year, including brand impersonation, in which a trustworthy company or brand is imitated in order to induce victims to divulge personal or otherwise sensitive information. In June and September, these types of attacks accounted for nearly half of all spear phishing threats targeting schools (47 and 48 percent, respectively).

Misuse of hijacked email accounts for attacks

The study also analyzed malicious emails sent from potentially compromised internal accounts. Across all industries, the proportion of malicious emails sent from such accounts was 25 percent. In the education sector, it was significantly higher at 57 percent: hijacked accounts in the education sector were massively misused by cyber criminals for further attacks. These accounts are particularly valuable to attackers, as messages from these senders are usually highly trusted. Some large-scale campaigns emerged that used education email accounts to send out as many attacks as possible until the activity was detected and stopped.

How educational institutions can protect themselves

1. Protection against targeted phishing attacks: The education sector is disproportionately affected by social engineering attacks such as brand impersonation and BEC. Cyber criminals know that education organizations do not always have the same level of security as other organizations and take advantage of this. Educational institutions should therefore focus particularly on email security. A strong security solution should use artificial intelligence to identify suspicious senders and requests. This additional layer of defense on top of traditional email gateways provides significant protection against spear phishing attacks.

2. Protection against account takeover: Educational institutions are more vulnerable to account takeover attacks than regular organizations because many schools and colleges do not have the tools and resources to protect themselves from this threat. That is why it makes sense to invest in a technology that makes it possible to specifically identify suspicious activities and potential signs of a hijacked account.

3. Enhanced education: Users are the last line of defense. Therefore, they need to be educated about the email threats faced by educational institutions today. Institutions should ensure that employees as well as pupils and students recognize attacks and know how to report them.

4. Internal security guidelines: All organizations, including educational institutions, should establish and regularly review guidelines for the correct handling of personal and financial information. Procedures should be put in place to confirm all email requests for transfers and payment changes to avoid costly mistakes by employees. For all financial transactions, confirmation and/or approval in person or over the phone should be obtained from multiple people.

With educational institutions increasingly reliant on digital communication in the foreseeable future, spear phishing attacks by cyber criminals remain an ongoing threat. However, with the above measures, organizations in the education sector can significantly reduce the risk of an attack.
