Proofpoint, a leading cybersecurity and compliance company, has released research identifying that almost two thirds (65%) of the UK’s top 20 universities have no published DMARC (Domain-based Message Authentication, Reporting and Conformance) record, making them potentially more susceptible to cybercriminals spoofing their identity and increasing the risk of email fraud for students.
With a record 40% (236,350) of UK school leavers applying for higher education places this year, students will be eagerly awaiting email correspondence regarding their applications on A-level results day (August 15). However, cybercriminals may be capitalising on the anticipation of email communication from universities to potentially trick students with fraudulent emails.
“By not implementing simple yet effective email authentication best practices, universities may be unknowingly exposing themselves and their students to cybercriminals on the hunt for personal data,” said Kevin Epstein, VP of Threat Operations at Proofpoint. “Email continues to be the vector of choice for cybercriminals. Proofpoint researchers found that the education sector saw the largest year-over-year increase in email fraud attacks of any industry in 2018, soaring 192% to 40 attacks per organisation on average.”
Key findings from the research include:
- 65% of the top 20 UK university domains currently have no published DMARC record, leaving them open to impersonation attacks
- While 35% of the top 20 UK universities have published a DMARC record, only 5% have implemented the strictest and recommended level of DMARC protection (a reject policy), which is the only setting that actually blocks fraudulent emails at the receiving mail server before they reach their intended target; a monitoring-only policy reports spoofing but does not stop it
Epstein concluded: “Institutions and organisations in all sectors should look to deploy authentication protocols, such as DMARC, to shore up their email fraud defences. Cybercriminals are always going to leverage key events to drive targeted attacks using social engineering techniques such as impersonation, and universities are no exception to this. Ahead of A-level results day, student applicants must be vigilant in checking the validity of all emails, especially on a day when guards are down and attentions are focused on their future.”
Best practice for students:
- Students should check the validity of all email communication and be aware of potential fraudulent emails impersonating education bodies
- Students should be cautious of any communication attempts that request log-in credentials or threaten to suspend a service or an account if a link isn’t clicked
- Students should follow best practice for password hygiene, including using strong passwords, never re-using them across multiple accounts, and changing them promptly if an account may have been compromised
For many organisations, the road to easing email fraud risk is paved with DMARC (Domain-based Message Authentication, Reporting and Conformance), an email protocol being adopted globally as the passport control of the email security world. It lets a domain owner publish, in a DNS TXT record at _dmarc.<domain>, what receiving mail servers should do with messages that claim to come from that domain but fail authentication: monitor only (p=none), send to spam (p=quarantine) or refuse outright (p=reject), plus an address to which receivers send aggregate reports. DMARC verification relies on the established DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) standards: a message passes only if it passes SPF or DKIM and the authenticated domain aligns with the domain shown in the From: header, which is the domain the recipient actually sees. Publishing no record, or a p=none record, gives receivers no instruction to block spoofed mail. This authentication protects employees, customers and partners from cybercriminals looking to impersonate a trusted domain.
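The check below is an added example, not Proofpoint's tooling or the code behind the research above: it grades a domain's DMARC posture the way the survey does, by taking the TXT answers published at _dmarc.<domain>, validating and parsing the record per RFC 7489, and classifying the domain as having no usable record, a monitoring-only policy, a partial policy (pct below 100) or a full reject policy. The domain names and records in SAMPLE_DNS are constructed for the demonstration; in practice you would feed in the strings returned by `dig +short TXT _dmarc.<domain>` for each institution.

```python
"""Grade DMARC records the way the survey above does (added example).

The sample "DNS answers" below are constructed; real answers come from a
TXT lookup of _dmarc.<domain>, e.g. `dig +short TXT _dmarc.example.ac.uk`.
"""
from __future__ import annotations

DMARC_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt: str) -> dict[str, str] | None:
    """Parse one TXT string into DMARC tag/value pairs.

    Returns None unless the record starts with v=DMARC1 and carries the
    mandatory p= tag (RFC 7489 section 6.3)."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None  # malformed tag, record unusable
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    first = txt.split(";", 1)[0].lower().replace(" ", "")
    if first != "v=dmarc1" or "p" not in tags:
        return None
    return tags


def grade_domain(txt_answers: list[str]) -> tuple[str, int]:
    """Return (policy, pct) a receiver would enforce for these TXT answers.

    policy is "missing", "none", "quarantine" or "reject"; pct is the share
    of failing mail the policy applies to (0 when there is no usable record).
    """
    # Receivers ignore non-DMARC TXT strings at the name, and RFC 7489
    # section 6.6.3 says more than one DMARC record means no DMARC at all.
    dmarc = [t for t in txt_answers if t.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return ("missing", 0)
    tags = parse_dmarc(dmarc[0])
    if tags is None:
        return ("missing", 0)
    policy = tags["p"].lower()
    if policy not in DMARC_POLICIES:
        return ("missing", 0)  # simplified: unknown p= value treated as unusable
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    return (policy, max(0, min(100, pct)))


def survey(dns: dict[str, list[str]]) -> dict[str, float]:
    """Count domains by enforced policy and report the two headline shares."""
    counts = {"domains": 0, "no_record": 0, "none": 0, "quarantine": 0,
              "reject": 0, "partial": 0}
    for _name, answers in dns.items():
        counts["domains"] += 1
        policy, pct = grade_domain(answers)
        if policy == "missing":
            counts["no_record"] += 1
        elif policy == "none":
            counts["none"] += 1
        elif pct < 100:
            counts["partial"] += 1  # quarantine/reject on only a sample of mail
        else:
            counts[policy] += 1
    total = counts["domains"] or 1
    counts["no_record_share"] = round(100.0 * counts["no_record"] / total, 1)
    counts["reject_share"] = round(100.0 * counts["reject"] / total, 1)
    return counts


# Constructed sample answers for hypothetical institutions (not real data).
SAMPLE_DNS: dict[str, list[str]] = {
    "_dmarc.uni-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@uni-a.example"],
    "_dmarc.uni-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@uni-b.example"],
    "_dmarc.uni-c.example": [],                                   # nothing published
    "_dmarc.uni-d.example": ["v=DMARC1; p=quarantine; pct=25"],   # partial enforcement
    "_dmarc.uni-e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records: invalid
    "_dmarc.uni-f.example": ["v=spf1 -all"],                      # wrong record at the name
}

if __name__ == "__main__":
    for name, answers in SAMPLE_DNS.items():
        print(f"{name:24s} {grade_domain(answers)}")
    print(survey(SAMPLE_DNS))
```

Two details matter when reproducing the survey's numbers: a domain that publishes two DMARC records, or a p= value receivers do not recognise, counts as having no DMARC at all, and a reject policy with pct below 100 is not full protection because receivers apply it to only that share of failing mail.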