Universities Put Email Users at Cyber Risk

A DMARC analysis by Proofpoint shows that institutions in the U.S. have some of the poorest protections against domain spoofing and lack safeguards to block fraudulent emails.

Top U.S. universities are among the worst in the world at protecting users from email fraud, lacking security measures to prevent common threat tactics such as domain spoofing or other types of fraudulent emails, researchers have found.

Ninety-seven percent of the top 10 universities in the United States, the United Kingdom and Australia are subjecting students, staff and administration to higher risks of email-based impersonation and other attacks because their systems lack basic security, according to new research from Proofpoint revealed Tuesday. Moreover, U.S. institutions are the worst offenders of the bunch, with some of the poorest levels of cybersecurity protection, researchers found.

The news is troubling, especially as email remains the most common vector for security compromises across all industries, observed Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, in a statement. Further, the frequency, sophistication and cost of cyberattacks against universities have increased in recent years, he said.

“It’s the combination of these factors that make it especially concerning that the premier universities in the U.S. are currently the most vulnerable to attack,” Kalember noted.

Indeed, universities and other institutions of higher education store “masses of sensitive personal and financial data, perhaps more so than any industry outside healthcare,” he said. This, unfortunately, makes them a top target for cybercriminals, who currently have an easy path to attack due to lack of email protections, he said.

Lacking in Email Protection

Among universities in the United States, Proofpoint looked at Columbia, Harvard, Princeton, Yale and Stanford universities, the Universities of California Berkeley and Los Angeles, the University of Pennsylvania, Massachusetts Institute of Technology and New York University.

Researchers used Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of these universities as well as the top 10 in the United Kingdom and Australia to make their assessment.

DMARC is an email validation protocol aimed at protecting domain names from being misused by cybercriminals by authenticating the sender’s identity before sending a message to its intended destination, researchers noted. This misuse occurs when cybercriminals impersonate an authentic entity by “spoofing” its domain, which leads the recipient of an email to think it’s legitimate when it’s not.

DMARC has three levels of protection: monitor, quarantine and reject; the last is the most secure for preventing suspicious emails from reaching the inbox. Proofpoint found that none of the top U.S. and U.K. universities had a Reject policy in place that can actively block malicious emails from reaching their targets, leaving users of their email systems wide-open to email fraud.

While 65 percent of the top U.S. and U.K. universities, or 13 out of 20, did have a base level of DMARC protection to either monitor or quarantine emails, five of the top 10 U.S. universities did not publish any level of DMARC record, researchers found.

More specifically, 11 out of the 20 institutions investigated in the United States and United Kingdom have a Monitor policy in place, while only 2 have a Quarantine policy in place, they said. Across all the 30 universities observed, 17 of them (57 percent) implemented at least a Monitor policy, while four of them (13 percent) had at least a Quarantine policy, according to Proofpoint.
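The three levels correspond to the `p=` tag of the TXT record a domain publishes at `_dmarc.<domain>` (`p=none` is the Monitor level). The sketch below is an example added here, not Proofpoint's tooling: it classifies already-fetched TXT strings into those levels and tallies them the way the survey does. The `.example` domains and their records are constructed sample data, and treating a missing or unknown `p=` as "invalid" is a simplification.

```python
from collections import Counter

# DMARC "p=" values mapped to the level names used in the article.
LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(txt):
    """Return the tag dict of a DMARC record, or None if txt is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    # The version tag must come first and must be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    return tags

def classify(txt_records):
    """Classify the TXT strings published at _dmarc.<domain>."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(records) != 1:
        # No record, or several: receivers do not apply DMARC at all.
        return "no record"
    policy = records[0].get("p", "").lower()
    if policy not in LEVELS:
        return "invalid"  # simplification: missing/unknown p= is flagged
    pct = records[0].get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        # Policy is applied to only pct% of failing mail.
        return LEVELS[policy] + " (partial)"
    return LEVELS[policy]

def tally(domains):
    """Count how many domains sit at each level."""
    return Counter(classify(txts) for txts in domains.values())

# Constructed sample data (not the universities' real records).
SAMPLE = {
    "a.example": ["v=DMARC1; p=none; rua=mailto:dmarc@a.example"],
    "b.example": ["v=DMARC1; p=quarantine; pct=100"],
    "c.example": ["v=DMARC1; p=reject; pct=25"],
    "d.example": ["v=spf1 -all"],  # SPF only, no DMARC record
    "e.example": [],
    "f.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # duplicate records
    "g.example": ["v=DMARC1; p=reject"],
}

if __name__ == "__main__":
    for domain, txts in SAMPLE.items():
        print(f"{domain:10} {classify(txts)}")
    print(dict(tally(SAMPLE)))
```

Only `g.example` in the sample would have unauthenticated mail from its domain rejected outright; a domain with duplicate records or a `pct` below 100 looks protected at a glance but is not fully enforced.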

Universities in the Crosshairs

Educational facilities have never been at the cutting edge of security, and new protocols such as remote classes held over the Zoom video platform and others put in place during the COVID-19 pandemic have only exacerbated the situation.

Indeed, with this new shift to remote learning and a hybrid model of in-person and online courses going forward, cyberattacks against universities will continue to climb, researchers said. Exploiting human error through socially engineered malicious emails is low-hanging fruit for cybercriminals, especially when there is no barrier to block these suspicious emails from reaching the inboxes of unsuspecting victims, according to Proofpoint.

Moreover, email is often a gateway for more dangerous attacks. One type of attack that can begin with an email-related breach is ransomware, which has become a major thorn in the side of universities in recent years. In fact, one 157-year-old college, Illinois-based Lincoln College, even closed its doors recently due to a combination of pressures from the pandemic and a ransomware attack that pushed it to its breaking point.

One major issue that Proofpoint uncovered in its recent Voice of the CISO report is that CIOs in the education sector are feeling neglected by their respective organizations, without the support to implement security protections that could block the institutions from common threats, such as malicious emails, Kalember noted.

Without this support going forward—and without employing DMARC protections that can block malicious emails before they even reach a person’s inbox—users will continue to get exposed to threats that can easily be avoided, he said.

“People are a critical line of defense against email fraud but remain one of the biggest vulnerabilities for organizations,” Kalember said. “When fully compliant with DMARC, a malicious email can’t reach your inbox, removing the risk of human interference.”
