The U.S. higher education system is lagging when it comes to implementing email security – even though the segment remains a top target for phishing and spam campaigns.
According to an analysis from Red Sift shared with Threatpost, only 3 percent of the top 200 schools in the 2020 WSJ/THE College Rankings have the DMARC protocol configured at its fullest protection level.
DMARC (which stands for Domain-based Message Authentication, Reporting and Conformance) is an industry standard that ensures emails are authenticated before they reach users’ mailboxes and confirms that they have been sent from legitimate sources. If configured correctly, potential phishing emails can be stopped at the gateway, or redirected to the junk folder.
DMARC Basics
DMARC policies are designed to be incremental, from a simple reporting-only system to a strict policy where messages failing authentication are rejected without being delivered or seen by the intended recipient.
To start, companies receive daily aggregate reporting from ISPs detailing a number of items, such as the number of messages they’ve seen using their domains, how many messages passed or failed authentication and the authentication results of the mail.
The next step is the quarantine phase, where any mail failing authentication be routed to the spam/bulk/junk folder. And for the most secure set-up under DMARC, organizations can choose to use a reject policy, to stop mail that fails authentication from even being accepted by the receiving mail systems.
Failing Grades
Of the 200 universities in the report, 116 did not have a valid DMARC record in place, according to Red Sift. And 78 schools only had the protocol deployed in reporting mode, meaning phishing emails could still find their way to the inbox, leaving only six schools that actually had their DMARC deployed in protection mode — the only way to authenticate and block suspicious mail.
Brandeis University, Bentley University, University of San Francisco, Saint Mary’s College of California had their policies set for “quarantine.” And of all the schools in the report, only the University of Pittsburgh and Georgetown University received top marks, with their DMARC policy set to “reject.”
“Whilst universities may well be institutions of learning and great academic progress, they are also big businesses, and as such attract just as much unwanted attention from cybercriminals as those on the Dow Jones,” Rahul Powar, Red Sift co-founder and CEO, told Threatpost in an email interview. “With no effective DMARC protection in place these universities remain vulnerable to attacks.”
In particular, attacks that use email impersonation to get recipients to provide their personal data, send money or click on a malicious link are rampant.
“This means current and prospective students, as well as staff and anyone with whom an unsecured university communicates, could receive an email from a fraudster that looks completely genuine,” Powar added. “If we stop for a minute to think about the number of payment request emails alone that go to students — for tuition, accommodation, meal plans, books – it suddenly becomes a very attractive prospect for cybercriminals to fake a University’s email address, target vulnerable students and steal their money.”
Real-World Attacks
The numbers come as schools continue to be in the crosshairs of cyberattackers. Recently, the Silent Librarian threat group (also known as TA407 and Cobalt Dickens), which operates out of Iran, has been on the prowl for credentials since the start of the 2019 school year in September, launching low-volume, highly-targeted, socially engineered emails that eventually trick students into handing over their login credentials. And, earlier this year, Oregon State University lost the personal information relating to over 600 students when an employee fell for a phishing scam.
Separately, a phishing attack hit employees at Wichita State University, who were duped into handing over login information that subsequently led the scammers accessing other employees’ bank details and stealing money.
“If we think about the vast amount of data that universities hold about their student population, past and present,” Powar told Threatpost. “That’s a valuable resource and one that could well be easily accessed via a malicious link in an impersonated email to a time-pressed member of faculty staff.”
Most Can’t Pass the Test
Powar also said that higher education lags behind other verticals in DMARC adoption, but reports show that not many organizations in other areas get high marks either. In fact, according to 250ok’s Global DMARC Adoption 2019 report, which analyzed 25,700 domains in the education, e-commerce, legal, financial services, SaaS and nonprofit sectors, as well as the Fortune 500, U.S. government and China Hot 100 sectors – about 80 percent of company web domains don’t have standard email authentication protections in place.
“Given the information available on the risks associated with leaving your domain unprotected, it’s shocking the number of brands that still don’t understand the importance of DMARC,” said Matthew Vernhout, director of privacy at 250ok, in the report. “Until we reach a place where email receivers require proper authentication on all emails, including DMARC implementation, the onus is on brand leaders to keep their customers and employees safe from phishing.”
Overall, the report found that about a fifth (20.3 percent) of domains have some level of DMARC policy in place, and out of those, just 6.1 percent have enacted a reject policy.
What are the top mistakes leading to data breaches at modern enterprises? Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free Threatpost webinar, “Trends in Fortune 1000 Breach Exposure.” Click here to register.
