Barracuda Networks has detected a new wave of spear-phishing attacks targeting the education sector, as institutions continue to operate online. The researchers evaluated over 3.5 million spear-phishing attacks executed on various sectors, including those that were solely aimed at the education sector, affecting more than 1,000 schools, colleges, and universities. Spear phishing is a personalized phishing attack that targets a specific organization or individual. Over the years, cybercriminals have rapidly evolved and continue to adopt more innovative styles of attacks against different sectors, including education.
The Threat Spotlight further revealed that educational institutions are more than twice as vulnerable to a carefully-crafted business email compromise (BEC) attack than an average organization. Using this form of attack, threat actors have taken hold of schools, resulting in devastating losses. While the scale of attacks dropped by 10-14% during summer vacation (July and August), the number substantially picked up in September when students returned from holidays. The researchers also highlighted the advent of two more common types of attacks: email scams and service impersonation, against schools between July and September.
There was another stunning revelation in the report. Gmail accounts were the primary medium for cybercriminals to launch the aforementioned attacks – accounting for 86% of all BEC attacks on the education sector. Cybercriminals prefer to use well-known email providers like Gmail because they are free, easy to register, and have a higher reputation in the market. They customized malicious email addresses using terms like ‘principal’, ‘head of department’, ‘school’, and ‘president’ to make them look realistic. In fact, attackers even used convincing subject lines to quickly grab the victim’s attention and thus create a sense of urgency. Some of them include COVID-19 New Updates, COVID-19 School Meeting, COVID-19 Update, and Follow Up Right Now, among others.
Surprisingly, as per the analysis, of the total number of malicious messages detected (both inbound and outbound), 1 in 4 messages was sent from internal email accounts. This percentage was significantly higher for the education sector, with 57% of infectious emails sent from internal accounts. This means accounts in the education industry were used to send more attacks than they actually received. Since there was a high degree of trust associated with these compromised accounts due to their legitimacy, it was incredibly valuable for criminals who used them as a perfect launchpad for attacks.
Murali Urs, Country Manager-India, Barracuda Networks, said, “As schools and colleges continue to teach students remotely, it makes both the parties vulnerable to cyberattacks. Spear phishing has many forms as we saw in our latest threat report. While online teaching and learning is a crucial part of the new normal, it is also important for students and teachers to act mindfully before, during and post the online classes. Neither every system has an updated antivirus protection, nor everyone is aware of how to respond to these attacks. Investing in the right cybersecurity solutions along with gaining proper knowledge on prevention methods is, therefore, the need of the hour.”
To begin with, schools and colleges need to prioritize email security that leverages artificial intelligence to identify unusual senders and requests. This additional layer of defense on top of traditional email gateways will provide substantial protection against spear-phishing attacks for both staff and students. They must also invest in technology that will enable them to identify suspicious activities and potential signs of account takeover.
In addition, institutions should educate both staffers and students about email threats and how to recognize them, understand their nature, and finally report them. Security awareness training is all the more critical now because of the increasing reliance of educators and learners on email and other digital tools for communication and educational purposes.
On top of that, institutions must also establish and regularly review company policies to ensure that personal and financial information is handled safely, especially during wire transfers and payment changes. In-person/telephone confirmation or approval from multiple authorities for financial transactions can work wonders.