Poor University Cybersecurity Opens UK Students Up to Phishing Attacks
As A-Level results day rolls around, UK universities are sorely lacking in cybersecurity protections, according to security company Proofpoint.
The company tested the UK's top universities, as ranked by the Complete University Guide, and found 65% of them were not using Domain-based Message Authentication, Reporting & Conformance (DMARC) records.
DMARC is a protocol that lets a domain owner tell receiving email servers how to handle messages claiming to come from its domain, making it a useful weapon against phishers. Without it, a recipient cannot be sure that an email apparently from that domain came from a legitimate sender rather than from a phisher spoofing it.
Adenike Cosgrove, cybersecurity strategist at Proofpoint, said that the lack of a published DMARC record leaves universities open to impersonation attacks, which could be a problem next week when students start getting their A-Level results.
"In this particular example, cyber-criminals would spoof the university's domain and send emails to would-be students' consumer mailboxes (Gmail, Hotmail, etc.)," she explained. "Without DMARC, criminals can use the exact email address of the university in question. With DMARC, the university can block (with a 'reject' policy) any unauthorized use of its domain, communicating to receivers (i.e., the consumer ISPs in this case) that any unauthorized senders using its domains should be blocked. In essence, DMARC works to protect consumers (outbound), employees (inbound) and business partners from email fraud."
Although 35% of the top 20 universities in the UK had published a DMARC record, only 5% of them were using the strictest setting, the 'reject' policy that would actually block fake emails from reaching students, Proofpoint warned.
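The gap the article describes, between publishing a DMARC record and publishing one that actually blocks spoofed mail, is easy to check once a record is in hand. The following Python script is an added example, not code from the article or from Proofpoint: it parses DMARC TXT records using the standard tag names (v, p, sp, pct, rua) and classifies each domain as monitoring-only or enforcing. The domains and records are constructed for illustration and are not real universities' DNS data; a live check would fetch the TXT record at `_dmarc.<domain>` with a DNS client and pass the string to `assess`.

```python
"""Classify DMARC policy records by how much protection they give receivers.

Added example; not from the article or Proofpoint. The sample records below
are constructed for illustration and are not real universities' records.
"""
from dataclasses import dataclass
from typing import Optional

# DMARC policy values, weakest to strongest: none < quarantine < reject
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcAssessment:
    domain: str
    published: bool
    policy: Optional[str]
    subdomain_policy: Optional[str]
    pct: int
    enforcing: bool
    notes: list


def dmarc_query_name(domain: str) -> str:
    """DMARC records are published as a TXT record at _dmarc.<domain>."""
    return f"_dmarc.{domain.strip('.').lower()}"


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag -> value dict.

    Tag names are case-insensitive; values keep their case (report addresses).
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain: str, record: Optional[str]) -> DmarcAssessment:
    """Judge whether a published record would actually block spoofed mail."""
    notes = []
    if record is None:
        notes.append("no DMARC record published; spoofed mail is not rejected")
        return DmarcAssessment(domain, False, None, None, 0, False, notes)
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        notes.append("missing or invalid v=DMARC1 tag; receivers ignore the record")
        return DmarcAssessment(domain, True, None, None, 0, False, notes)
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        notes.append("missing or unrecognised p= tag; record is not valid")
        return DmarcAssessment(domain, True, None, None, 0, False, notes)
    # Subdomain policy defaults to the organisational policy when absent.
    sp = tags.get("sp", policy).lower()
    if sp not in POLICY_RANK:
        sp = policy
    pct = 100
    if "pct" in tags:
        try:
            pct = max(0, min(100, int(tags["pct"])))
        except ValueError:
            notes.append("pct= is not an integer; treating as 100")
    if policy == "none":
        notes.append("p=none only monitors; receivers deliver spoofed mail as usual")
    elif policy == "quarantine":
        notes.append("p=quarantine sends failures to spam rather than rejecting them")
    if pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing messages get the policy applied")
    if POLICY_RANK[sp] < POLICY_RANK[policy]:
        notes.append(f"sp={sp} is weaker than p={policy}; subdomains can still be spoofed")
    if "rua" not in tags:
        notes.append("no rua= address; the domain owner receives no aggregate reports")
    enforcing = policy == "reject" and pct == 100 and sp == "reject"
    return DmarcAssessment(domain, True, policy, sp, pct, enforcing, notes)


# Constructed sample records for hypothetical domains (not real lookups).
SAMPLE_RECORDS = {
    "example-uni-a.ac.uk": None,
    "example-uni-b.ac.uk": "v=DMARC1; p=none; rua=mailto:dmarc@example-uni-b.ac.uk",
    "example-uni-c.ac.uk": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@example-uni-c.ac.uk",
    "example-uni-d.ac.uk": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example-uni-d.ac.uk",
    "example-uni-e.ac.uk": "v=DMARC1; p=reject; rua=mailto:dmarc@example-uni-e.ac.uk",
}


def survey(records: dict) -> dict:
    """Summarise a set of domains the way the article's percentages do."""
    results = [assess(d, r) for d, r in records.items()]
    total = len(results)
    published = sum(1 for r in results if r.published)
    enforcing = sum(1 for r in results if r.enforcing)
    return {
        "total": total,
        "published_pct": round(100 * published / total),
        "enforcing_pct": round(100 * enforcing / total),
        "results": results,
    }


if __name__ == "__main__":
    summary = survey(SAMPLE_RECORDS)
    for r in summary["results"]:
        state = "ENFORCING" if r.enforcing else "NOT ENFORCING"
        print(f"{dmarc_query_name(r.domain):<30} {state:<14} p={r.policy} sp={r.subdomain_policy} pct={r.pct}")
        for n in r.notes:
            print(f"    - {n}")
    print(f"\n{summary['published_pct']}% publish a record; {summary['enforcing_pct']}% fully enforce reject")
```

The point the script makes is the article's own: of the four constructed domains that publish a record, only one counts as enforcing. A `p=none` record, a partial `pct=`, or a weaker `sp=` for subdomains each leaves a route for spoofed mail to reach students' inboxes, so a survey that only counts published records overstates the protection in place.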
Students should be extra diligent when receiving email from universities, the company warned, especially if the message asks for log-in credentials or threatens to suspend an account unless they click on a link. They should also use strong passwords that are unique to each account, it concluded.
Source: Information Security Magazine