October: Cyber Security Awareness Month 2024
Phishing: Understanding the Threat and How to Prevent It
In today’s increasingly digital world, the education sector is a growing target for cybercriminals, especially through phishing attacks. Colleges and universities hold sensitive data, such as personal information, financial records and research data, and this makes them prime targets for these attacks. See the UK Government’s Cyber Security Breaches Survey 2024.
What is Phishing?
Phishing is a form of cyber-attack where malicious actors impersonate trusted entities—such as administrators, government bodies, or reputable companies—to trick individuals into revealing sensitive information, such as usernames, passwords, or financial details. These attacks are often conducted through emails, but they can also occur via text messages (smishing), phone calls (vishing), or fake websites.
Phishing attacks rely on human error (mentioned in a previous blog, Strengthening Cyber Defences), exploiting the natural trust we have in familiar organisations or individuals. In the education sector, these attacks often target students, faculty, and administrative staff who may unknowingly fall for these scams.
Why is Phishing a Major Threat to the Education Sector?
Educational institutions store vast amounts of sensitive data, including student records, financial information, and research data. Cybercriminals see this as a goldmine that can be exploited for financial gain or sold on the dark web.
Many educational institutions operate on tight budgets, often allocating limited resources to cybersecurity. This can leave them vulnerable to sophisticated phishing attacks.
Colleges and universities have a diverse user base, including students, faculty, staff, and visitors, who may have varying levels of cybersecurity awareness. This diversity makes it harder to implement uniform security measures and policies.
The education sector relies heavily on email communication for sharing information, assignments, grades, and administrative notices. This makes it easier for attackers to disguise phishing emails as legitimate communication from the institution.
The shift towards remote learning has increased the use of digital platforms and tools, making it easier for cybercriminals to exploit vulnerabilities through phishing campaigns.
Common Phishing Tactics in the Education Sector
Attackers impersonate the institution’s IT department, asking users to reset their passwords or provide login credentials.
Fake notice emails that appear to come from school administrators, notifying recipients of urgent policy changes, grades, or schedule updates that require clicking on a malicious link.
Phishing emails are sent promising scholarships, grants, or financial aid that require students to provide personal and financial information.
Targeted phishing emails aimed at faculty, posing as collaboration opportunities from reputable institutions or researchers, with the aim of stealing sensitive research data.
Attackers will send links to fake login pages that resemble those of the institution’s online portal, tricking users into entering their credentials.
Common types of Phishing
Spear Phishing
Spear phishing attacks are highly targeted, focusing on specific individuals or small groups. Attackers gather personal information about their targets to craft convincing messages that seem legitimate and tailored. This personalised approach makes spear phishing more difficult to detect and often more effective.
Vishing
Vishing, or “voice phishing,” is a type of phishing attack conducted over the phone. Instead of using emails with malicious links or attachments, vishers try to trick their victims into revealing sensitive information, such as credit card details or personally identifiable information (PII). They may also convince targets to install malware on their devices, all through persuasive phone conversations.
Smishing
Smishing is a form of phishing carried out via SMS text messages. These messages typically claim there’s an issue with the recipient’s account, prompting them to click on a link that leads to a phishing page. Once on the page, attackers can steal login credentials or other sensitive information.
Whaling
Whaling attacks are a specialised type of spear phishing aimed at high-level executives, such as CEOs or CFOs. Because these individuals have the authority to approve large financial transactions or access confidential information, they present a highly attractive target for cybercriminals.
Business Email Compromise (BEC)
Business Email Compromise covers attacks in which an attacker impersonates, or takes over the mailbox of, a senior figure or trusted supplier and instructs staff to carry out specific actions, such as transferring funds to a fraudulent account; the executive-impersonation variant is often called CEO fraud. BEC attacks are often highly sophisticated and rely on the trust employees place in their organisation’s leadership, and because the request arrives as a plain email with no link or attachment, it frequently passes through technical filters untouched.
AI Voice Scams
These are increasing as AI tools become more widely available. Voice-cloning technology is used to mimic a person’s voice, often impersonating a trusted individual such as an executive. Scammers can create convincing audio clips or real-time conversations from just a small sample of someone’s voice, which they then use to deceive targets into sharing sensitive information or transferring money. These scams are becoming increasingly sophisticated, making the fraud harder to detect and emphasising the need for caution when receiving unexpected calls or requests; an urgent payment request by phone should be confirmed by calling the person back on a number you already hold.
Teams invites
Threat actors are increasingly using fake Microsoft Teams invites as a method to launch phishing attacks. By mimicking legitimate Teams meeting invitations, they trick recipients into clicking malicious links or downloading harmful attachments, often disguised as meeting details or files. Since many businesses rely on Teams for communication, these fraudulent invites can appear convincing and bypass typical security filters. Once the user interacts with the malicious content, threat actors can gain access to sensitive data, steal credentials, or install malware, posing a serious risk to organisations.
How to Prevent Phishing
Regularly educate students, faculty, and staff about the risks of phishing and how to recognise suspicious emails, links, and attachments. Conduct phishing simulations to test their awareness and improve their response to real threats.
You can start to see a regular theme emerging: require MFA for all users accessing the institution’s digital resources. This adds an extra layer of security, ensuring that even if a password is compromised, unauthorised access is less likely. Where you can, prefer phishing-resistant methods such as FIDO2 security keys or passkeys: SMS codes and push-notification approvals can be relayed by the same fake login page that harvests the password.
Deploy email filtering that can detect and block phishing emails before they reach users’ inboxes; these tools check sender reputation, links and attachments. Also publish SPF, DKIM and DMARC records for the institution’s own domains so that messages forging your sender addresses can be rejected rather than delivered.
Create a clear process for reporting suspicious emails or activity. Encourage all users to report any potential phishing attempts immediately, enabling a quick response from the IT team.
Prevention is better than cure
Ensure that all software, systems, and security tools are regularly updated to protect against known vulnerabilities. This includes installing patches, updates, and security fixes promptly.
Implement role-based access controls to ensure that only authorised personnel have access to sensitive data. This reduces the risk of data exposure if a phishing attack is successful.
Continuously monitor for unusual login attempts, unauthorised access and other suspicious behaviour. Use intrusion detection and prevention systems (IDPS) to identify and respond to threats in real time. Because a phished password produces a successful sign-in rather than an exploit, pay particular attention to sign-ins from unfamiliar countries or devices, a run of failures followed by a success, many different accounts failing from one source address, newly created mailbox forwarding rules, and MFA registrations nobody asked for.
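As an added example (not code from the Jisc post), here are three of those sign-in checks run over a handful of constructed log lines: a password-spray source hitting many accounts, an account that succeeds after a burst of failures, and a successful sign-in from a country the account has never used before. The log format, the thresholds and the sample data are all assumptions made for this example.

```python
"""Added example, not from the Jisc post: simple sign-in anomaly detections
over constructed log lines. Format, thresholds and data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp user result source_ip country
SAMPLE_LOG = """\
2024-10-07T07:55:00Z bob success 198.51.100.20 GB
2024-10-07T08:01:12Z alice success 198.51.100.10 GB
2024-10-07T08:05:40Z bob failure 203.0.113.5 GB
2024-10-07T08:05:41Z carol failure 203.0.113.5 GB
2024-10-07T08:05:43Z dave failure 203.0.113.5 GB
2024-10-07T08:05:44Z erin failure 203.0.113.5 GB
2024-10-07T08:05:46Z frank failure 203.0.113.5 GB
2024-10-07T08:05:47Z grace failure 203.0.113.5 GB
2024-10-07T09:10:00Z bob failure 192.0.2.77 NL
2024-10-07T09:10:05Z bob failure 192.0.2.77 NL
2024-10-07T09:10:09Z bob failure 192.0.2.77 NL
2024-10-07T09:10:15Z bob failure 192.0.2.77 NL
2024-10-07T09:10:21Z bob success 192.0.2.77 NL
2024-10-07T10:00:00Z alice success 198.51.100.10 GB
"""

FAIL_THRESHOLD = 4        # failures on one account, inside WINDOW, before a success
SPRAY_THRESHOLD = 5       # distinct accounts failing from one IP inside WINDOW
WINDOW = timedelta(minutes=10)


def parse(log_text: str) -> list:
    """Turn the whitespace-separated sample lines into sorted event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip, country = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "result": result, "ip": ip, "country": country})
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list) -> list:
    """Return (alert_type, subject, timestamp) tuples in the order they fire."""
    alerts = []
    recent_failures = defaultdict(list)   # user -> timestamps of failures since last success
    seen_countries = defaultdict(set)     # user -> countries with an earlier successful sign-in
    ip_failures = defaultdict(list)       # ip -> (timestamp, user) of failures
    alerted_ips = set()                   # avoid repeating the spray alert for one source
    for e in events:
        if e["result"] == "failure":
            recent_failures[e["user"]].append(e["ts"])
            ip_failures[e["ip"]].append((e["ts"], e["user"]))
            users_in_window = {u for t, u in ip_failures[e["ip"]] if e["ts"] - t <= WINDOW}
            if len(users_in_window) >= SPRAY_THRESHOLD and e["ip"] not in alerted_ips:
                alerted_ips.add(e["ip"])
                alerts.append(("password_spray_source", e["ip"], e["ts"]))
            continue
        # successful sign-in: compare against the account's own recent history
        fails = [t for t in recent_failures[e["user"]] if e["ts"] - t <= WINDOW]
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append(("success_after_failures", e["user"], e["ts"]))
        if seen_countries[e["user"]] and e["country"] not in seen_countries[e["user"]]:
            alerts.append(("new_country", e["user"], e["ts"]))
        seen_countries[e["user"]].add(e["country"])
        recent_failures[e["user"]].clear()
    return alerts


def run(log_text: str = SAMPLE_LOG) -> list:
    return detect(parse(log_text))


if __name__ == "__main__":
    for kind, subject, when in run():
        print(f"{when:%Y-%m-%d %H:%M:%S}  {kind:<24} {subject}")
```

On the sample data this fires three alerts: the spray source 203.0.113.5 once it has failed against five different accounts, then bob’s success after four failures from a new address, and bob’s first ever sign-in from NL. In a real deployment the country baseline would be built from weeks of history rather than the same file, and an alert on a successful sign-in should trigger a session revocation and a check for new forwarding rules on that mailbox.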
Have a well-defined incident response plan in place to quickly contain and mitigate the damage in the event of a successful phishing attack. This plan should outline steps for communication, containment, investigation, and recovery.
Conclusion
Phishing remains a significant threat to the education sector, and it is here to stay. By understanding the risks, recognising common phishing tactics, implementing a robust cyber security strategy, and developing a security culture with strong awareness training, educational institutions can protect themselves against these malicious attacks. Prevention starts with awareness and education (see the previous blog), so investing in regular training, strong authentication methods and vigilant monitoring will go a long way towards securing the digital future of our colleges and universities.
By taking proactive steps to combat phishing, the education sector can ensure a safer environment for learning, research, and growth.
Tips
A look-alike domain can be almost indistinguishable from the real one:
info@citibank.com
info@citibαnk.com
Look at the a in the second domain name. The first address is the genuine domain; the second replaces the Latin a with a Greek lowercase alpha (α), and an attacker can do the same with the Cyrillic а, which is visually identical to the Latin letter. Domains like this are easy to fall for, so stay vigilant and check the sender address and any links contained in emails that you are wary of. Mail clients and browsers often display such internationalised domains in their punycode form, which starts with xn--, so treat an unexpected xn-- in a sender address or link as a warning sign.
Here are some of the legitimate Microsoft domains on which you may genuinely be asked for your Microsoft password. Check that the address bar shows exactly one of these hosts, not a longer name that merely contains one of them:
- https://login.microsoftonline.com
- https://login.live.com
- https://www.onenote.com
- https://forms.office.com
Use tools such as VirusTotal and Any.Run to check URL links. Check before you click.
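The two checks above (is the domain a mixed-script look-alike, and is the link host exactly one of the legitimate Microsoft sign-in hosts) can be scripted. The following is an added example, not code from the Jisc post: it uses the allowlist given above, and the brand keyword list, the sample addresses and the sample URLs are assumptions made for this example.

```python
"""Added example, not from the Jisc post: flag look-alike (homograph) sender
domains and check link hosts against the post's allowlist of Microsoft
sign-in hosts. BRAND_KEYWORDS and the sample inputs are assumptions."""
import unicodedata
from urllib.parse import urlsplit

# Hosts listed in the post where a Microsoft password prompt is expected.
LEGIT_MICROSOFT_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "www.onenote.com",
    "forms.office.com",
}
# Brand words whose presence in any *other* host is a look-alike warning (assumption).
BRAND_KEYWORDS = ("microsoft", "onenote", "office")


def script_of(ch: str) -> str:
    """First word of the Unicode character name, e.g. 'LATIN', 'GREEK', 'CYRILLIC'."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def analyse_domain(domain: str) -> dict:
    """Normalise a domain, recover its Unicode form if it arrived as punycode,
    and report its ASCII (xn--) form plus the scripts its letters use."""
    domain = unicodedata.normalize("NFC", domain.strip().rstrip(".").lower())
    if "xn--" in domain:              # already punycoded: decode so we can inspect the letters
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    scripts = {script_of(c) for c in domain if c.isalpha()}
    try:
        ascii_form = domain.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = None             # not a valid internationalised domain name
    return {"domain": domain, "ascii": ascii_form, "scripts": scripts,
            "mixed_script": len(scripts) > 1, "is_ascii": domain.isascii()}


def verdict_for_domain(domain: str) -> str:
    """'ascii', 'idn' (one non-Latin script), 'homograph' (mixed scripts) or 'invalid'."""
    info = analyse_domain(domain)
    if info["ascii"] is None:
        return "invalid"
    if info["mixed_script"]:
        return "homograph"            # Latin mixed with Greek/Cyrillic: almost always a look-alike
    if not info["is_ascii"]:
        return "idn"                  # legitimate in many countries, but worth a second look
    return "ascii"


def check_sender(address: str) -> str:
    """Verdict for the domain part of an e-mail address."""
    _, _, domain = address.rpartition("@")
    return verdict_for_domain(domain)


def classify_url(url: str) -> str:
    """'trusted' only for an exact allowlisted host; 'lookalike' for mixed-script
    hosts or hosts that merely contain a Microsoft brand word; else 'untrusted'."""
    host = urlsplit(url).hostname or ""
    info = analyse_domain(host)
    if info["is_ascii"] and info["domain"] in LEGIT_MICROSOFT_HOSTS:
        return "trusted"
    if info["mixed_script"]:
        return "lookalike"
    if any(word in info["domain"] for word in BRAND_KEYWORDS):
        return "lookalike"            # e.g. login.microsoftonline.com.evil.example
    return "untrusted"


if __name__ == "__main__":
    for addr in ("info@citibank.com", "info@citibαnk.com"):
        print(addr, "->", check_sender(addr), analyse_domain(addr.split("@")[1])["ascii"])
    for link in ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
                 "https://login.micrοsoftonline.com/",          # Greek omicron
                 "https://login.microsoftonline.com.evil.example/"):
        print(link, "->", classify_url(link))
```

Note that the allowlist match is exact: a host such as login.microsoftonline.com.evil.example contains the genuine name but is a different registered domain, which is why the brand-keyword test treats it as a look-alike rather than trusted. The script detection uses Unicode character names, which is crude but catches the common Latin-plus-one-other-script trick; a production filter would use the Unicode confusables data as browsers do.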
Another way to spot phishing pages is to pay attention to page titles and favicons. A legitimate page should have a title that matches the service you are interacting with, without strange symbols or gibberish; random characters or an incomplete title are often signs that something is wrong.
Besides the page title, genuine websites have a favicon that corresponds to the service. An empty or generic favicon can be a sign of a phishing attempt, although a careful attacker will copy the real favicon along with the rest of the page, so treat this as a supporting clue rather than proof either way.
And keep updated by joining the Jisc cyber community group. With more than 2,200 members, it’s a forum for sharing knowledge, best practice and threat intelligence for the benefit of the whole education and research sector.
Explore the latest cyber security technologies, innovations and future insights from both a national and international perspective at Jisc’s Security Conference 2024, 26-27 November, ICC Wales, and 28 November online.