As many educational establishments across the Asia-Pacific region continue to work remotely, they rely heavily on email to receive updates from teachers, principals, and heads of departments. Hackers understand this and are taking advantage of the situation, according to new research from Barracuda, a provider of cloud-enabled security solutions.
Evaluating more than 3.5 million spear-phishing attacks from June through September 2020, including attacks against more than 1,000 educational institutions (schools, colleges and universities) in Asia-Pacific and across the globe, the research found that educational institutions were more than twice as likely as the average organisation to be targeted by business email compromise (BEC) attacks. More than 1 in 4 spear-phishing attacks against the education sector was a carefully crafted BEC attack.
Spear phishing is a personalised phishing attack that targets a specific organisation or individual, usually for monetary gain. Barracuda's research shows that while cybercriminals targeted organisations in general at an even rate throughout the summer months, spear-phishing attacks against the education sector dropped significantly in July and August, when schools are closed for summer break. Attack volumes in those months were 10% to 14% below average, and cybercriminals adjusted the types of attacks they used against schools, shifting to email scams, which are less targeted and often sent in large volumes.
Attack numbers picked up substantially in September when students returned. Targeted phishing attacks, including service impersonation, were much more common during the school year, with June and September accounting for almost half of all spear-phishing threats against schools (47% and 48% respectively).
According to the research, Gmail accounts were used to launch 86% of all BEC attacks targeting the education sector, with sender addresses and display names that included terms such as 'principal', 'head of department', 'school' and 'president' to make them look and sound more convincing. Cybercriminals also used 'COVID-19' in subject lines to grab the victim's attention and create a sense of urgency. More worryingly, researchers found that 1 in 4 malicious messages detected had been sent from a compromised internal account. These are particularly dangerous because they come from a genuine, trusted address rather than an impostor, so checks on the sender alone will not catch them.
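The indicators in the paragraph above (free webmail senders whose identity borrows a school role, a COVID-19 lure in the subject, and payment requests arriving from a genuine internal address) translate directly into triage rules. The following is an added example written for this page, not Barracuda's detection logic or any product's code: it parses a few constructed sample messages with Python's standard email library and returns the indicators each one trips. The institution domain, the extra lure and payment keywords beyond 'COVID-19', and the sample messages are all assumptions made for illustration.

```python
"""Heuristic spear-phishing triage for the indicators described above.

Constructed example: rules, keyword lists and sample messages are assumptions,
not Barracuda's detection logic.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical institution domain (assumption).
INTERNAL_DOMAIN = "example-college.edu"

# Free webmail providers; the report found 86% of BEC against education came from Gmail.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# Role words the report saw in attacker identities, normalised to lowercase alphanumerics.
ROLE_TERMS = ("principal", "headofdepartment", "school", "president")

# Subject-line lures; 'COVID-19' is from the report, the others are assumptions.
LURE_TERMS = ("covid-19", "covid19", "urgent", "immediately")

# Payment language that makes a message from a trusted internal address a BEC candidate.
PAYMENT_TERMS = ("wire transfer", "bank account", "bank details", "gift card", "invoice")


def _alnum(text):
    """Lowercase and strip everything but letters and digits, so 'Head.Of-Dept' style
    local parts and display names can be matched against ROLE_TERMS."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _body_text(msg):
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def analyze(raw_message, internal_domain=INTERNAL_DOMAIN):
    """Return the list of indicator names found in one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    subject = (msg.get("Subject") or "").lower()
    body = _body_text(msg).lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    flags = []
    identity = _alnum(display) + _alnum(local)
    if domain in FREEMAIL_DOMAINS:
        flags.append("freemail_sender")
        if any(term in identity for term in ROLE_TERMS):
            flags.append("role_in_freemail_identity")
    if any(term in subject for term in LURE_TERMS):
        flags.append("lure_subject")
    if reply_addr and reply_addr.rpartition("@")[2].lower() != domain:
        flags.append("reply_to_domain_mismatch")
    if any(term in body for term in PAYMENT_TERMS):
        # A payment request from the institution's own domain is the compromised-account
        # case: the sender is genuine, so it must be judged on content, not on trust.
        flags.append("internal_payment_request" if domain == internal_domain else "payment_request")
    return flags


def verdict(flags):
    """'review' when indicators stack up or an internal account asks for money,
    'monitor' for a single weak signal, 'pass' when nothing fires."""
    if "internal_payment_request" in flags or len(flags) >= 2:
        return "review"
    return "monitor" if flags else "pass"


# Constructed sample messages (not real traffic).
SAMPLES = {
    "freemail_principal": "\n".join([
        'From: "Principal Dana Whitford" <principal.dwhitford@gmail.com>',
        "To: bursar@example-college.edu",
        "Subject: COVID-19 - urgent request",
        "",
        "Are you at your desk? I need a wire transfer processed today.",
    ]),
    "compromised_internal": "\n".join([
        'From: "Dr M. Osei" <m.osei@example-college.edu>',
        "To: finance@example-college.edu",
        "Subject: Vendor payment",
        "",
        "Please update the bank details for the lab supplier before Friday.",
    ]),
    "freemail_plain": "\n".join([
        'From: "Alex" <alex.t@outlook.com>',
        "To: reception@example-college.edu",
        "Subject: Quick question",
        "",
        "Do you have a minute before the staff meeting?",
    ]),
    "benign_registrar": "\n".join([
        'From: "Registrar" <registrar@example-college.edu>',
        "To: all-staff@example-college.edu",
        "Subject: Term dates for autumn",
        "",
        "Autumn term begins on 7 September. Timetables are on the student portal.",
    ]),
}


def triage(samples=SAMPLES):
    """Map each sample name to (verdict, flags)."""
    return {name: (verdict(analyze(raw)), analyze(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (result, flags) in triage().items():
        print(f"{name:22s} {result:8s} {flags}")
```

The rule that matters most is the last one: an internal sender gets no credit for being internal when the message asks for a payment or a change of bank details, which is exactly the case the research flags as most dangerous. Everything else is a cheap pre-filter; a free-mail address with 'principal' in it is suspicious on its own, but a single weak signal only earns a 'monitor' so that staff who genuinely mail from personal accounts are not drowned in alerts.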
“The research shows that educational institutions across Asia-Pacific and the globe are being disproportionately targeted by socially engineered attacks, such as service impersonation and business email compromise, as attackers know that these organisations don’t always have the same level of security sophistication as other organisations,” said Mark Lukie, Senior Engineer Manager, Barracuda, Asia-Pacific.
To stay protected, Barracuda recommends that schools, colleges and universities prioritise email security that uses artificial intelligence to identify unusual senders and requests, spot suspicious activity and potential signs of account takeover, and add a layer of defence against spear-phishing attacks on top of traditional email gateways. The firm also recommends that educational institutions review their internal policies to prevent wire transfer fraud.
“Aside from making sure you have the right technology to stay protected, it’s crucial to ensure that both staffers and students have security awareness training, and know how to recognise and report attacks, which is your first line of defence in keeping your educational institution safe and protected,” he added.