Phishing in academic environments
Higher education is a popular target for phishing scams. However, the industry’s vulnerability is often overlooked by cybersecurity specialists and university administrators alike. And the threat is serious:
- The education sector ranked #3 for the highest number of data breaches, according to the Symantec Internet Security Threat Report for 2015
- Higher education data breaches have resulted in the exposure of over 1.3 million identities
- 56% of universities have seen an increase in phishing attacks within the last year
- It’s not just the little guys — major universities like Harvard, Penn State and Johns Hopkins have all been hacked since 2015
Why do hackers target higher education?
There are a few key reasons why higher education is such an appealing target to hackers.
Colleges and universities are a one-stop shop for everything cybercriminals crave — personal data, confidential research information and deep pockets. Universities keep records of personally identifiable information belonging to students, faculty and staff. This includes Social Security numbers, financial information and more. Universities are also home to sensitive and sometimes secretive research information that can be stolen and sold to foreign entities.
But it’s not just the data gold mine that attracts hackers. Colleges and universities are particularly vulnerable to cyberattacks, and attackers like an easy target. Thousands of users — many of them students who are unaware of cybersecurity threats — make the network incredibly easy to break into via phishing scams. Add in the fact that most students use their own devices like personal laptops and cell phones, and you have an information security nightmare on your hands.
In fact, three in ten data breaches at colleges are caused by the “unintentional disclosure” of sensitive information via phishing scams or the misuse of social media, according to a survey from EdTech.
What do hackers want from universities?
Colleges and universities face cyberthreats that are unique compared to other popularly targeted industries like retailers and banks. Unlike financial institutions, whose data usually includes bank account information and credit card numbers, universities have proprietary research data and student information. Malicious actors specifically target universities in the hopes of accessing the sensitive data stored in their systems.
It’s no surprise that universities generate vast amounts of research. What may come as a surprise, though, is that hackers want to get ahold of that information. Scientific, medical and defense research are all hot commodities, in addition to public policy research regarding nuclear issues and economic forecasting. In cases of intellectual property theft, hackers are usually backed by foreign governments that are willing to pay handsomely for that information.
The most notorious example of this occurred in April 2017 when Chinese hackers attacked 27 universities to steal research used by the U.S. military. Among the targeted schools were MIT, Duke University and Pennsylvania State University. As of March 2019, none of the targeted schools had confirmed whether the attacks were successful, so we don’t know the full extent of the damage or what information — if any — fell into malicious hands.
Successfully resisting these attacks can be difficult because they’re often backed by foreign governments, which naturally have a much deeper resource pool than the victimized schools.
Schools are home to students — sometimes tens of thousands of them — and each of those students has Personally Identifiable Information (PII). University databases contain names, contact info, Social Security numbers, credit card numbers, addresses, student log-in credentials and more.
Different departments may have different resources for hackers to target. Financial aid offices store information related to the FAFSA, including household tax returns and income details. Admissions offices have application details on file from students who don’t even attend the university. Thanks to all this information, universities are a PII goldmine for attackers.
Some attackers want nothing more than plain old money. Unfortunately, they’re willing to do dangerous things to get it. These attacks vary widely in terms of who’s being targeted and what the attackers are looking to gain.
Faculty members have reported individual attacks where scammers emailed them from a colleague’s email address, asking for money or gift cards. Once one email account is compromised, it’s incredibly easy to exploit the person’s professional network since faculty contact information is posted publicly.
In the grand scheme of things, asking for an iTunes gift card is more pesky than threatening. However, other schemes have gone after bigger payoffs.
Ransomware has been a particularly popular method for this kind of scheme. A private college in New York City was hit with an attack that locked students, faculty and staff out of the school’s website, email and learning management system. The attackers demanded $2 million in Bitcoin in exchange for restoring access. That’s a big price tag for colleges, which typically don’t have a lot of wiggle room in the budget.
Valuable information and resources
University libraries have exclusive access to hundreds and sometimes thousands of journals and publications. Some of these journals contain research valuable to people living in countries with restricted access. Getting hold of this information is as simple as gaining access to a student’s account, downloading the data and selling it to an interested party.
Keeping virtual campuses safe
What can institutions do to reduce data breaches in higher education? The first step is prevention. Access control policies like multifactor authentication will make it much more difficult for unauthorized users to gain access to sensitive data. Educating students and faculty on cyber-hygiene best practices and how to spot phishing scams would cut down on unintentional disclosures.
Another tactic is adopting a defensive mindset. With the prevalence of phishing attacks on universities, staff should assume a breach is imminent. To think otherwise only leaves the school open to attacks and leaves blindsided staff scrambling to do damage control for an attack they weren’t prepared for. Instead, they should already have a plan in place for detecting and containing incoming phishing threats.
Colleges and universities shouldn’t wait until a security breach occurs to put a cybersecurity strategy in place. In a world where phishing attacks take place on a daily basis, it’s best to adopt a defensive posture and assume that a breach could take place at any time. When it comes to taking steps to reduce cybersecurity risks and protect data belonging to students and staff, there’s no better time than now.
Sources
- On Red Alert, Inside Higher Ed
- The State of Email Security Report 2019, Mimecast
- Phishing Scheme Targets Professors’ Desire to Please Their Deans — All for $500 in Gift Cards, The Chronicle of Higher Education
- Hackers Demand $2 Million From Monroe, Inside Higher Ed
- Hackers Continue to Target Higher Education, Axiom
- ISTR20 - Internet Security Threat Report, Symantec