Cybercrooks set sights on schools, universities

Educational institutions were more than twice as likely to be targeted by a business email compromise (BEC) attacks than an average organisation as rogue hackers take advantage of schools’ and colleges’ heavy reliance on email at a time of remote working.

Barracuda evaluated over 3.5 million spear-phishing attacks from June through September 2020, including attacks against more than 1,000 educational institutions such as schools, colleges, and universities in Asia-Pacific and across the globe.

Results showed that more than one-fourth of spear-phishing attacks targeting the education sector was a carefully crafted BEC attack.

Barracuda’s research shows that while cybercriminals targeted organisations evenly throughout the summer months, there was a significant drop-off in spear-phishing attacks against the education sector in July and August when schools are closed for summer break. 

These months saw a drop of 10% to 14% below average, with cybercriminals adjusting the types of attacks they used against schools during this time, focusing on email scams, which are less targeted and often sent in large volumes.

The number of attacks picked up substantially in September when students returned, with targeted phishing attacks, including service impersonation, being much more common during the school year, with June and September accounting for almost half of all spear-phishing threats against schools (47% and 48% respectively).

Gmail accounts were used to launch 86% of all BEC attacks targeting the education sector, using addresses including terms like “principal,” “head of department,” “school,” and “president” to make them look and sound more convincing. 

Cybercriminals also used “COVID-19” in subject lines to grab their victim’s attention and create a sense of urgency. More worryingly, researchers also found that one in every four malicious messages detected had been sent from a compromised internal account. This is particularly dangerous given that these messages were sent from a trusted source.

Barracuda recommends that schools, colleges, and universities prioritise email security that leverages artificial intelligence to identify unusual senders and requests, identify suspicious activity and potential signs of account takeover, while adding an additional layer of defence on top of traditional email gateways to protect against spear-phishing attacks.