Proofpoint Warns UK Universities Failing On Email Security

University, Education © Sam72 Shutterstock 2012

Nearly all top universities in UK, US and Australia lack basic cybersecurity measures, and are not proactively blocking fraudulent emails says Proofpoint

Staff and students at top universities in the UK, US and Australia are being put at risk due to the lack of adequate email security measures.

This is the warning from security specialist Proofpoint, which released research that identifying that 97 percent of the top universities in the UK, US and Australia have failed to implement adequate cybersecurity controls to actively block fraudulent emails from reaching recipients.

The shocking finding that none of the UK’s top 10 universities have adequate email protection comes ahead of A-level results day on the 18th of August.



Education security

This is not surprising considering previous examples of email-based compromises at UK educational establishments.

In 2012 the University of Cambridge’s email service was hacked by a hacktivist group supporting Wikileaks Julian Assange. Details of email accounts were posted online.

University of Cambridge KingsCollegeChapelWest

In 2017 a Freedom of Information (FoI) request to UK universities found 70 percent of respondents admitting to falling victim to a phishing attack.

That same year Edinburgh University students were shocked when a “system error” sent emails to final year students informing them they would not graduate in the summer.

In March 2021 email access for 37,000 students was cut off by a ransomware attack affecting a London-based group of schools called the The Harris Federation, a not-for-profit charitable trust that operates 50 primary and secondary academies in and around London.

And it seems that universities are not learning from previous cases, after Proofpoint’s research found that 97 percent of the top ten universities in the US, UK and Australia are not taking appropriate measures to proactively block attackers from spoofing their email domains.

By not doing this, these educational establishments increase the risk of email fraud, Proofpoint warned.

And this figure rose to 100 percent amongst the top 10 UK universities, with none actively blocking fraudulent emails from reaching recipients.

DMARC analysis

Proofpoint said these findings are based on Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of the top ten universities in each country.

DMARC is an email validation protocol designed to protect domain names from being misused by cybercriminals. It authenticates the sender’s identity before allowing a message to reach its intended destination.

Proofpoint noted that with a record 320,000 UK sixth-formers applying for higher education places this summer, students will be eagerly awaiting email correspondence regarding their applications when A Level results are announced on the 18th of August.

The uncertainty and unfamiliarity with the process, as well as the increase in email communication provides a perfect storm for cybercriminals to trick students with fraudulent phishing emails, said the security firm.

“Higher education institutions are highly attractive targets for cybercriminals as they hold masses of sensitive personal and financial data,” said Adenike Cosgrove, cybersecurity strategist at Proofpoint.

Proofpoint’s Adenike Cosgrove

“The Covid-19 pandemic caused a rapid shift to remote learning which led to heightened cybersecurity challenges for education institutions opening them up to significant risks from malicious email-based cyber-attacks, such as phishing,” said Cosgrove.

“Email remains the most common vector for security compromises across all industries,” Cosgrove added. “In recent years, the frequency, sophistication, and cost of cyber attacks against universities have increased. It is the combination of these factors that make it especially concerning that none of UK top ten universities is fully DMARC compliant.”

Notable findings

The key findings of the Proofpoint research are:

  • None of the UK’s top 10 universities have implemented the recommended and strictest level of protection (reject), which actively blocks fraudulent emails from reaching their intended targets, meaning all are leaving students open to email fraud.
  • Whilst 80 percent have taken the initial steps by publishing a DMARC record, the majority (75 percent) only have a monitoring policy in place for spoofed emails. This policy freely allows potentially malicious spoofed emails into the recipient’s inbox.
  • 2 out of the 10 top UK universities (20 percent) do not publish any level of DMARC record.

Proofpoint’s recent Voice of the CISO report meanwhile found that Chief Information Security Officers (CISOs) in the education sector underestimate threats from human error, and education sector CISOs are felt to be the least backed by their organisation, compared to all other industries.

But as the world switches to remote (and more recently, hybrid) learning, Proofpoint anticipates the threat to universities will continue to increase.

This means that the lack of protection against email fraud is commonplace across the education sector, exposing countless parties to impostor emails, also referred to as business email compromise (BEC).

BECs are a form of social engineering designed to trick victims into thinking they have received a legitimate email from an organisation or institution. Cybercriminals use this technique to extract personal information from students and staff by using luring techniques and disguising emails as messages from the university IT department, administration, or a campus group, often directing users to fake landing pages to harvest credentials.

Best advice

“Email authentication protocols like DMARC are the best way to shore up email fraud defences and protect students, staff, and alumni from malicious attacks,” noted Cosgrove. “As holders of vast amounts of sensitive and critical data, we advise universities across the UK to ensure that they have the strictest level of DMARC protocol in place to protect those within their networks.”

“People are a critical line of defence against email fraud but their actions remain one of the biggest vulnerabilities for organisations,” Cosgrove concluded. “DMARC remains the only technology capable of not only defending against but eliminating domain spoofing or the risk of being impersonated. When fully compliant with DMARC, a malicious email can’t reach your inbox, removing the risk of human interference.”

In the meantime, with the lack of adequate protections for students and staff, Proofpoint recommends the following:

  • Check the validity of all email communication and be aware of potentially fraudulent emails impersonating education bodies.
  • Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn’t clicked.
  • Follow best practices when it comes to password hygiene, including using strong passwords, changing them frequently and never re-using them across multiple accounts.