Of nearly 2,000 higher education institutions using .edu email domains in the U.S., only 152 institutions have implemented the strictest security policies to flag, report and remove outbound phishing attempts, the email security provider EasyDMARC reported Tuesday.
The majority of institutions surveyed by EasyDMARC had implemented the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard, which lets a domain owner tell receiving mail servers how to handle suspicious-looking messages sent in the domain's name. However, the company said, most are not implementing the strictest DMARC policy, known as the “reject” policy, leaving users vulnerable to phishing attempts.
According to EasyDMARC, institutions should be striving for the “reject” policy, as this prevents malicious emails from ever making it into a recipient’s inbox. In its default “monitoring” mode, DMARC reports messages that look suspicious but may still allow them to reach a recipient’s inbox. A “quarantine” policy files suspicious mail into a spam folder or warns readers to take extra caution, while a “reject” policy advises receiving servers to stop the message from reaching the recipient altogether.
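To make the three policy levels concrete, here is an added example (not EasyDMARC's tooling) that parses a domain's DMARC TXT record and reports the weakest treatment a spoofed message could receive, taking into account the subdomain policy (`sp`) and the sampling percentage (`pct`), two tags that silently weaken a nominal “reject”. The domain names and records are constructed placeholders, and no DNS lookups are performed.

```python
from typing import Dict, Optional

# Constructed sample DMARC TXT records (placeholder domains, no DNS lookups)
SAMPLE_RECORDS = {
    "monitor-only.example.edu": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example.edu",
    "quarantine.example.edu": "v=DMARC1; p=quarantine; rua=mailto:dmarc@quarantine.example.edu",
    "strict.example.edu": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "sampled.example.edu": "v=DMARC1; p=reject; pct=50",  # rejects only half the failing mail
    "loose-subdomains.example.edu": "v=DMARC1; p=reject; sp=none",  # subdomains unprotected
    "no-record.example.edu": "",
}

LEVELS = ["none", "quarantine", "reject"]  # weakest to strictest


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Split 'tag=value; tag=value' into a dict; None unless it carries v=DMARC1."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def effective_policy(txt: str) -> str:
    """Weakest treatment a spoofed message can receive under this record:
    'none', 'quarantine' or 'reject'; 'missing'/'invalid' when nothing usable."""
    if not txt.strip():
        return "missing"
    tags = parse_dmarc(txt)
    if tags is None or tags.get("p", "").lower() not in LEVELS:
        return "invalid"  # the 'p' tag is mandatory (RFC 7489)
    policy = tags["p"].lower()
    sub = tags.get("sp", policy).lower()  # subdomain policy defaults to p
    if sub not in LEVELS:
        sub = policy
    level = min(LEVELS.index(policy), LEVELS.index(sub))
    if int(tags.get("pct", "100")) < 100 and level > 0:
        level -= 1  # RFC 7489 6.6.4: unsampled mail gets the next weaker action
    return LEVELS[level]


def summarize(records: Dict[str, str]) -> Dict[str, int]:
    """Count domains per effective policy, the kind of tally the survey reports."""
    counts: Dict[str, int] = {}
    for txt in records.values():
        level = effective_policy(txt)
        counts[level] = counts.get(level, 0) + 1
    return counts
```

Only a record whose `p`, `sp` and `pct` all agree on full rejection counts as “reject” here; a `p=reject` with `pct=50` or `sp=none` is reported at the weaker level that spoofed mail would actually receive.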
“Phishing and spoofing are the main vectors for most modern cyber threats, including ransomware,” Gerasim Hovhannisyan, EasyDMARC’s CEO and co-founder, said in a press release. “That’s why it’s very concerning to see that less than one in ten US higher ed institutions have adopted adequate protection against these attacks by adequately implementing a DMARC solution.”