Higher ed particularly at risk of email phishing attacks, report finds


Have you ever clicked on a link in an email that looked like it came from your university but instead the click infected your device with malware?

There’s probably not much protecting you from it. A new report by 250ok, an email marketing and analytics company based in Indianapolis, has found that 88.8 percent of top-level .edu domains have no protections in place against spoofing, phishing and email forgery schemes.

Matthew Vernhout, director of privacy at 250ok and the author of the report, told EdScoop that he believes there’s a knowledge gap in the higher ed space.

“I think part of it is they don’t view themselves as a target. ‘We don’t do e-commerce, we’re not a bank,’” he said. “But there have been several universities that [got] ransomware buried in their computers and it cost them real money … to unlock their computers.”

The report offers a number of recommendations to address the risk.

First, at least implement SPF, the Sender Policy Framework. The domain owner publishes a DNS record listing the mail servers authorized to send on the domain's behalf, so that when a message arrives claiming to come from a university domain, the receiving server can check whether it was actually sent from one of those authorized sources. Ideally, the higher ed tech staff also should implement DKIM, DomainKeys Identified Mail, which uses public-key cryptography: the sending mail system signs each message with a private key, and receivers use the public key published in DNS to validate that the message was signed by the sending domain and was not altered in transit.

“SPF and DKIM are both open-source standards,” Vernhout said. “SPF is supported everywhere; DKIM requires a little piece of technology to be installed in order to properly assign messages and properly match the public and private keys.”

The next step, the “gold standard,” as the report calls it, is to implement DMARC, Domain-based Message Authentication, Reporting and Conformance. DMARC lets a domain owner publish a policy telling receivers what to do with mail that fails SPF or DKIM checks for that domain (monitor only, quarantine or reject) and requests reports on that mail, which helps organizations prevent spoofing of their domains. The U.S. federal government is still working on implementing DMARC.
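As an added example (not code from the 250ok report or from EdScoop), the following Python script shows what the three steps above look like in practice: it parses SPF and DMARC TXT records, evaluates a sending IP against an SPF policy, and classifies a domain's posture from what it publishes. The DNS data is constructed inline (example.edu, monitoring.edu, unprotected.edu and the posture labels are all invented here) in place of live lookups, and only the ip4, ip6, include and all SPF mechanisms are handled, which is enough to show the pass/fail/softfail outcomes and the difference between a monitoring-only DMARC record (p=none) and an enforcing one (p=quarantine or p=reject).

```python
"""Evaluate SPF records and classify DMARC posture for a domain.

Added example, not from the 250ok report. All DNS data below is
constructed; a real checker would query TXT records instead.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: these domains and
# records are invented for the example).
SAMPLE_DNS = {
    "example.edu": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "_dmarc.example.edu": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.edu"],
    "_spf.example.net": ["v=spf1 ip4:198.51.100.10 ~all"],
    "monitoring.edu": ["v=spf1 ip4:203.0.113.5 -all"],
    "_dmarc.monitoring.edu": ["v=DMARC1; p=none; rua=mailto:reports@monitoring.edu"],
    "unprotected.edu": ["some unrelated TXT record"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def txt_lookup(name, dns=SAMPLE_DNS):
    return dns.get(name, [])


def find_spf(domain, dns=SAMPLE_DNS):
    """Return the domain's single SPF record, or None if absent or duplicated."""
    records = [r for r in txt_lookup(domain, dns) if r.lower().startswith("v=spf1 ")]
    # RFC 7208: more than one SPF record is a permanent error, so treat it as none.
    return records[0] if len(records) == 1 else None


def spf_check(ip, domain, dns=SAMPLE_DNS, depth=0):
    """Evaluate ip sending mail for domain: pass, fail, softfail, neutral or none.

    Only ip4, ip6, include and all mechanisms are implemented; any other
    mechanism (a, mx, exists, ...) is treated as not matching.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying terms; avoid include loops
        return "permerror"
    record = find_spf(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        matched = False
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            try:  # a mismatched IP version simply does not match
                matched = addr in ipaddress.ip_network(term[4:], strict=False)
            except ValueError:
                matched = False
        elif term.startswith("include:"):
            matched = spf_check(ip, term[len("include:"):], dns, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit "all"


def parse_dmarc(domain, dns=SAMPLE_DNS):
    """Return the DMARC tags for domain as a dict, or None if no valid record."""
    records = [r for r in txt_lookup("_dmarc." + domain, dns)
               if r.upper().startswith("V=DMARC1")]
    if len(records) != 1:
        return None
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def posture(domain, dns=SAMPLE_DNS):
    """Classify a domain (labels are this example's own, not the report's)."""
    dmarc = parse_dmarc(domain, dns)
    if dmarc and dmarc.get("p") in ("quarantine", "reject"):
        return "dmarc-enforced"
    if dmarc:
        return "dmarc-monitor"
    if find_spf(domain, dns):
        return "spf-only"
    return "unprotected"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.17", "example.edu"), ("203.0.113.9", "example.edu")]:
        print(f"SPF {ip} as {dom}: {spf_check(ip, dom)}")
    for dom in ("example.edu", "monitoring.edu", "unprotected.edu"):
        print(f"{dom}: {posture(dom)}")
```

The `posture` function is where the report's finding bites: a domain with a DMARC record set to p=none is still only collecting reports, and a receiver will not quarantine or reject spoofed mail until the policy is raised to quarantine or reject.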

“These three technologies are complementary; they serve slightly different functions,” he explained. “DMARC layers on top of those, so you need one or the other, or both, to function well. It allows the domain owner, the recipient, if authentication fails,” to select whether to quarantine or reject the dubious email.

“Twitter did a case study on their implementation of DMARC and they saw phishing attacks go away virtually overnight,” Vernhout said. “It makes you a much harder target; it’s easier for hackers to move to softer targets.”

The data used in the 250ok study comes from a February analysis of more than 3,600 top-level .edu domains controlled by accredited higher ed institutions in the United States.