Criminals ramp up cyberattacks on education

Schools bombarded with thousands of spear-phishing attacks every month

Posted 30 October 2020 by Christine Horton

More than 1,000 educational institutions globally, such as schools, colleges and universities, were targeted by over 3.5 million spear-phishing attacks from June through to September 2020.

That’s according to new research from Barracuda Networks’ most recent ‘Threat Spotlight’, which found that educational institutions are more than twice as likely as an average organisation to be targeted by a business email compromise (BEC) attack.

In fact, more than one in four spear-phishing attacks that targeted the education sector was a carefully crafted BEC attack. For reference, just 11 percent of spear-phishing attacks across all sectors are reported to be BEC attacks.

Last month the National Cyber Security Centre (NCSC) issued an alert to the academic sector following a spate of cyberattacks against UK schools, colleges and universities. The warning followed a spike in ransomware attacks against education establishments in August, which NCSC said caused “varying levels of disruption”.

Additionally, Barracuda says that phishing attacks made up 41 percent of all attacks targeting education. Scamming attempts accounted for 28 percent, and three percent were said to be related to extortion.

“Cyberattackers have come to understand that education institutions don’t often have the same level of security sophistication as in other organisations,” said Michael Flouton, VP email protection for Barracuda Networks. “Therefore, they will send carefully crafted email messages designed to trick unknowing and untrained victims into leaking personal or confidential information, such as login credentials, student records, or payment information.

“In light of COVID-19 and the transition to remote learning environments, the quantity of data stored on school and university servers has surged, and thus, so too has the quantity of cyberattacks facing them.”

Despite NCSC’s UK warning, Barracuda researchers observed that there was a drop-off in spear-phishing attacks against the education sector in July and August globally when schools were closed for the summer. These months saw a drop in cyberattacks of 10 to 14 percent below average. However, June and September, which are usually the last and first months of the academic year, saw a surge in spear-phishing attacks. These were 11 percent higher than the average in June and 13 percent higher in September.

In light of Covid-19, the ‘Threat Spotlight’ also observed an increasing number of email spear-phishing attacks using topical subject headings to grab victims’ attention. These include: ‘COVID19 NEW UPDATES’; ‘Covid-19 Update Follow Up Right Now’; ‘COVID-19 SCHOOL MEETING’ and ‘Re: Stay Safe’.

Said Flouton: “Schools and universities must combat this threat by investing in email security that leverages artificial intelligence to help identify unusual senders, intercept suspicious requests and block spear-phishing attacks. Additionally, account takeover protection, security awareness education for staff and students, and a reconstruction of internal policies, are all imperative to preventing human error from leading to costly mistakes in the future.”