Threat Spotlight: Spear-phishing attacks targeting education sector
As many schools and colleges continue to be remote, they rely heavily on email to receive updates from teachers, principals, and heads of departments. Hackers understand this and are taking advantage of the situation.
From June through September 2020, Barracuda researchers evaluated over 3.5 million spear-phishing attacks, including attacks against more than 1,000 educational institutions such as schools, colleges, and universities.
Our researchers found that educational institutions are more than twice as likely to be targeted by business email compromise (BEC) attacks than an average organization. In fact, more than 1 in 4 spear-phishing attacks that we saw targeting the education sector was a carefully crafted BEC attack.
Recent high-profile BEC attacks targeting schools and colleges demonstrate the devastating costs of this kind of attack:
- Manor Independent School District in Texas reported that a seemingly normal school-vendor transaction resulted in a loss of $2.3 million.
- Scammers used a fraudulent email to steal $3.7 million from Scott County Schools in Kentucky.
Here’s a closer look at the trends Barracuda researchers found in the ways cybercriminals are targeting schools, as well as solutions organizations can use to defend against these attacks.
Spear-phishing attacks targeting schools
Spear phishing is a personalized phishing attack that targets a specific organization or individual, and cybercriminals are constantly adapting how they use these attacks against different industries, such as education.
Our research shows that, overall, cybercriminals targeted organizations evenly throughout the summer months, with an increase in the number of attacks in September. In comparison, there was a significant drop-off in spear-phishing attacks against the education sector in July and August when schools are closed for summer break. These months saw a drop of 10% to 14% below average, and the number of attacks picked up substantially in September when students returned.
Cybercriminals also adjusted the types of attacks they used against schools during summer break. In July and August, attacks against schools focused on email scams, which are less targeted and often sent in large volumes.
Targeted attacks, such as phishing that includes service impersonation, were much more common during the school year. In June and September, these types of attacks made up almost half of all spear-phishing threats against schools (47% and 48% respectively). This number dropped by more than half in July when schools were out. Our researchers observed a similar trend for business email compromise attacks, where the number of attacks increased while school was in session. For other industries, the distribution of different attack types stayed relatively stable across the months.
According to our analysis, attackers used Gmail accounts to launch 86% of all BEC attacks targeting the education sector. We have seen similar trends in attacks on organizations overall, where hackers give preference to Gmail accounts for launching BEC attacks. Cybercriminals prefer to use well-known email providers like Gmail because they are easy to register, free, and have a higher reputation suitable for highly targeted BEC attacks.
Attackers also customize their malicious email addresses using terms like ‘principal,’ ‘head of department,’ ‘school,’ and ‘president’ to make them look and sound more convincing. Email addresses that we saw used in BEC attacks against schools in this analysis include:
Cybercriminals create targeted, relevant subject lines to grab the victim’s attention and create a sense of urgency. For example, in this analysis we saw a significant number of attacks using COVID-19 in their subject lines:
- COVID19 NEW UPDATES
- Covid-19 Update Follow Up Right Now
- COVID-19 SCHOOL MEETING
- Re: Stay safe
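The sender and subject patterns described above (role words such as ‘principal’ in the sender identity, a free webmail domain like Gmail instead of the school’s own domain, and COVID-19 or urgency lures in the subject line) can be turned into a simple triage heuristic. The following is an added example written for this post, not Barracuda’s detection logic; the school domain, the scoring weights and the sample messages are constructed assumptions.

```python
"""Heuristic triage for BEC-style impersonation mail (added illustration, not Barracuda code)."""
import re
from email.utils import parseaddr

SCHOOL_DOMAIN = "example-isd.edu"  # assumption: the defended organization's own domain
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Role words the post reports attackers using to make sender addresses look convincing
ROLE_TERMS = ("principal", "head of department", "president", "school", "superintendent")
# Urgency / pandemic lures drawn from the subject lines quoted in the post
URGENCY_TERMS = ("covid", "right now", "urgent", "immediately", "stay safe")


def _has_role_term(display, local):
    """True if a role word appears in the display name or in the mailbox name (dots stripped)."""
    compact = re.sub(r"[._-]", "", local)
    return any(t in display or t.replace(" ", "") in compact for t in ROLE_TERMS)


def score_message(from_header, subject):
    """Return (score, reasons); a higher score means more BEC impersonation signals."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    subject_l = subject.lower()
    score, reasons = 0, []
    if _has_role_term(display.lower(), local):
        score += 2
        reasons.append("role term in sender identity")
    if domain in FREE_WEBMAIL:  # a school official mailing from Gmail is the pattern the post describes
        score += 2
        reasons.append("free webmail sender domain: " + domain)
    elif domain and domain != SCHOOL_DOMAIN:
        score += 1
        reasons.append("external sender domain: " + domain)
    hits = [t for t in URGENCY_TERMS if t in subject_l]
    if hits:
        score += 1
        reasons.append("urgency lure in subject: " + ", ".join(hits))
    return score, reasons


def is_suspicious(from_header, subject, threshold=3):
    """Flag a message for review when its score reaches the (assumed) threshold."""
    return score_message(from_header, subject)[0] >= threshold


if __name__ == "__main__":
    samples = [  # constructed sample headers, not real attack data
        ('"Principal Smith" <principal.smith.office@gmail.com>', "COVID-19 SCHOOL MEETING"),
        ("Jane Doe <jdoe@example-isd.edu>", "Lunch menu for next week"),
        ("IT Helpdesk <helpdesk@example-isd.edu>", "Re: Stay safe"),
    ]
    for frm, subj in samples:
        print(is_suspicious(frm, subj), score_message(frm, subj))
```

Such a heuristic only surfaces candidates for review; the post's point is that it should sit on top of, not replace, gateway filtering and account-takeover monitoring.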
Compromised EDU accounts used as launch pads for email attacks
Barracuda researchers also analyzed malicious email messages that were sent from potentially compromised internal accounts.
When looking at the total number of malicious messages (both inbound and outbound) for all organizations, our analysis found that around 1 in 4 messages detected were sent from internal email accounts. This percentage was significantly higher for the education sector, with 57% of malicious emails sent from internal accounts. This means accounts in the education industry were used to send more attacks than they received.
These compromised accounts are highly valuable for cybercriminals due to the high degree of trust associated with emails sent from these legitimate addresses, which makes them a good launch pad for further email attacks. We saw some large-scale campaigns leaving these organizations because scammers want to send as many emails as possible before their malicious activity is detected and they are locked out.
How to Protect Your Educational Organization
Invest in protection against targeted phishing attacks. The education sector is disproportionately targeted by socially engineered attacks, such as service impersonation and business email compromise. Attackers know that these organizations don’t always have the same level of security sophistication as other organizations, and they take advantage of it. Schools, colleges, and universities need to prioritize email security that leverages artificial intelligence to identify unusual senders and requests. This additional layer of defense on top of traditional email gateways will provide substantial protection against spear-phishing attacks for both staff and students.
Get account takeover protection today. Educational institutions are more susceptible to account takeover than an average organization because many school districts and colleges don’t have necessary tools and resources to protect against this threat. Invest in technology that will allow you to identify suspicious activity and potential signs of account takeover.
Improve security awareness education. Users are the last line of defense. Educate them about the email threats faced by educational institutions today. Ensure both staffers and students can recognize attacks, understand their fraudulent nature, and know how to report them. Security awareness training is especially important now, when remote learning is such a big part of the education system and students and teachers rely on technology and email for both communication and educational purposes.
Set up internal policies to prevent wire transfer fraud. All organizations, including educational institutions, should establish and regularly review existing company policies to ensure that personal and financial information is handled properly. Help employees avoid making costly mistakes by creating guidelines and putting procedures in place to confirm all email requests for wire transfers and payment changes. Require in-person or telephone confirmation and/or approval from multiple people for all financial transactions.