Educational institutions are being disproportionately targeted by spear-phishing attacks, according to a new study by Barracuda Networks.
The security firm’s latest Threat Spotlight analysis found that in the period from June to September 2020, over 1000 schools, colleges and universities faced more than 3.5 million spear-phishing attacks.
More than a quarter of these were business email compromise (BEC) attacks, a method which is over twice as likely to be used against educational institutions compared with an average organization across all sectors.
More than four in 10 (41%) of all attacks targeting education were spear-phishing, according to the analysis, with 28% scamming attempts and 3% related to extortion.
Spear-phishing attacks dropped off in July and August when schools were closed, and were at their highest in June and September: 11% and 13% higher than average, respectively.
Cyber-criminals increasingly used the topic of COVID-19 as a lure for these phishing attacks, with subject headings including ‘COVID19 NEW UPDATES’; ‘Covid-19 Update Follow Up Right Now’; ‘COVID-19 SCHOOL MEETING’ and ‘Re: Stay Safe’.
Barracuda also highlighted examples of the potentially devastating costs of these types of attacks, including the Manor Independent School District in Texas reporting that a seemingly normal school-vendor transaction resulted in a loss of $2.3 million.
Michael Flouton, VP email protection for Barracuda Networks, commented: “Cyber-attackers have come to understand that education institutions don’t often have the same level of security sophistication as in other organizations, and therefore, they will send carefully crafted email messages designed to trick unknowing and untrained victims into leaking personal or confidential information, such as login credentials, student records, or payment information.
“In light of COVID-19 and the transition to remote learning environments, the quantity of data stored on school and university servers has surged, and thus, so too has the quantity of cyber-attacks facing them.
“Therefore, schools and universities must combat this threat by investing in email security that leverages artificial intelligence to help identify unusual senders, intercept suspicious requests and block spear-phishing attacks. Additionally, account takeover protection, security awareness education for staff and students, and a reconstruction of internal policies, are all imperative to preventing human error from leading to costly mistakes in the future.”