40% of the top twenty universities in the US aren’t using DMARC to mitigate phishing attacks that impersonate the universities’ domains, according to researchers at Tessian. Additionally, the universities that are using DMARC haven’t configured their policies to quarantine or reject emails from unauthorized senders.
DMARC, or Domain-based Message Authentication, Reporting and Conformance, is an email authentication protocol that enables email servers to verify that an email was sent from the domain it claims to come from. If it isn’t set up properly, however, it won’t make much of a difference.
“Without DMARC records in place, or without having DMARC policies set at the strictest settings, hackers can easily impersonate a university’s email domain in phishing campaigns, convincing their targets that they are opening a legitimate email from a fellow student, professor or administrator at their university,” Tessian explains. “From that phishing email, hackers could lure staff or students to a fake website that has been set up to steal account credentials or request that their targets send personal or financial information. Against the backdrop of ‘back to school’ and the shift to hybrid learning environments (with some universities restricting access to campuses), it wouldn’t seem out of the ordinary for a university to request this information. Students, therefore, may not realise they are being scammed – especially if the email domain looks legitimate.”
While DMARC is a good security measure, Tessian notes that it won’t prevent impersonation attacks entirely.
“Firstly, DMARC records are inherently public, and an attacker can use this information to select their targets and attack methods, simply by identifying organizations without an effective DMARC record,” the researchers write. “If your company has a strict email policy in place, the attacker can still carry out an advanced spear phishing attack by registering look-a-like domains, betting on the fact that a busy employee or distracted student may miss the slight deviation from the original domain. Secondly, while your organization might have DMARC in place, your external contacts may not. This means that while your company domain is protected against direct impersonation, your employees may be vulnerable to impersonation of external contacts like partners, suppliers or government bodies.”
As technical defenses improve, attackers will increasingly turn to methods that allow them to manipulate humans rather than exploiting vulnerabilities in technology. New-school security awareness training can teach your employees, maybe even your students, if they’re willing to learn, how to defend themselves against these attacks.
Tessian has the story: https://www.tessian.com/blog/back-to-school-scams/