Back-to-School: a Buzzkill in More Ways than One



40% of the top twenty universities in the US aren’t using DMARC to mitigate phishing attacks that impersonate the universities’ domains, according to researchers at Tessian. Additionally, the universities that are using DMARC haven’t configured their policies to quarantine or reject emails from unauthorized senders, so receiving servers are told about spoofed mail but not told to block it.

DMARC, or Domain-based Message Authentication, Reporting and Conformance, is an email authentication protocol that lets a receiving mail server verify that a message was actually sent from the domain it claims to come from, and tells the receiver what to do when it wasn’t. If the record isn’t published, or its policy is left at monitoring only, it won’t make much of a difference.

“Without DMARC records in place, or without having DMARC policies set at the strictest settings, hackers can easily impersonate a university’s email domain in phishing campaigns, convincing their targets that they are opening a legitimate email from a fellow student, professor or administrator at their university,” Tessian explains. “From that phishing email, hackers could lure staff or students to a fake website that has been set up to steal account credentials or request that their targets send personal or financial information. Against the backdrop of ‘back to school’ and the shift to hybrid learning environments (with some universities restricting access to campuses), it wouldn’t seem out of the ordinary for a university to request this information. Students, therefore, may not realise they are being scammed – especially if the email domain looks legitimate.”
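The difference between “having DMARC” and having it “set at the strictest settings” comes down to a few tags in the DNS TXT record. The following script is an added example, not code from Tessian or KnowBe4: it parses a DMARC record and rates it on the scale the article uses (missing, monitor-only, partially enforced, enforcing). The sample records are constructed and the `.example` domains are placeholders, not real universities’ DNS data.

```python
# Added example (not from the Tessian research or the KnowBe4 post): classify
# DMARC TXT records by how much they actually enforce. Sample records below
# are constructed; real ones are published as TXT at _dmarc.<domain>.
from typing import Dict, Optional

def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Split 'tag=value; tag=value' into a dict; None if not a DMARC1 record."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def assess_dmarc(txt: Optional[str]) -> str:
    """Rate DMARC posture on the scale the article describes.

    missing   - no record: receivers have no policy to apply
    monitor   - p=none: aggregate reports only, spoofed mail still delivered
    partial   - quarantine/reject, but pct<100 or subdomains (sp) left at none
    enforcing - quarantine or reject applied to all mail from the domain
    """
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "missing"
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        return "monitor"
    pct = int(tags.get("pct", "100"))            # pct defaults to 100 (RFC 7489)
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to the value of p
    if pct < 100 or sub_policy not in ("quarantine", "reject"):
        return "partial"
    return "enforcing"

# Constructed sample records, not real universities' DNS data.
SAMPLE_RECORDS = {
    "no-record.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "half-enforced.example": "v=DMARC1; p=reject; pct=50",
    "lax-subdomains.example": "v=DMARC1; p=quarantine; sp=none",
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:24s} {assess_dmarc(record)}")
```

Only the last record would stop a spoofed message from your own domain being delivered; the others report on it at best.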

While DMARC is a good security measure, Tessian notes that it won’t prevent impersonation attacks entirely.

“Firstly, DMARC records are inherently public, and an attacker can use this information to select their targets and attack methods, simply by identifying organizations without an effective DMARC record,” the researchers write. “If your company has a strict email policy in place, the attacker can still carry out an advanced spear phishing attack by registering look-alike domains, betting on the fact that a busy employee or distracted student may miss the slight deviation from the original domain. Secondly, while your organization might have DMARC in place, your external contacts may not. This means that while your company domain is protected against direct impersonation, your employees may be vulnerable to impersonation of external contacts like partners, suppliers or government bodies.”

As technical defenses improve, attackers will increasingly turn to methods that manipulate humans rather than exploiting vulnerabilities in technology. New-school security awareness training can teach your employees (and, if they’re willing to learn, maybe even your students) how to recognize and defend themselves against these attacks.

Tessian has the story: https://www.tessian.com/blog/back-to-school-scams/


Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/phishing-security-test-offer
