Columbia Advisory Group
Phishing in Academia: Unraveling the Cyber Threats Beneath the Surface
Phishing attacks have become an increasingly common threat to individuals and organizations worldwide, and educational institutions are no exception. Ineffective and outdated security practices, undetected vulnerabilities, and increased sophistication of attacks combine to make educational institutions a potential target for attackers. This article discusses the new-age phishing attacks and tips for educational institutions to stay safe.
With widespread online learning and remote work after the COVID-19 pandemic, educational institutions are becoming a prime target for malicious actors looking to steal confidential and sensitive information or install malicious software on school and student information systems. As more educational institutions rely on technology to provide their services, it is essential to understand the risks associated with phishing threats and take proactive steps to safeguard against them to protect the confidentiality, integrity, and availability of valuable educational information systems.
This article will explore the nature of phishing attacks against educational institutions and how the attack vector is getting more advanced, leveraging technologies like AI (Artificial Intelligence) and Machine Learning (ML). It examines the potential impact of such attacks and how institutions can protect themselves against them. Examining real-world examples of successful phishing attempts against educational institutions can provide valuable lessons in preventing similar incidents. By being aware of the threats and implementing effective security measures, academic institutions can protect themselves and their students from the potentially devastating consequences of a phishing attack.
Statistics: Phishing Against Educational Institutions
Education is the third most targeted industry by phishing attempts worldwide after Finance and Healthcare. There were almost 3.2 million phishing attempts against institutions in the education sector in 2021-2022. Some statistics and trends on phishing against educational institutions based on available data are as follows:
- Education saw a 44% increase in cyberattacks in 2022 compared to 2021.
- Educational institutions face around 2000 attacks per week per organization, a 114% increase compared to 2020.
- Educational institutions are the least competent at preventing data from being encrypted in a cyberattack. Higher education reported a data encryption rate of 74%, and lower education was only a little behind at 72%.
- Six out of ten (62%) educational institutions in the UK reported facing cyberattacks like phishing at least once a week. By contrast, primary schools (12%), secondary schools (23%), and further education colleges (20%) faced fewer breaches. (Official Government Data)
Phishing Attacks – The Tip of the Iceberg
Human-created or mass-spam-type phishing attacks are merely the tip of the iceberg, considering the phishing problems faced by educational organizations. AI-based spear phishing attacks can cause catastrophic consequences in the rapidly changing modern threat landscape.
Adversaries combine data from breaches with Artificial Intelligence to target education end users with highly sophisticated phishing and ransomware attacks. Following are some ways malicious actors can misuse AI and target educational institutions:
- Human Impersonation on social networking platforms.
- AI-based texts, images, and videos to target teachers and students.
- AI and ML to improve algorithms for guessing users’ passwords.
Critical Risks Related to Phishing in the Post-Pandemic Digital World
Following are the key risks educational institutions are facing in the post-COVID digital world:
- AI-Based phishing: Threat actors are now taking in every bit of breached data available on the internet and combining it with AI to target and attack users. As phishing attempts’ sophistication grows, it worries some of the most prominent organizations worldwide. The latest Zscaler ThreatLabz Phishing Report states that global phishing attacks rose 29% over the past year to a record 873.9 million attacks.
- Poor detection of polymorphic malware: Polymorphic malware uses code that changes rapidly – every 15-20 seconds! Most educational institutions deploy anti-malware that relies on traditional signature-based detection to find and block malicious code. With polymorphic code, however, the malware has already changed into something new by the time the software identifies the new signature. Most security solutions can’t keep up with such evolving malware and cannot detect the threats.
- Account takeover fraud: Account takeover (ATO) fraud is a type of identity theft that is common today. In ATO attacks, the bad actor poses as a genuine customer to gain control of an online account, make unauthorized changes and transactions, or sell the verified credentials. Malicious actors carry out ATO fraud in bulk by utilizing credential-stuffing tools and bot attacks. They quickly verify stolen login credentials and make it seem that their login attempts originate from multiple IP addresses to bypass security systems. The bots can perform over 100 attacks per second, making it faster and easier for attackers to commit numerous account takeovers.
- The growing number of IoT devices: The pandemic increased the number of IoT (Internet of Things) devices, with teachers conducting online lessons. The rising number of IoT devices and lack of adequate security measures created opportunities for attackers. Shared Wi-Fi passwords, loose security policies, and inefficiently designed IoT infrastructure led to various vulnerabilities that opened doors for malicious actors to access educational systems networks.
- Risks in cloud services: While cloud services are flexible and offer various benefits, including cost-saving, scalability, and efficiency, they are the primary target for threat actors. Misconfigured cloud services are backdoors for cyber-attacks, leading to data breaches, unauthorized access, insecure interfaces, and account hijacking.
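The account takeover pattern described above (many accounts tried in a short burst, with the attempts spread across many source addresses) can be detected by counting failed logins across all sources rather than per address. The following is an added example, not part of the original article; the log format, the thresholds, and the names parse, detect_stuffing and sample_log are assumptions made for illustration, and the log lines are constructed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S.%fZ"
LINE = re.compile(r"^(\S+) login user=(\S+) ip=(\S+) result=(OK|FAIL)$")

def parse(line):
    m = LINE.match(line.strip())
    return (datetime.strptime(m[1], FMT), m[2], m[3], m[4]) if m else None

def detect_stuffing(lines, window=timedelta(seconds=1),
                    min_failures=20, min_users=15, min_ips=10):
    """Return (burst_detected, accounts_to_review) for one auth log."""
    recent = deque()      # failed logins inside the sliding window, all sources
    burst, burst_until, review = False, None, set()
    for ts, user, ip, result in filter(None, map(parse, lines)):
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if result == "FAIL":
            recent.append((ts, user, ip))
        users = {u for _, u, _ in recent}
        ips = {i for _, _, i in recent}
        # Many accounts failing from many addresses at once: a per-IP limit
        # never fires here because each address makes only a few attempts.
        if len(recent) >= min_failures and len(users) >= min_users and len(ips) >= min_ips:
            burst, burst_until = True, ts + window
        # A success during a burst may be a stolen credential being verified.
        if result == "OK" and burst_until and ts <= burst_until:
            review.add(user)
    return burst, sorted(review)

def sample_log():
    """Constructed log: normal traffic, then 30 failures in 300 ms from 15 IPs."""
    base = datetime(2023, 2, 21, 10, 0, 0)
    rows = [(base - timedelta(minutes=5), "alice", "198.51.100.7", "OK"),
            (base - timedelta(minutes=4), "bob", "198.51.100.8", "FAIL"),
            (base - timedelta(minutes=3), "bob", "198.51.100.8", "OK")]
    for i in range(30):
        rows.append((base + timedelta(milliseconds=10 * i),
                     f"student{i:02d}", f"203.0.113.{i % 15 + 1}", "FAIL"))
    rows.append((base + timedelta(milliseconds=310), "student07", "203.0.113.9", "OK"))
    return [f"{t.strftime(FMT)} login user={u} ip={ip} result={r}" for t, u, ip, r in rows]

if __name__ == "__main__":
    print(detect_stuffing(sample_log()))
```

Accounts returned for review are candidates for a forced password reset and session revocation; a legitimate user who happens to log in during a burst will also appear, so the list is a starting point for triage rather than a verdict.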
How Educational Institutions Can Protect Themselves Against New Phishing Threats
Educational institutions hold significant confidential and sensitive information, including students’ and their parents’ personal and financial details. Many universities also collaborate with government agencies on cutting-edge research, drawing the interest of other national threat actors. Thus, it becomes crucial for them to protect against new-age phishing threats. Following are some ways they can do so:
- Leveraging AI-Based anti-phishing solutions: The application of AI in digital security has several benefits. Detecting vulnerabilities and anomalous patterns within extensive networks is a tedious and complicated task for humans. With AI, educational institutions can analyze data from multiple endpoints faster and more efficiently, quickly detecting threats and vulnerabilities before the malicious actors plan attacks. AI-powered Intrusion Detection Systems (IDS) distinguish dubious and unusual traffic from the regular traffic that enters a network.
- Eliminating local admin rights and managing global admin rights: Giving admin rights to users who don’t require them is a widespread problem that makes malicious actors’ activities easier. Compromising admin users’ credentials gives attackers free rein to move about the network, change configurations, install applications, and encrypt or steal data. Educational institutions must maintain efficient management of user accounts with admin permissions across the network (for example, Domain Admins in a Microsoft domain). This includes monitoring the membership of admin groups and changing their passwords when the institute terminates someone who knows those passwords.
- Selecting a trusted partner in the cybersecurity journey: Schools, colleges, universities, and other educational institutions need the best cybersecurity solution that learns and evolves after encountering new threats. A trusted partner will build security layers, such as anti-malware, secure gateways, firewalls, patching software, and other measures to build a strong defense. The layered cybersecurity approach is the safest way to protect devices and data in a continually changing environment. If one layer, for example, a firewall, gets compromised, additional layers will be in place to ensure your data remains untouched.
- Knowing what your network looks like: A practical way to assess your cybersecurity posture is to understand how the attackers view your network. They should only see websites, not admin consoles, file servers, databases, or anything else on an internal network. Institutions must regularly scan the Internet-facing systems to know and limit their exposure. Universities can find various commercial solutions and open-source tools that do an excellent job of assessing network risk factors. Additionally, the US Cybersecurity & Infrastructure Security Agency (CISA) and some state governments offer vulnerability scanning for free.
- Educating faculty, students, and staff: It is crucial to set a security policy that includes passwords, the internet, email, acceptable use policies, etc. Depending on the technology and processes, the policy will set procedures and rules that everyone on the campus must follow while using school Wi-Fi and devices. Once finalized, institutions must publish the security policy to a few easily accessible locations and forward it to new users as an initial step for setting up accounts and devices. It’s essential to keep your faculty and staff aware and educated by holding monthly or bi-monthly training so that they can learn about new threats and brush up on detecting phishing emails.
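The admin-rights item above names two checks: monitoring the membership of admin groups, and changing passwords when someone who knows them is terminated. The following is an added example of both checks, not part of the original article; the function names, the account and group data, and the input structure are assumptions, and all values are constructed (only the Domain Admins group name comes from the text).

```python
from datetime import date

def review_admin_groups(approved, current, terminated, shared_accounts):
    """Return sorted findings as (kind, group_or_account, user) tuples."""
    findings = []
    for group, members in current.items():
        allowed = approved.get(group, set())
        # Anyone in an admin group who is not on the approved list.
        for user in members - allowed:
            findings.append(("unapproved_member", group, user))
        # Anyone who has left the institution but still holds admin rights.
        for user in members & set(terminated):
            findings.append(("terminated_member", group, user))
    for account, info in shared_accounts.items():
        for user in info["known_by"]:
            left = terminated.get(user)
            # The password must be changed after anyone who knew it leaves.
            if left is not None and info["password_set"] <= left:
                findings.append(("rotate_password", account, user))
    return sorted(findings)

def sample_inventory():
    """Constructed data: approved list, current export, HR terminations, shared accounts."""
    approved = {"Domain Admins": {"adm-jsmith", "adm-mlee"},
                "Local Administrators": {"adm-jsmith"}}
    current = {"Domain Admins": {"adm-jsmith", "adm-mlee", "t.brown"},
               "Local Administrators": {"adm-jsmith", "adm-kpatel"}}
    terminated = {"adm-kpatel": date(2023, 1, 31)}
    shared_accounts = {
        "svc-backup": {"password_set": date(2022, 9, 1),
                       "known_by": {"adm-kpatel", "adm-mlee"}},
        "svc-sis": {"password_set": date(2023, 2, 5),
                    "known_by": {"adm-kpatel"}},
    }
    return approved, current, terminated, shared_accounts

if __name__ == "__main__":
    for finding in review_admin_groups(*sample_inventory()):
        print(finding)
```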
Malicious actors are constantly refining their techniques and are increasingly targeting educational institutions due to the wealth of sensitive information they hold. AI-based phishing attacks are a particularly concerning threat to schools, and it is crucial for them to be able to detect, monitor, and prevent such attacks before they can cause harm. Colleges and universities should adhere to basic cyber hygiene to protect themselves in the ever-evolving threat landscape. They must also work with trusted partners who can provide them with efficient and state-of-the-art cybersecurity solutions to help them avoid becoming the next ransomware headline.
In addition to basic cybersecurity hygiene, educational institutions should implement multi-factor authentication, regularly back up data, and provide training to staff and students to raise awareness of potential threats. They should also conduct regular security assessments and audits to identify and address vulnerabilities promptly. By taking these proactive steps, educational institutions can protect their sensitive data and prevent costly and damaging cyber attacks.
Brad Hudson
Cybersecurity Practice Leader