Phishing emails are an expected part of work-life for adults – but what about at school? University students are being targeted by cybercriminals at an increasing rate.
The “back to school” season is a busy one.
University students, whether starting out as freshmen or returning to their studies, have a lot to take care of, from getting school supplies to settling into their student housing to making sure they’re properly registered for all their classes.
A big part of going to university these days is checking your email. Professors, Teaching Assistants, group leaders, intermural team captains and more all use email as a primary source of communication.
The end result? Student inboxes are stuffed throughout September.
And it’s this oversaturation of emails that makes it so easy for a dangerous phishing email to go unnoticed until it’s too late…
University Student Phishing Is On The Rise
Phishing is a method in which cybercriminals send fraudulent emails that appear to be from reputable sources in order to get recipients to infect themselves with malware or give up sensitive information such as login credentials.
With only a surprisingly small amount of information, cybercriminals can convincingly pose as university administration members and those in positions of authority in order to persuade students to click a link that will infect them with malware.
Researchers from Proofpoint have found that instances of email fraud (i.e., phishing) have increased the most year over year in the education sector when compared to other industries. In 2018, there was a 192% increase from the previous year with an average of 40 attacks per organization.
Why Are Students Being Targeted?
In simple terms? Because it’s easy.
“Schools balance a culture of openness and information-sharing with rules and controls to effectively protect user privacy and system security while the severity and sophistication of attacks against schools continue to increase,” said Chris Dawson, head of threat intelligence at Proofpoint, to Threatpost. “Cybercriminals capitalize on this atmosphere and target both students and staff to gain access to credentials and vast stores of sensitive data available in student information systems.”
As stated above, students have a lot of emails to sort through in September, many of which come with urgent deadlines that need to be met in order to make sure they are properly registered for the year’s courses. All these factors together make it likely that they’ll click a link in a seemingly safe email, or give up their password without a second thought.
How Do These Phishing Scams Work?
A notable example of these student-targeted phishing campaigns is TA407/Silent Librarian, which has three key components:
- The email appears to come from the associated university library and informs the student that their library account has expired.
- To reactivate their account, the student is directed to click an included link.
- The email features a signature that matches the design, colors, and name of the associated university.
When students click on the link, they are brought to a fake login portal, and directed to input their username and old password. Once they have, it’s game over – they’ve given the hacker their login info.
What Does This Mean For Long Island Private Schools?
While you may not work with a university, if you operate in the education sector, then you need to be aware of scams like this. The same type of strategy can work just as effectively against your students via their school email accounts, as well as your staff members.
By creating urgency, and appearing to come from a trusted source, a cybercriminal can trick you into downloading malware or giving up sensitive information. That’s why you, your colleagues and your students need to be aware of how phishing works and how to spot a suspicious email:
- Incorrect Domain: Before even taking a look at the body of the message, check out the domain in the sender’s address. Maybe they claim to be from an associated educational organization, but talk is cheap. It’s much more difficult to spoof an actual domain name, and so it’s more common to see domains that are close, but not 100% correct. If it seems fishy, it probably is.
- Suspicious Links: Always be sure to hover your mouse over a link in an email before clicking it. That allows you to see where it actually leads. While it may look harmless, the actual URL may show otherwise, so always look, and rarely click.
- Spelling and Grammar: Modern cybersecurity awareness comes down to paying attention to the details. When reading a suspicious email, keep an eye out for any typos or glaring errors. Whereas legitimate messages would be properly edited, phishing emails are notorious for basic spelling and grammatical mistakes.
- Specificity: Another point to consider is how vague the email is. Whereas legitimate senders will likely have your information already (such as your first name) and will use it in the salutation, scammers will often employ vaguer terminology – this allows them to use the same email for multiple targets in a mass attack.
- Urgent and Threatening: If the subject line makes it sound like an emergency — “Your account has been suspended”, or “You’re being hacked” — that’s another red flag. It’s in the scammer’s interest to make you panic and move quickly, which might lead to you overlooking other indicators that it’s a phishing email.
- Attachments: Phishers will often try to get you to open an attachment, so, if you see an attachment in combination with any of the above indicators, it’s only more proof that the email is likely part of a phishing attempt.
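The domain, link and urgency checks from the list above can also be automated. The following is an added example, not part of the original article, that applies them to a message modeled on the library-account lure. The trusted domain `example-university.edu`, the sample message, the keyword list and the 0.8 similarity threshold are all assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENT = ("expired", "suspended", "hacked")  # assumed keyword list
# Constructed sample message; every domain in it is made up.
SAMPLE = """From: University Library <library@examp1e-university.edu>
Subject: Your library account has expired

<a href="http://login.portal.example.net/renew">library.example-university.edu</a>"""

class LinkCollector(HTMLParser):  # gathers (href, visible text) per <a> tag
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def in_domain(host, domain):  # exact match or a subdomain of `domain`
    return host == domain or host.endswith("." + domain)

def check_email(raw, trusted):
    msg, findings = message_from_string(raw), []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not in_domain(sender, trusted):  # close-but-wrong domains score high
        near = SequenceMatcher(None, sender, trusted).ratio() >= 0.8
        findings.append("lookalike-sender" if near else "external-sender")
    if any(word in msg.get("Subject", "").lower() for word in URGENT):
        findings.append("urgent-subject")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        if shown and not in_domain(host, shown.group()):  # text names another host
            findings.append("link-text-mismatch")
        if not in_domain(host, trusted):  # destination is outside the school
            findings.append("offsite-link")
    return findings
```

Calling `check_email(SAMPLE, "example-university.edu")` flags the one-character domain swap, the urgent subject, and the link whose visible text names the library while its target is a different host.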
Long Island School IT Support To Keep Your School Secure
In addition to a range of other managed IT services, LI Tech Advisors will protect your Long Island private school’s network with robust security solutions. Anti-virus, anti-malware, firewalls, and emergency data backup will help to minimize threats against your staff and your student body.
With our support, your teachers and admin staff won’t have to worry every time they or a pupil opens an email – they can focus on cultivating an effective learning environment instead.