Protecting Higher Education: Rise of Email Attacks Impacting Students, Faculty, and Staff

Higher education plays a crucial role in developing students and providing valuable research, while also being the recipient of millions of dollars in grant funding and donations each year. Unfortunately, this makes colleges and universities prime targets for cyberattacks as bad actors look to steal personal information, access funds or intellectual property, and make ransom demands. As such, cybersecurity must be a top priority for higher education institutions hoping to protect the privacy and security of their students, faculty, staff, alumni, and investments.

Phishing attacks are a common hook in the cybercriminal’s tacklebox. By sending malicious links in seemingly legitimate emails, attackers deceive targets into sharing usernames, passwords, or financial information. And if malicious actors capture important information, they often use it for additional attacks—using compromised accounts to send even more legitimate-looking emails across campus.

For example, just last year Duke University suffered a massive phishing campaign. The attack was launched in two phases, first using non-Duke email addresses that encouraged students to share sign-in information to avoid losing account access. Attackers then used these stolen passwords to launch a second wave of attacks from Duke email addresses in hopes of stealing financial information.

Over the past year, phishing attacks against higher education institutions have risen. Brief reprieves sometimes accompany holidays and summer breaks, but once classes resume, attackers ramp up their attempts in hopes of ensnaring staff and students. For example, there was an average of 18.5 phishing attacks per 1,000 mailboxes each week in the first half of 2022. In comparison, the first half of 2023 saw an average 74 phishing attacks per week.

While phishing makes up half of the cyberattacks against higher education, extortion, scams, and malware are still major concerns.

In 2020, the University of California, San Francisco (UCSF) experienced a ransomware attack that compromised patient records at its School of Medicine. UCSF made the difficult decision to pay a portion of the ransom to unlock the maliciously encrypted data—costing them $1.14 million.

But while the UCSF incident is notable for its high cost, these attacks are fairly common. More recently in June 2023, a malware attack took the digital services at Stephen F. Austin State University offline. Bluefield University in Virginia was hit with ransomware in April of the same year.

Higher education institutions are also targets for business email compromise or BEC. By impersonating legitimate contacts, attackers use social engineering tactics to steal personal information and redirect financial transactions. Southern Oregon University, for instance, lost $1.9 million in a BEC scheme that tricked employees into a fraudulent transfer in 2017.

BEC attacks have the potential to spiral out of control quickly. In 2019, Oregon State University reported a security incident in which hackers compromised an employee’s email account. From there, the hacker sent phishing emails to students and alumni. Still worse, the compromised account had access to the names, birthdates, and social security numbers of more than 600 students.

Unfortunately, BEC and social engineering attacks could become even more convincing with generative AI. Bad actors can use ChatGPT, Google Bard, and similar tools to research targets and quickly produce high-quality text copy to trick victims.

Email is a soft target for cyberattackers. It’s a numbers game of sending a slew of malicious emails in hopes that a few succeed, and while faculty/staff may be aware of malicious attacks, students are likely not as security-conscious—making them an easy target for initial entry into the university email system.

Since attackers only need to land an attack to succeed, the pressure is on colleges and universities to combat risks before they become problems. This requires proactive cybersecurity with tools that preempt malicious behavior before it hits your inbox. By understanding and developing an organizational baseline of good behavior, cloud-based email platforms like Abnormal go beyond traditional email security to detect emerging attacks and remediate compromised accounts—before they can be used to gain additional access.

Explore what Abnormal can do for your college or university by downloading our higher education datasheet, or scheduling a demo today!