Education sector is the top target for email fraud

Schools and universities face four times as many phishing attacks as the average organisation, according to Proofpoint’s The Human Factor 2018. 

This makes educational institutions by far the sector most vulnerable to attacks, ahead of management consulting, entertainment/media, telecommunications and IT. Alarmingly, the targeting of the education sector has come out of nowhere, with the number of attacks increasing 120% year-on-year.

Why the education sector? 

You might have thought that the defence or aerospace sectors would be the most targeted by cyber criminals, but they actually ranked near the bottom of the list, with only the utilities sector attacked less often. 

The reason for this, writes Proofpoint, is that “most email fraudsters are after money, not corporate secrets. That makes [the defence sector, etc.] less attractive than those frequently engaged in high-value transactions with complex and multifaceted supply-chain and customer relationships that may be more easily exploited for financial gain.” 

Cyber security is often overlooked in the education sector. This was most notable in the run-up to the EU GDPR (General Data Protection Regulation) compliance deadline, but it will be evident to many people associated with the sector. Schools and universities handle vast amounts of personal data, but they typically don’t have the resources to make sure information is being handled responsibly and that defence mechanisms are sufficient. 

How crooks are tricking us 

Proofpoint notes that cyber criminals are finding a lot of success with scams pretending to be legal notices. Subject lines such as “Lawyer’s call” are among the most common. 

Scams often include “Re:” or “Fwd:” in the subject line and contain fake email chains within the message. This gives the message a (false) context and makes it seem as though it hasn’t come out of the blue. Crooks might forge the email address of one or more of the target’s colleagues to lend it additional credence. 
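A defender-side heuristic for the fake reply chains described above, as an added example that is not from Proofpoint's report or this article: it flags a "Re:" subject that arrives without threading headers, and a sender address in your own domain whose Reply-To points elsewhere. The domain `school.example` and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Only "Re:" is checked for threading headers: a forward is a new message and
# mail clients do not consistently set In-Reply-To/References on it.
REPLY_SUBJECT = re.compile(r"^\s*re\s*:", re.IGNORECASE)

def domain(header_value):
    """Return the lower-cased domain of an address header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def reply_chain_flags(raw_message, internal_domain):
    """List the reasons a message looks like a fabricated reply chain."""
    msg = message_from_string(raw_message)
    flags = []
    if REPLY_SUBJECT.match(msg.get("Subject", "")):
        # A genuine reply normally carries RFC 5322 threading headers.
        if not (msg.get("In-Reply-To") or msg.get("References")):
            flags.append("reply-subject-without-thread-headers")
    from_dom = domain(msg.get("From"))
    reply_dom = domain(msg.get("Reply-To"))
    # A colleague's address in From, with replies steered to another domain.
    if from_dom == internal_domain and reply_dom and reply_dom != from_dom:
        flags.append("internal-from-external-reply-to")
    return flags

# Constructed sample: quoted "earlier" text, but no threading headers.
SUSPICIOUS = """\
From: "Head of Finance" <finance@school.example>
Reply-To: finance@mail-school.example
To: bursar@school.example
Subject: Re: Lawyer's call

> Did you manage to speak to the lawyer?
Please open the attached notice today.
"""

# Constructed sample: an ordinary reply inside an existing thread.
GENUINE = """\
From: "Head of Finance" <finance@school.example>
To: bursar@school.example
Subject: Re: Term budget
In-Reply-To: <b1@school.example>
References: <b1@school.example>

Thanks, approved.
"""
```

Treat the flags as signals for triage or a warning banner rather than grounds for blocking, since some legitimate mail systems strip or omit threading headers.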

Additionally, the report shows that there has been a rise in ‘many-to-many’ attacks. Targeting multiple employees simultaneously has been a common technique for years, but most such attacks spoofed only the identity of a senior executive or a high-ranking individual in a partner company. However, Proofpoint found that, by the end of 2017, 41% of attacks involved more than five spoofed senders.

“The trend suggests that email fraudsters are adapting as organisations become more aware of email fraud and move to prevent it,” writes Proofpoint. 

How to defend against phishing emails 

In theory, phishing scams should be easy to prevent. They don’t sneak up on organisations unnoticed and they don’t exploit technological vulnerabilities. They are just emails, and they sit in employees’ inboxes in plain sight. If you ignored the message, it would pose no danger whatsoever. 

But people don’t ignore them, because crooks make them believe that isn’t an option. Whether the message tells the recipient that they need to download a file from their lawyer, or that they need to confirm payment details for a package they ordered, phishing emails create a sense of urgency that makes people act rashly. 

The key to successfully defending against phishing emails is to learn to spot when you are being manipulated. Our Phishing Staff Awareness E-learning Course teaches you everything you need to know quickly and conveniently. The course is delivered over the Internet and can be taken by your employees at a time and place that suits them. 

You might also be interested in our Misuse of Email Cc and Bcc Human Patch E-Learning Course. As the name suggests, this course introduces learners to the risks associated with carbon copying (Cc) and blind carbon copying (Bcc) email messages. Upon completing the course, you’ll understand the difference between them and how they should be used to avoid data breaches and other email-based mistakes. 



Luke Irwin is a writer for IT Governance. He has a master’s degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology.