Most top US higher ed institutions fail to protect students from phishing

88.8 percent of the root domains operated by top colleges and universities in the United States are putting their students, staff and other recipients at risk for phishing attacks that spoof the institution’s domain, according to 250ok.

Phishing and spoofing attacks against consumers are likely when companies do not have a published Sender Policy Framework (SPF) or Domain-based Message Authentication, Reporting and Conformance (DMARC) policy in place.

SPF is an email validation system that detects spoofing attempts, or a third party disguising itself as a particular sender using a counterfeit email address. DMARC is considered the industry standard for email validation to prevent such attacks.

The report, which analyzed 3,614 domains operated by the top accredited US colleges and universities by student enrollment, reveals the domains controlled by these institutions indexed lower in their adoption of a DMARC policy (11.2 percent) when compared to top US and EU retailers (15.8 percent).

“Since universities communicate with a wide range of constituencies, leaving email security up to chance is dangerous,” said Matthew Vernhout, director of privacy at 250ok. “Failing to publish basic authentication records and a DMARC policy leaves students, faculty, and other recipients unnecessarily exposed to phishing attacks.”

“Being compliant and understanding the implications of spoofers using your domain needs to be at the forefront of the mind of anyone who is sending email, especially in the higher ed space,” said Alex Mackey, digital strategy manager at the University of Kentucky.

A 2017 study from the Anti-Phishing Working Group reported phishing attacks targeted an average of 443 brands per month in the first half of 2017, up from 413 per month during the same period in the previous year. These attacks are a threat to brand trust, as 91 percent of all cyber attacks begin with a phishing email.