• by Ray Schultz , April 2, 2018

Most colleges and universities are at risk for phishing attacks, according to a study by 250ok.

The company analyzed almost 6,000 higher-education domains in the U.S., EU and Canada, and found that almost 90% are putting their students at risk of attacks that spoof the schools’ domains.

That is because they are failing to employ Domain Message Authentication Reporting And Confirmation (DMARC) and to publish a Sender Policy Framework (SPF).

U.S. institutions are the most protective, but still are only marginally better than counterparts in other countries. Domains controlled by U.S. schools index 11.2% in their DMARC adoption, compared with 9.72% for Canadian institutions and 8.6% for European.

“The recent Iranian cyber attack on more than 8,000 professors worldwide should cause all higher ed institutions pause,” states Matthew Vernhout, director of privacy at 250ok.

He adds: “Since the US Department of Homeland Security issued a directive for all federal agencies to achieve a DMARC Reject Policy on all domains, we anticipate downward pressure on colleges and universities in 2018.”

In a separate phishing-related development, CareFirst, an independent BlueCross BlueShield licensee, reported has been hit by a phishing attack, hitting a possible 6,800 CareFirst members.

It started when an employee was sent an email that compromised the person’s account. This was used to send spam emails to individuals not associated with CareFirst.

In the process, personal data was exposed on CareFirst members, including names, member identification numbers, date of birth, and in eight instances, Social Security numbers. But no medical or financial data was revealed, the firm says.

CareFirst reports that no malware was found in the spam.

The firm discovered the breach on March 12.