Most colleges and universities are at risk for phishing attacks, according to a study by 250ok.
The company analyzed almost 6,000 higher-education domains in the U.S., EU and Canada, and found that almost 90% are putting their students at risk of attacks that spoof the schools’ domains.
That is because they are failing to employ Domain-based Message Authentication, Reporting and Conformance (DMARC) and to publish a Sender Policy Framework (SPF) record.
U.S. institutions are the most protective, but still are only marginally better than counterparts in other countries.
Domains controlled by U.S. schools show 11.2% DMARC adoption, compared with 9.72% for Canadian institutions and 8.6% for European ones.
“The recent Iranian cyber attack on more than 8,000 professors worldwide should cause all higher ed institutions pause,” states Matthew Vernhout, director of privacy at 250ok.
He adds: “Since the US Department of Homeland Security issued a directive for all federal agencies to achieve a DMARC Reject Policy on all domains, we anticipate downward pressure on colleges and universities in 2018.”
In a separate phishing-related development, CareFirst, an independent BlueCross BlueShield licensee, reported that it has been hit by a phishing attack affecting a possible 6,800 CareFirst members.
It started when an employee was sent an email that compromised the person’s account. The compromised account was then used to send spam emails to individuals not associated with CareFirst.
In the process, personal data on CareFirst members was exposed, including names, member identification numbers, dates of birth and, in eight instances, Social Security numbers. But no medical or financial data was revealed, the firm says.
CareFirst reports that no malware was found in the spam.
The firm discovered the breach on March 12.