The top 20 universities based in the U.S. are failing to implement proper DMARC protections and policies, opening the door for fraudsters to spoof their email domains and convincingly impersonate them at a time when students are likely expecting to receive a wealth digital communications related to back-to-school instructions, researchers warn.

In particular, students and faculty members may be looking out for important updates regarding how educational institutions will handle the challenges of Covid-19.

“Over the course of the pandemic, we’ve seen hackers capitalize on opportune moments in their phishing attacks,” Tim Sadler, CEO and co-founder of Tessian, told SC Media. “Now, as schools communicate their back-to-school plans and the safety measures they’re taking to make students feel comfortable returning to campus, it’s likely that hackers will take advantage of this moment too. With students and staff eagerly anticipating news and updates, the influx of communications offers a ripe opportunity for hackers to launch phishing attacks impersonating university administrators, professors or even fellow students.”

In a blog post this week, security firm Tessian asserts that 40 percent of the top 20 U.S. universities are not using DMARC (Domain-based Message Authentication, Reporting & Conformance) records at all. The remaining 60 percent have implemented DMARC, but have not set up policies to ‘quarantine’ or ‘reject’ any emails from unauthorized senders using its domains.

The DMARC protocol works by authenticating an email sender’s identity using DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) standards. DMARC users also set a policy for what should happen to emails that don’t pass the validation. “Reject” is the strongest setting, which blocks suspicious emails, or users can instead request “quarantine,” which sends dubious message into a spam or junk mailbox. (“None” is the third option, which results in no action taken.)

“The problem is that without DMARC records in place, or without having DMARC policies set up to ‘reject’, hackers can easily impersonate a university’s email domain in phishing campaigns, convincing their targets that they are opening a legitimate email from a fellow student, professor or administrator at their university,” said Sadler.

Emails with spoofed domains could easily lure students or employees of a university to a phishing website designed to steal credentials or trick victims into giving away financial information.

Therefore, “If you receive an email from your university asking for urgent action, it’s important to question the legitimacy of the request and if you’re not sure, contact the university directly to verify,” said Sadler.

“Nothing is perfect, and DMARC has its edge cases, but it is staggeringly effective. This is why it’s recommended by industry organizations such as M3AAWG, as well as government organizations such as the FTC and DHS,” said Seth Blank, M3AAWG technical committee co-chair and VP of standards and new technologies, Valimail, in an email interview with SC Media.

“Even in pure monitoring mode (p=none), while you don’t get security, you do get intelligence about who is sending email ‘as you,’ including legitimate senders as well as unauthorized or malicious ones,” Blank continued. “Of course, it’s best to move to enforcement (a “reject” or “quarantine” policy) as soon as practically possible, and to combine DMARC with other phishing defenses. This is how you get defense in depth and comprehensive protection.”

A spokesperson for Tessian confirmed that the company conducted its research at the end of June, using a free domain checker tool from dmarcian. She would not reference the universities by name or the methodology used to identify the top 20, but she said the final count was “based on legitimate lists of the top U.S. universities.”

Sadler noted that even DMARC protection still won’t stop malicious actors from using lookalike domains that don’t directly spoof a legitimate sender’s domain, but at a quick glance still might look authentic. “Furthermore, DMARC records are inherently public, and an attacker can use this information to select their targets and attack methods, simply by identifying organizations without an effective DMARC record,” he added.

For this reason, Sadler is encouraging colleges and universities to “build robust security measures that can protect their staff and students against email scams.” This could include not just DMARC, but multi-factor authentication and security awareness training.