Nearly all of the top 10 universities in the U.S., U.K. and Australia proactively blocked attackers from spoofing their email domains, according to Proofpoint researchers. Pictured: Cyclists ride by Hoover Tower on the Stanford University campus on March 12, 2019, in Stanford, Calif. (Photo by Justin Sullivan/Getty Images)

Proofpoint on Tuesday reported that some 97% of the top 10 universities across the United States, the United Kingdom and Australia are not taking appropriate measures to proactively block attackers from spoofing their email domains, increasing the risk of email fraud.

The Proofpoint researchers found that universities in the United States are most at risk with the poorest levels of email protection, followed by the United Kingdom and Australia. 

“Email remains the most common vector for security compromises across all industries,” said Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint. “In recent years, the frequency, sophistication, and cost of cyberattacks against universities has increased. It’s the combination of these factors that make it especially concerning that the premier universities in the U.S. are currently the most vulnerable to attack.”

Proofpoint’s findings are based on Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of the top 10 universities in each country. Here are some of the leading points made by the study:

  • None of the top U.S. and U.K. universities had a reject policy in place, which actively blocks fraudulent emails from reaching their intended targets, meaning that all are leaving students open to email fraud.
  • Five of the top 10 U.S. universities do not publish any level of DMARC record.
  • 65% of the top U.S. and U.K. universities had a base level of DMARC protection (monitor and quarantine) in place.
  • 17 (57%) of all surveyed universities implemented a monitor policy, while only four (13%) of the 30 universities implemented a quarantine policy.

Domain spoofing, and its cousin typo-squatting, are the lowest hanging fruit for cybercriminals, said John Bambenek, principal threat hunter at Netenrich. Bambenek said if bad actors can get people to click on emails because it looks like its coming from the victim's own university, they get a higher click-through rate and by extension, more fraud losses, stolen credentials, and successful cybercrime. In recent years, attackers have been stealing students financial aid refunds.

“So, why don't more organizations implement DMARC,” asked Bambenek. “Universities don’t pay particularly well, so part of it is a knowledge gap. There’s also a culture in many universities against implementing any policies that could impede research. When I worked at a university 15 years ago, there were knock-down, drag-out fights against mandatory anti-virus on workstations. The biggest challenges to universities is low funding of security teams (if they have one) and low funding of IT teams in general. There’s also the perception that they aren’t an attractive target for cybercriminals, or that attacks against students just aren’t really an institutional concern.”

Chloé Messdaghi, chief impact officer at Cybrary, added that one of the main reasons this keeps occurring is because universities don’t sufficiently invest in security or their security teams. Messdaghi said higher learning, as a sector, often just operates in reactive mode, not proactive when it comes to security approaches and ongoing security team training.

“This is tremendously short-sighted,” Messdaghi said. “They need to educate and invest in the team. Lack of caring puts kids and the institution in danger. Let’s face it. College and university students pay lots of money for their education, and students, donors, alumni, and the institution’s people all deserve better protection.”