70% of UK Universities Victims of Phishing Attacks
70 percent of UK universities that responded to a Freedom of Information (FoI) request have reported that they have fallen victim to a phishing attack in which an individual has been tricked into disclosing personal details via an email purporting to be from a trusted source. Duo Security made the FoI requests to 70 universities across the UK in November 2016, of which 51 responded.
These findings follow a recent warning from the UK’s Fraud and Cybercrime Centre, Action Fraud, of a phishing scam specifically targeting UK university staff. The bogus email claims the recipient is due for a pay increase, then directs them to click on a link and enter financial details and university logins.
The FoI findings also reveal the frequency with which universities are targeted by phishing attacks, with 12 of these universities reporting they had been attacked more than ten times in the past year. Seven of the universities that responded, including those with GCHQ Certified degree courses 1 - Oxford University and Cranfield University - reported they had been struck more than 50 times.
When asked about specific security measures in place for digital devices, operating systems and apps which access the corporate network, only two universities reported they were able to apply patches and upgrades within 48 hours of notification. Four of the universities reported that it typically took longer than 30 days to implement these updates.
Henry Seddon, Vice President of EMEA for Duo Security, comments: “The findings reveal that universities – staff and students – make popular targets for these attacks, which leaves them vulnerable to all kinds of security risks. The challenge is that phishing attacks are increasingly sophisticated – a targeted spear phishing attack can be particularly difficult to spot – but they can ultimately compromise the security of the entire network. They open the doors to hackers, with stolen credentials, to access an organisation’s system virtually undetected, posing as an authorised user. Worryingly, phishing is now the most popular way of delivering ransomware onto an organisation’s network.”
Seddon continues: “Universities need to be vigilant and practice good cyber security hygiene: security updates should be installed as soon as they are available as attacks delivered via phishing campaigns can specifically target out-of-date systems or unpatched software. Education is vital, so keep staff and students updated on the risks that phishing can pose – advising them not to click on any links or attachments that look suspicious.”