As schools and colleges reopen progressively after the academic holiday period, hackers will ramp up BEC and spear-phishing campaigns: study

A cybersecurity firm has evaluated over 3.5 million spear-phishing attacks from June through September 2020 (including attacks against more than 1,000 educational institutions across the globe) and concluded that educational institutions were more than twice as likely to be targeted by business email compromise (BEC) attacks than the average organization.

More than one in four spear-phishing attacks targeting the education sector was a carefully crafted BEC attack. According to Barracuda researchers, hackers understand that many schools and colleges across the Asia-Pacific region (APAC) continue to rely heavily on email for communications, and are therefore vulnerable to spear-phishing.

The data indicated that while cybercriminals targeted organizations evenly throughout the summer months, there was a significant drop-off in spear-phishing attacks against the education sector in July and August when schools were closed for summer break.

These months saw a drop of 10% to 14% below average, with cybercriminals adjusting the types of attacks they used against schools during this time, focusing on email scams, which are less targeted and often sent in large volumes.

Seasonally-aware hackers

The number of attacks picked up substantially in September when students returned to campus for varying periods of time. Targeted phishing attacks, including impersonation of brands and prominent organizational identities, were much more common during the school year, with June and September accounting for almost half of all spear-phishing threats against schools (47% and 48% respectively).

According to the research, Gmail accounts were used to launch 86% of all BEC attacks targeting the education sector, using addresses that included terms like ‘principal,’ ‘head of department,’ ‘school,’ and ‘president’ to make them look and sound more convincing.

Cybercriminals also used ‘COVID-19’ in subject lines to grab their victim’s attention and create a sense of urgency. Researchers also found that one in four malicious messages detected had been sent from a compromised internal account. This was particularly dangerous given that these messages were sent from a trusted source.
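The sender and subject patterns described above (authority titles on free-mail addresses, ‘COVID-19’ urgency in the subject line) lend themselves to a simple header triage rule. The script below is an added illustration, not Barracuda's detection logic; the two sample messages, the keyword lists and the tenant domain `example-school.edu` are constructed for the example.

```python
"""Header-based triage for the BEC patterns described in the study.
Sample messages, keyword lists and the tenant domain are constructed
for illustration; a compromised internal account (one in four cases in
the study) will NOT trip these rules, since its headers look legitimate."""
from email import message_from_string
from email.utils import parseaddr

FREE_MAIL_DOMAINS = {"gmail.com", "googlemail.com"}
AUTHORITY_TERMS = ("principal", "head of department", "school", "president")
URGENCY_TERMS = ("covid-19", "covid", "urgent", "immediately")
INTERNAL_DOMAIN = "example-school.edu"  # assumed tenant domain

# Constructed samples: one impersonation attempt, one legitimate internal mail.
SAMPLES = {
    "bec": (
        "From: Principal Jane Doe <principal.jdoe.school@gmail.com>\n"
        "Reply-To: jdoe.office@outlook.com\n"
        "Subject: COVID-19 emergency vendor payment\n\n"
        "Please process today.\n"
    ),
    "benign": (
        "From: Jane Doe <jdoe@example-school.edu>\n"
        "Subject: Staff meeting agenda\n\n"
        "Agenda attached.\n"
    ),
}


def score_message(raw: str) -> list[str]:
    """Return the list of BEC indicators raised by one RFC 822 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().partition("@")
    subject = msg.get("Subject", "").lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    # Dots in the local part often stand in for spaces ("head.of.department").
    name_and_local = f"{display} {local}".lower().replace(".", " ")
    hits = []
    if domain in FREE_MAIL_DOMAINS and any(t in name_and_local for t in AUTHORITY_TERMS):
        hits.append("authority-term-on-free-mail")
    if domain in FREE_MAIL_DOMAINS and INTERNAL_DOMAIN.split(".")[0] in name_and_local:
        hits.append("internal-name-external-sender")
    if any(t in subject for t in URGENCY_TERMS):
        hits.append("urgency-subject")
    if reply_addr and reply_addr.lower().rpartition("@")[2] != domain:
        hits.append("reply-to-mismatch")
    return hits


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, score_message(raw))
```

The rules are deliberately coarse; in practice they would feed a score alongside SPF/DKIM/DMARC results and sender history rather than block on their own.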

Said Mark Lukie, Senior Engineer Manager, Barracuda, Asia-Pacific: “The research shows that educational institutions across APAC and the globe are being disproportionately targeted by socially-engineered attacks such as impersonation and BEC, as attackers know that these organizations don’t always have the same level of security sophistication as other organizations.”

Lukie recommended that educational institutions prioritize email security—particularly the more advanced AI-based solutions—and also review their internal policies regarding training.

“Aside from making sure you have the right technology to stay protected, it’s crucial to ensure that both staffers and students have security awareness training, and know how to recognize and report attacks. This is the first line of defense in keeping the educational institution safe and protected,” Lukie added.