Many universities could be at risk of easy phishing attacks

A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
(Image credit: weerapatkiatdumrong / Getty Images)

Barely any of the UK’s top universities are protected against being abused in phishing and spoofing attack, new research has claimed.

A report from email security provider EasyDMARC reviewed the security policies of all of the main email domains used by the top 100 UK universities, finding less than a fifth (19%) of the .ac.uk domains having correctly implemented and configured security policies to flag, report, and remove outbound phishing emails. 

While almost all domains (88%) have implemented the DMARC standard for automatic flagging and removal of receiving fraudulent emails (Domain-based Message Authentication, Reporting, and Conformance), the tools are mostly under-utilized, the report further claimed.

In it for the money

Of the university domains implementing DMARC (88), 59 had their policies set to monitor outgoing emails impersonating legitimate domains. Another 25 were quarantining such emails, while 20 institutions (19% in total) set their DMARC to automatically reject site emails impersonating their domains.

The report’s conclusion is that many DMARC implementations among UK top 100 .ac.uk domains are leaving users exposed to phishing emails. “This creates a substantial risk of ransomware attacks, fraud, and data breaches,” it was said in the report.

Gerasim Hovhannisyan, EasyDMARC CEO and co-founder, found the findings “concerning”, stating: “With many organizations moving to cloud-based email ecosystems, it’s likely that many educational institutions are finding it difficult to find a way to implement DMARC that can operate seamlessly alongside their SaaS solution stack,” he said. “For vendors and service providers to educational institutions, these findings should be a wake-up call regarding the massive security gap that needs to be filled with cloud-native DMARC solutions.”

Due to its ease of use, low cost, and omnipresence in the business realm, email remains the number one attack vector for most cybercriminals. While common sense and endpoint protection eliminate most of the risk, security policies still play a vital role.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.