Have you ever looked at a phishing email and wondered, how could anyone possibly fall prey to that? Although your students and employees may be less susceptible than others, hackers are evolving in their sophistication, creativity, and maliciousness by the day. What previously seemed overly opportunistic is now becoming increasingly lucrative, and as we’ve recently learned, fraudsters are targeting the higher education space. Let’s investigate how phishing has made its way on campus in the past and strategize how we can work together to protect your university going forward.
Size of the prize
Besides being able to reach a campus full of students and employees who check email religiously, cybercriminals know the merits of infiltrating a higher education network. By obtaining bank accounts, social security numbers, addresses, and other personal information from unsuspecting students and employees, they can socially engineer their way to immense profits by unlocking payment cards or piecing together personal data on the dark web.
The devil is in the detail
One recently discovered phishing scheme attempted to target a Florida community college by leveraging a fake active shooter alert. As KnowBe4 CEO Stu Sjouwerman noted, by exploiting current concerns over active shooters on campus, the attack hinged on generating “panicked, reflexive clicks from recipients who [were] already on edge over the recent shooting at Marjory Stoneman Douglas High School — also in Florida”. Remember, all it takes is a few clicks before a phish can collect sensitive information.
A Canadian university is still trying to recover its losses after discovering that it was defrauded of $11.8M in August 2017. The staff received fake emails from a fraudster posing as a vendor and requesting a change in banking information. Only when the actual vendor company called the university asking for payment did the staff realize the breach, but it was too little, too late. Although $11.4M was traced to accounts in Montreal and Hong Kong, the remainder is still missing.
Some schemes work in tandem, targeting both students and employees. According to a PSA from the FBI just a few years ago, phishers are now enticing students by offering them pseudo work-from-home job opportunities. After coaxing them into providing bank information “under the guise of a direct deposit”, scammers redirect employee payroll deposits to the student’s account. Then, they ask the student to wire back a portion of the deposit as a refund, effectively turning the unaware student into an accomplice to fraud.
The other end of the double-edged phish notifies university employees of a change to their human resource status. Once employees click the email link and enter their logins into a fake page, their information is stolen and paychecks are rerouted.
Drop in the ocean
Now you’re wondering how your university can protect its students and employees from being reeled in by phishing. Instead of overwhelming you with a myriad of options, we’ve grouped them into general buckets and brainstormed some solutions:
Top-of-the-funnel: install advanced spam filtering solutions that include anti-phishing capabilities
Bottom-of-the-funnel: consider a web filtering program that can block end users from opening phishy websites
Ongoing: establish a training program for students and employees during orientation
However, none of these is enough on its own. Drawing the analogy between phishing and fishing, simply placing a “do not fish here” sign near your local lake isn’t enough to stop everyone. By adding controls at all touchpoints, you can stop phishing from spreading across your campus.
The best part is, you don’t have to go it alone. Partner with Arrow Payments, the team on your team. We’ll do all the heavy lifting to help protect your students’, customers’ and donors’ credit card payment information. Then if you do suffer a phishing attack, at least you don’t have to worry about it resulting in the fines, losses and reputational damage of a credit card data breach.
What are you waiting for? Set up 30 minutes to learn more today: