Phishing in education: a hacker’s gateway

Educational institutions often do not have access to the same kinds of deep pockets as private corporations. Why, then, are they such interesting targets for hackers and what can be done to prevent attacks?

Early October, the Belgian Artesis-Plantin group was attacked by hackers who managed to install ransomware on the school’s servers. No less than ten (10!) campuses were affected, many of which were unable to open their doors to students due to the significant damage done to IT infrastructure.

Research suggests that over the past year the number of cyberattacks aimed at educational institutions – including primary and secondary schools, alongside colleges and universities – increased by 24%. More than in any other industry. Furthermore, it is expected that the upsurge in work-from-home and learn-at-home regimes because of COVID-19 measures will drive those numbers further upwards in the final quarter of this year.

Why schools?

“Teachers never get rich.” It is a cliché that goes back a long way. The saying applies to the educational sector as a whole: while there is a lot of money going around in the industry, you will never hear an IT administrator admit he has some unallocated budget. Wealthier private sectors would seem the more logical choice to hackers.

Nevertheless, schools face more and increasingly advanced hacking campaigns year over year. DDoS attacks bringing down networks, phishing emails carrying ransomware and spear phishing attempts trying to gain extremely sensitive data: digital threats flourish.

The explanation is simple: university servers are filled with important research data. If those are lost, an institution risks years’ worth of insights, efforts and investments. Hacked organisations will do whatever they can to retrieve their data, going as far as paying a ransom.

Where colleges are concerned, it is not so much a case of keeping research data for ransom, as it is about breaching the gateway to a gigantic storehouse of (personal) information. The more information a hacker has at his disposal, the easier it becomes to social engineer his way to a successful phishing attack. Colleges possess email addresses, birth data, social security numbers, financial information and more about their students. It is a treasure trove for hackers. If a college or university succumbs to a cyberattack, everyone should be preparing for a phishing campaign.

Everyone is vulnerable

Our analysis always proves that there is not one single, well-defined profile that is particularly vulnerable to phishing attacks. Whether it is a professor, principal, student or administrative personnel… every profile proves to be equally susceptible to our automated email simulations. Genuine phishing attacks will only confirm these results.

During a first test of our platform, (at least) 1 in 5 recipients will take the bait. If we apply that to an educational institution the size of Artesis-Plantin, that means hackers have 3,000 chances of getting in. And once they are in, they are nearly impossible to evict.

Why blame IT?

When an educational institution is faced with ransomware, the IT department often is in the crosshairs. They are in charge of networks, updating systems and keeping malware out. When it eventually does go wrong,  IT is in the doghouse.

It is, of course, an unwarranted knee-jerk reaction. Especially when it comes to phishing, it often suffices to gain access to a low-level standard account without many rights in order to then be able to infect an entire network. From there, hackers can work their way up: if a ‘colleague’ asks for help, only few will refuse.

Furthermore, IT admins have to work with limited budgets. They have to use their restricted funds to eliminate as many threats as possible, while at the same time they are obliged to keep their networks accessible to thousands of different people, each connecting through their own brought-from-home devices. It is a disaster waiting to happen.

Is there a solution?

People are the weakest link in any cybersecurity system. They are curious, love clicking hyperlinks and they prove to be very slow learners. For instance, did you know that someone receiving a security training will take six months at most to forget everything he learned? The only way to secure a sensitive environment such as an educational institution is to train everyone linked to the network, at least once per month – employees as well as students. After all, you can control the devices employees use, while students have to make do with whatever they can bring from home.

That is where Phished comes in. Aided by our automated phishing platform, over 50,000 daily users are already sharpening their anti-phishing skills. Learning how to recognise and deal with every type of phishing in the book.

The Phished platform is available for a free 14 day trial.

Want to know more?

For more information on phishing in education, you can download our free ebook, or contact [email protected]

Contact us

+32 (0)53/31.97.55

3000 Leuven, Belgium

Protect your organisation

Try out our platform for 14 days without any obligation!