Data at risk in elite Australian schools: study

More than 85,000 private school students and staff in Australia are vulnerable to email-based phishing attacks, according to new analysis.

Proofpoint’s analysis of domain-based message authentication, reporting and conformance (DMARC) adoption amongst Australia’s 100 largest independent schools (by enrolment size) found that 42% lack the most basic email protection.

These schools fail to take appropriate measures to proactively block attackers from spoofing their email domains, substantially increasing the risk of email fraud. The analysis arrives on the heels of Proofpoint’s recent State of the Phish 2023 report, which found that nine in 10 Australian organisations experienced at least one successful email-based phishing attack in 2022, with almost half (48%) reporting direct financial losses.

“No matter their size or number of students enrolled, schools remain an attractive target for scammers due to the large and diverse amount of data they store,” said Steve Moros, senior director, advanced technology group, Asia Pacific and Japan, Proofpoint.

“From sensitive information such as addresses, contact details, medical records, bank and credit card information to employee information such as tax file numbers, cybercriminals will stop at nothing to obtain all data withheld inside a school system.”

Cybercriminals also see schools as being easy targets due to their lack of cyber specialists and the high probability that students will fall for phishing scams. Cybercriminals exploit this well-known fact to extract personal information from students and staff by using luring techniques and disguising emails as messages from the school IT department or administration, often directing users to fake landing pages to harvest credentials. Email authentication protocols like DMARC are the best way to prevent email fraud and protect students, faculty and alumni from malicious attacks.

“As keepers of vast amounts of sensitive and critical data, schools across Australia must ensure that they have the strictest level of DMARC protocol in place to protect students and faculty within their networks,” Moros said.

“It’s incredibly concerning to see that only nine out of the 100 schools analysed are protected from being impersonated by cybercriminals, especially following one of the biggest years for scams and data breaches in the nation’s history. Only when these schools start shoring up their cybersecurity defences will they ensure that malicious emails can’t compromise their data.”

Organisations using a DMARC protocol can implement three levels of policy for unqualified emails attempting to spoof their domains:

1. Monitor (allows unqualified emails to go to the recipient's inbox or other folders).
2. Quarantine (directs unqualified emails to go to the junk or spam folder).
3. Reject (highest level of protection — blocks unqualified emails from getting to the recipient).

Students, staff and other stakeholders should follow the below best practice for greater security:

• Check the validity of all email communication and be aware of potentially fraudulent emails impersonating education bodies.
• Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn’t clicked.
• Follow best practices when it comes to password hygiene, including using strong passwords, changing them frequently and never re-using them across multiple accounts.
   

Image credit: iStock.com/ninitta