Higher education institutions have long been aware that cybercriminals target their faculty, staff and students through phishing attacks. Recently, the problem has gotten worse: The FBI issued a warning that as of January 2022, Russian criminal forums were offering for sale or giving away credentials and VPN access to many U.S.-based colleges and universities.
Criminals use stolen credentials for multiple purposes, often for access to intellectual property or prepublication technical writing. They may target staff, stealing credentials to gain access to financial systems. Individuals may be targeted in an attempt to drain their bank accounts, steal their credit card information or conduct fraudulent transactions. And because people reuse their credentials, stolen passwords can be used for brute-force credential-stuffing attacks across affiliated organizations.
One of the most concerning issues for higher education is that phishing scams have moved beyond the traditional email-based approach and now utilize other channels such as social media, phone calls, voicemail, text messages and more.
Click the banner below to receive exclusive content about cybersecurity in higher ed.
How Phishing Attacks Work, and Why They Succeed
Phishing attacks are wildly successful: 91 percent of all cyber breaches include phishing, according to Deloitte. Traditional phishing involves sending an email that looks legitimate, purporting to come from the institution or a friend or colleague. The email may have an embedded credential harvester or a link to a .edu domain that is actually a clone of the legitimate web page where users enter their credentials.
With the advent of remote working and learning, cybercriminals are increasingly using multichannel phishing to evade email security and exploiting the use of text messages and collaboration tools such as Slack, Zoom, Microsoft Teams and other channels that are less protected. Mobile devices are an attractive target because they are less secure, their content may be truncated, and users are often distracted as they multitask.
For example, the cybercriminal may send a WhatsApp message with an invitation to a Teams meeting. When the user enters credentials on the cloned website, the criminal can take over the account and deliver additional attacks via Amazon Web Services and Microsoft Azure, Outlook and SharePoint.
What Do Vishing and Smishing Mean?
Vishing and smishing attacks are increasingly popular vehicles for multichannel phishing attacks.
Vishing attacks involve phone calls or voicemails from someone claiming to be from the target’s bank, the target’s employer, the IRS or law enforcement. Targets are notified that their computer is infected, their password has expired or there is suspected fraud; to fix the problem, they must share personal information. Because scammers can place multiple calls at once using VoIP and can spoof the caller ID to make the call look legitimate, it’s easy to fool people.
91%
The percentage of all cybersecurity breaches that begin with phishing
Source: deloitte.com, “91% of all cyber attacks begin with a phishing email to an unexpected victim,” Jan. 9, 2020
Smishing attacks rely on the fact that people trust text messages more than email. For example: An SMS message comes from what looks like the target’s bank with a fraud alert notice. The target opens the message and clicks on an embedded link to verify recent credit card purchases. The link in the message leads to a spoofed site where the target enters credentials, a Social Security number or other sensitive data.
How a Cyber-Readiness Plan Can Prevent Multichannel Attacks
University IT teams can help prevent multichannel phishing attacks through a cyber-readiness plan that focuses heavily on user education about risks. Training in how to identify social engineering tactics and suspicious communications via email, SMS, voice, web and other channels should include advice on indicators of fraudulent communication: It comes from unexpected sources, involves a sense of urgency and demands personal information.
Security tools that use artificial intelligence can detect and block malicious threats across multiple channels. They can identify phishing sites and spoofed URLs as soon as those sites are created — an important capability because attackers bring up and take down such sites frequently. Requiring strong passwords, establishing lockout rules for multiple failed login attempts, and the use of multifactor authentication are also important activities.
Despite increased vigilance by both institutions and users, phishers will sometimes get through. When that happens, the best defense is preparation: Segment the network to reduce the impact of a successful attack. Update and patch systems. Maintain an up-to-date incident response plan.
Security is complex, and keeping people safe requires constant monitoring, strong user education, systematic preparedness and the ability to quickly adapt to a changing threat landscape. As phishing moves to a multichannel approach, universities and colleges must act nimbly to protect institutions and their users.
WATCH NEXT: A cybersecurity training people actually want to attend.