The back-to-school season is a great time for shopping, but it also happens to be a great time for hackers to attempt a phishing scam.
In recent years, phishing attacks on K–12 schools and higher education institutions have been on the rise. While schools should always be prepared to fend off an attack, the threats are often seasonal.
“This is a great time to go after overloaded staff because they just don’t have time,” says Asaf Cidon, vice president of content security services at Barracuda.
During the fall semester, staff and students are bombarded with an abundance of emails from new people, and busy university IT teams are not on the lookout for those kinds of attacks, he says.
Be Aware of Seasonal Cyberthreats
In addition to the back-to-school season, Cidon says tax season and the holidays are also prime time for scammers. During tax season, scammers send targeted emails to payroll and human resources departments requesting W-2 forms.
Cidon says end users are vulnerable during the holiday season largely because they are accessing emails on mobile devices and paying less attention to what they are clicking.
Some universities have crafted warnings for these specific seasons, which help to keep awareness of phishing scams top of mind for their students and staff.
Best Practices for Stopping Phishing
Even with these seasonal attacks on the rise, Cidon says that IT teams should have a battle plan in place at all times to keep users informed and networks secure.
“When we look at what to do to tackle these problems, we look at two areas: the machine and the human aspect,” says Cidon. “The machines should always be running, they don’t sleep. On the human side, it’s not a bad idea to provide specialized training during the beginning of the school year.”
According to Cidon, the most effective end-user training is a simulation of an attack with staff who have access to sensitive information. Using examples of attacks at other universities, IT can mock up phishing emails to see which scams trick staff and students, says Cidon.
Generally speaking, there are certain aspects of a phishing or spear-phishing email that users should look out for. To help users identify a scam, a lot of universities distribute lists of the information they wouldn’t ask for in an email.
For example, Florida State University advises students and staff to be wary of emails that:
- Ask for login credentials
- Threaten to suspend an account or service
- Notify you of a virus
- Tell you to click a link to solve an issue
However, Cidon says the best defense against phishing is to prevent malicious emails from reaching inboxes in the first place, which is where machines come in. He recommends that colleges use a filtering system that recognizes when someone is trying to use university credentials from outside the area where the university is located.
Cidon also recommends that universities employ two-factor authentication to keep accounts secure even if credentials are compromised.
“If someone does get in, it’s another moat around the castle,” he says.