Timely and Personalized Emails Lower Users’ Defenses
“Higher education is a treasure trove of sensitive data,” says John Ramsey, CISO for the National Student Clearinghouse. “Higher ed encompasses the scope of almost every sensitive data type that exists, ranging from students’ personally identifiable information to HIPAA for the medical universities to intellectual property for the institutions heavily invested in research.”
That makes universities a high-value target for phishing scams.
At Cedarville University in Ohio, Associate Professor of IT Management Phoebe Tsai has witnessed the risk firsthand. This summer she received an email from a bogus website that appeared to be affiliated with the university bookstore.
“The email was completely personalized and listed the three courses that I was going to teach in this semester,” she says. “It asked me to share the links with my students so they could have easy access to the textbooks for the new semester. I did not click on the links or share them only because I was too busy at that moment. If the official university bookstore had not blown the whistle, I would not have realized that the email was illegitimate. The attacker picked the time when professors were intensively thinking about syllabi, students and textbooks. They almost got me.”
Counteract Phishing Attempts with These 6 Strategies
Despite the challenges, a few basic steps can help higher education leaders significantly reduce the risk of a successful phishing exploit.
- Remove Formatting: Indiana University officials instruct students and faculty to read email in plain text rather than HTML format. This removes potentially toxic clickable images and limits an attacker’s ability to take advantage of the mail client in order to execute code. For those who do read mail in HTML, the university’s IT experts recommend hovering the mouse over the links in each email message to display the actual URL. Users can also look for a digital signature that helps ensure the message actually came from the sender.
- Make It Personal: “For the end user, there is no perceived consequence to getting this wrong,” says Alex Grohmann, a director on the Information Systems Security Association international board. To convince employees of the urgency of phishing prevention, IT must make it personal. “This is not just about the company or the institution being at risk,” he says. “These practices protect them as individuals. This is something that could happen to them personally. They can be compromised at home, and there’s no IT department to ride in and save you. When they understand there can be personal consequences in this, they will be more likely to use good hygiene.”
- Set Effective Limits: Email filtering tools can help prevent phishing; for example, by rejecting messages that contain suspicious links. But there’s a downside. “You can only ratchet up those tools to a certain level before you start to impact business operations, before you start blocking legitimate emails that maybe are time sensitive,” Grohmann says. “So you have to do an ongoing balancing act. If you are doing business with a particular vendor or partner, for instance, you can have the IT department set up a secure mailbox so those messages get through. It takes time and effort but it may be necessary in order to set effective limits that don’t interrupt your operations.”
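The two practices above, hovering over a link to compare the displayed address with the real one, and a filter that rejects suspicious links but lets a known vendor’s mail through, can be automated in a few dozen lines. The script below is an added example written for this article, not code from any of the universities or organizations quoted; the sender allowlist, the domains and the three sample messages are all constructed for illustration.

```python
# Added example, not from the article: automates the "hover to see the real URL"
# check and a filter policy with a trusted-sender allowlist. All sample messages
# and domains below are constructed for illustration.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: senders whose mail gets through even when it contains
# links (the "secure mailbox" for a known vendor). It is keyed on the From
# header, which is forgeable, so pair it with DKIM/DMARC results in practice.
TRUSTED_SENDER_DOMAINS = {"bookstore.example.edu"}

# Visible anchor text that itself names a host or URL.
URL_LIKE = re.compile(r"(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def host_of(url):
    """Lowercase host of a URL or bare domain ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def extract_links(html_body):
    parser = LinkCollector()
    parser.feed(html_body)
    return [(href, text.strip()) for href, text in parser.links]


def mismatched_links(html_body):
    """The hover check: anchors whose visible text names a host that differs
    from the host the href actually points to."""
    return [(text, href) for href, text in extract_links(html_body)
            if URL_LIKE.fullmatch(text.lower()) and host_of(text) != host_of(href)]


def classify(raw_message):
    """Filter policy: a mismatched link is always rejected; links from an
    unknown sender are flagged for the reader; trusted senders pass."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload(decode=True) or b""
    html = body.decode(msg.get_content_charset() or "utf-8", "replace")
    links, bad = extract_links(html), mismatched_links(html)
    if bad:
        verdict = "reject"
    elif links and sender_domain not in TRUSTED_SENDER_DOMAINS:
        verdict = "flag"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "sender_domain": sender_domain,
            "links": links, "mismatched": bad}


# Constructed samples: a lookalike sender whose link text hides a different host,
# the real vendor on the allowlist, and an unknown sender with an honest link.
PHISH_SAMPLE = """\
From: "Campus Bookstore" <orders@bookstore-textbook-links.example>
To: instructor@example.edu
Subject: Textbook links for your three courses
Content-Type: text/html; charset=utf-8

<html><body><p>Please share these links with your students.</p>
<a href="http://bookstore-textbook-links.example/login">bookstore.example.edu/textbooks</a>
</body></html>
"""

VENDOR_SAMPLE = """\
From: "Campus Bookstore" <orders@bookstore.example.edu>
To: instructor@example.edu
Subject: Fall textbook list
Content-Type: text/html; charset=utf-8

<html><body><a href="https://bookstore.example.edu/textbooks">bookstore.example.edu/textbooks</a></body></html>
"""

UNKNOWN_SAMPLE = """\
From: newsletter@publisher.example
To: instructor@example.edu
Subject: New titles this month
Content-Type: text/html; charset=utf-8

<html><body><a href="https://publisher.example/catalog">See the catalog</a></body></html>
"""

if __name__ == "__main__":
    for name, raw in [("phish", PHISH_SAMPLE), ("vendor", VENDOR_SAMPLE), ("unknown", UNKNOWN_SAMPLE)]:
        print(name, classify(raw)["verdict"])
```

The three verdicts show the balancing act Grohmann describes: a link whose visible text and destination disagree is rejected outright, an unknown sender’s links are flagged rather than blocked so time-sensitive mail still arrives, and the allowlisted vendor is delivered untouched. Because the allowlist trusts the From header, a real deployment should only honor it when the message also passes an authentication check such as DKIM or DMARC, which is the machine-readable form of the digital signature the Indiana University guidance mentions.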
- Assume the Worst: Despite all preventive measures, there’s a good chance some phishing act will succeed. With this in mind, it makes sense to organize systems around the principle of damage control, with role-based controls and network architecture all geared toward limiting an intruder’s access. “Machines should be isolated in their own networks. People should have the least amount of access needed to do their jobs,” says Shane Chagpar, a solution designer and instructor with IT consultancy Kepner-Tregoe. “The person in marketing shouldn’t be able to view and edit reports from the financial side. Or they should only be able to view certain reports. You have to be granular in how you grant access.”
- Make Training Realistic: Anti-phishing awareness doesn’t come from a PowerPoint deck. It comes from hands-on, realistic exercises. “You might have a Bed Bath & Beyond coupon that looks very real. Or you put things in the email that make people mad: Click here to see pictures of your spouse with someone else,” says Bruce Beam, CIO of (ISC)2, a nonprofit membership association of certified cybersecurity professionals. “On Valentine’s Day: We’re trying to deliver flowers, click here to confirm your address. If people are going to learn, the training has to be realistic. It has to be convincing.”
- Be a Better Organization: Phishing schemes are psychological in approach: The scammers know that people who are stressed, hurried or under pressure are more likely to respond to an urgent-sounding message. One key way to stop the clicks is to build a friendlier, less harried workplace. “Pressure and stresses lead to people clicking on emails,” says Daniel Norman, a research analyst with the Information Security Forum. “So if you can reduce the stress and reduce the pressure, if you can create a more positive work environment, that is actually going to reduce the likelihood of people clicking on phishing emails.”