Back in November 2016, we filed Freedom of Information (FoI) requests with 70 universities across the U.K., asking about each institution’s experience with phishing. The responses we received indicate that phishing is still a major security challenge – even for top universities.
The FoI Results
Multiple factors make universities a popular target for phishing attacks. They have a large, diverse user base of students, faculty and staff, and they hold sensitive personal information on these users as well as on alumni. In addition, universities are frequently involved in grant-funded, innovative research that is valuable to a motivated attacker.
The results of our FoI requests show firsthand how exposed universities are to phishing. Seventy percent of the universities that responded to these requests indicated that they have fallen victim to a phishing attack, with 12 of them reporting that they had been attacked more than ten times in the past year. Seven of the responding universities, including two with GCHQ Certified degree courses – Oxford University and Cranfield University – reported they had been struck more than 50 times.
“The findings reveal that universities – staff and students – make popular targets for these attacks, which leaves them vulnerable to all kinds of security risks. ... They open the doors to hackers, with stolen credentials, to access an organisation’s system virtually undetected, posing as an authorised user. Worryingly, phishing is now the most popular way of delivering ransomware onto an organisation’s network.”
– Henry Seddon, Duo Security Vice President of EMEA
One thing is clear from our results: Phishing remains an important security issue affecting universities.
Phishing Affects Everyone
Universities aren’t alone. It’s important to remember that, while these results are focused on the education space, phishing affects everyone. The most recent data from our free phishing simulation tool, Duo Insight, shows that on average, 13% of users will fall victim to phishing attacks, with 61% of the campaigns resulting in at least one user attempting to submit credentials to our fake phishing page.
And stolen credentials are only one side of the phishing story. Malware is commonly delivered by exploit kits, which target known, already-patched vulnerabilities in out-of-date browsers, plugins and operating systems. A single click on a link in a phishing email is enough to land a user on an exploit kit page and compromise an unpatched device, without the user ever typing a password. In our simulated campaigns, on average 25% of users clicked these links. That’s why it’s important not only to keep your devices up to date, but also to have visibility into the devices accessing your critical applications.
How to Protect Yourself and Your Organization from Phishing
Phishing protection requires a defense-in-depth strategy. There are multiple mitigations you can put in place at each layer of the attack chain to help prevent users from falling victim to a phishing email, including:
Leverage 2FA For Critical Applications - Phishing attacks regularly aim to steal credentials from users, which attackers then use to access applications. Enforcing 2FA means a stolen password alone is no longer enough to log in. One caveat: one-time codes and push approvals can still be relayed by a real-time phishing proxy that sits between the user and the real login page, so for your most sensitive applications prefer phishing-resistant factors such as U2F/FIDO security keys, which bind the authentication to the legitimate origin.
Keep Devices Up-To-Date - As mentioned earlier, credentials are only part of the phishing threat. Knowing which devices are accessing your applications and ensuring these devices are up to date is critical to protecting against exploit kits, which are delivered through phishing links as well as through other channels such as malvertising.
Measure Your Exposure to Phishing - You can’t take action on what you can’t measure. We recommend regularly leveraging our free phishing simulation tool, Duo Insight, to measure your organization’s exposure to phishing. Plus, in our blog we offer recommendations to get more value out of your Duo Insight results and decrease your overall exposure to phishing.
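As an added example of what "measuring your exposure" looks like in practice, the script below computes the same three metrics quoted earlier in this post (share of recipients who clicked, share who submitted credentials, and share of campaigns with at least one submission) from a per-user event export of a phishing simulation. This is example code written for this post, not Duo Insight's own code or export format: the CSV layout, the event names `sent`/`clicked`/`submitted` and the sample log are all constructed assumptions, so adapt the parser to whatever your simulation tool actually exports. It also lists users who submitted credentials in more than one campaign, which is the group most worth prioritising for follow-up training.

```python
"""Compute phishing-simulation exposure metrics from a per-user event log.

Added example: the CSV layout and event names below are assumptions, not the
export format of any particular phishing-simulation product.
"""
import csv
import io
from collections import defaultdict

VALID_EVENTS = ("sent", "clicked", "submitted")

# Constructed sample export: one row per (campaign, user, event).
# Note c3/bob has a 'submitted' row before its 'clicked' row, and c1/carol
# clicked without submitting; both cases are handled below.
SAMPLE_LOG = """\
campaign,user,event
c1,alice,sent
c1,bob,sent
c1,carol,sent
c1,dave,sent
c1,bob,clicked
c1,bob,submitted
c1,carol,clicked
c2,alice,sent
c2,bob,sent
c2,carol,sent
c2,dave,sent
c2,alice,clicked
c3,alice,sent
c3,bob,sent
c3,bob,submitted
c3,bob,clicked
"""


def parse_events(text):
    """Return {campaign: {user: set(events)}}, ignoring unknown event names."""
    campaigns = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(text)):
        event = row["event"].strip().lower()
        if event not in VALID_EVENTS:
            continue
        campaigns[row["campaign"].strip()][row["user"].strip()].add(event)
    return campaigns


def campaign_stats(users):
    """Per-campaign counts. Any recorded event implies the mail reached the
    user, and a credential submission implies a click even if the click
    event itself was lost (a user cannot submit without loading the page)."""
    recipients = set(users)
    submitted = {u for u, ev in users.items() if "submitted" in ev}
    clicked = {u for u, ev in users.items() if "clicked" in ev} | submitted
    return {"recipients": len(recipients),
            "clicked": len(clicked),
            "submitted": len(submitted)}


def exposure_report(text):
    """Aggregate the three headline exposure metrics across all campaigns."""
    per_campaign = {c: campaign_stats(u) for c, u in parse_events(text).items()}
    recipients = sum(s["recipients"] for s in per_campaign.values())
    clicked = sum(s["clicked"] for s in per_campaign.values())
    submitted = sum(s["submitted"] for s in per_campaign.values())
    hit = sum(1 for s in per_campaign.values() if s["submitted"] > 0)
    n = len(per_campaign)
    return {
        "campaigns": n,
        "recipients": recipients,
        "clicked": clicked,
        "submitted": submitted,
        # Guard against an empty export rather than dividing by zero.
        "click_rate": clicked / recipients if recipients else 0.0,
        "submit_rate": submitted / recipients if recipients else 0.0,
        "campaigns_with_submission": hit / n if n else 0.0,
        "per_campaign": per_campaign,
    }


def repeat_submitters(text):
    """Users who submitted credentials in more than one campaign, sorted."""
    count = defaultdict(int)
    for users in parse_events(text).values():
        for user, events in users.items():
            if "submitted" in events:
                count[user] += 1
    return sorted(u for u, c in count.items() if c > 1)


if __name__ == "__main__":
    report = exposure_report(SAMPLE_LOG)
    print(f"{report['campaigns']} campaigns, {report['recipients']} recipients")
    print(f"click rate:  {report['click_rate']:.0%}")
    print(f"submit rate: {report['submit_rate']:.0%}")
    print(f"campaigns with >=1 submission: {report['campaigns_with_submission']:.0%}")
    print("repeat submitters:", repeat_submitters(SAMPLE_LOG))
```

Track these numbers campaign over campaign rather than as a one-off: the trend in the submit rate is the real measure of whether training and controls are reducing exposure, and the repeat-submitter list tells you where a phishing-resistant second factor would pay off first.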
These tips are basic measures you can take to significantly mitigate the effectiveness of phishing attacks. For a more comprehensive view on how these attacks are executed and measures to prevent them, check out our free guide, The Trouble With Phishing.
In this guide, you’ll get:
- the latest phishing statistics by industry
- a breakdown of how phishing works
- the anatomy of a phishing attack
Phishing attacks aren’t going away anytime soon. 2016 was a record-breaking year for the number of unique phishing sites seen, and as our results show, these attacks continue to be effective. But by implementing the basic security hygiene measures covered here, you'll make great strides toward mitigating phishing for your organization, giving both security and peace of mind.