We explore the complex threat posed by spoof emails and some of the strategies institutions use to counter it.
Given that more than 70% of people would give their passwords away for a bar of chocolate, as the BBC revealed a few years ago, it’s perhaps not surprising that the promise of free money – unclaimed grants, tax rebates, exorbitantly well-paid work – is enough to entice students into revealing personal information, sharing passwords and bank details, and even risking jail for money laundering.
The threat to UK universities from phishing emails is more potent and complex than ever before. Student Finance England’s Counter Fraud and Security teams estimate they have prevented the theft of over £1.5m in maintenance payments through scams aimed primarily at freshers over the last three Septembers alone, but security firm McAfee still caution in their most recent quarterly report that, for every ten emails sent by fraudsters, at least one will be successful.
Indeed, the BBC and Money Saving Expert warned of a new scam just before freshers’ week this academic year, which defrauded a Queen Mary University of London (QMUL) student of £300. The email appeared genuine, even down to the logo of the university’s finance department, and invited students to click on a link to claim a government bursary. Instead, the link transferred students to an online form which asked them to enter personal and bank details before taking them to a bank verification page, by which point fraudsters had already retrieved sensitive information.
The sophistication of this latest attack highlights the rapidly evolving and elusive nature of the threat posed by phishing. Some attempts are easy to identify – they begin with a generic form of address, contain significant errors in spelling, grammar or punctuation and may come from unexpected email addresses.
Others – commonly known as ‘spear phishing’ – look as if they come from an expected or reputable source, such as university IT helpdesks or financial organisations, and apply considerable pressure on recipients, warning students that their account has been hacked, or they need to verify login details, or their loan payment has been delayed, and offering a short timeframe to respond.
Recognising these scams can require as careful an approach as hovering over an embedded link to find that a website URL has been changed from 'bankofabc.com' to 'bancofabc.com'.
Social media adds another tier of intricacy: it is far harder to spot fake links when they are disguised using bit.ly or tinyurl. Spear phishing campaigns are increasingly methodical and systematic in their approach.
"Ten years ago phishing was very basic," says Austin Chamberlain, senior information security officer at University College London (UCL). "Now big organised crime groups are doing it as an industry and making hundreds of millions of dollars a year, with professional programmers working on this. It is a huge criminal industry."
He estimates that of the two to three million emails UCL receives each day, 90% is spam. The worst phishing scam he has seen occurred recently over the August bank holiday weekend, shortly before online registration for returning students, when an email was sent to UCL students from an academic address, offering a UCL-specific grant. "Six to seven UCL students were expecting to receive grant information from UCL," he reveals, "and at least one was financially hit."
While attacks targeting a particular subset of users are hardest to identify, comprehensive attacks on the entire student body pose their own challenges.
UCL outsources the bulk of its immediate threat management to Microsoft. Chamberlain explains that, while UCL could manage its own content filtering – scanning emails and filtering out those that contain nothing but a link to a domain – it is in traffic analysis that Microsoft has delivered what he characterises as a ‘slight improvement’.
"Microsoft are such a large organisation they get a much bigger threat picture, with a very good picture of mailflow around the world. They can assess how emails are being sent, is it in bulk, and if it looks suspicious, drop it."
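The manual cues described earlier (hovering over a link to spot 'bankofabc.com' swapped for 'bancofabc.com', links hidden behind bit.ly or tinyurl) and the content-filtering rule Chamberlain mentions (a body that is nothing but a link to a domain) can be turned into a small triage routine. The code below is an added illustration, not UCL's, Microsoft's or Jisc's filtering; the trusted-domain allowlist, the edit-distance threshold of two and the three sample messages are all constructed assumptions.

```python
"""Inbound-mail triage: flag link-only bodies, lookalike domains, shorteners
and anchor text that shows one URL while linking to another.
Constructed example; TRUSTED_DOMAINS and the samples are assumed, not real."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the institution maintains an allowlist of domains it links to.
TRUSTED_DOMAINS = {"bankofabc.com", "example-university.ac.uk"}
SHORTENERS = {"bit.ly", "tinyurl.com"}


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs plus any text outside <a> elements."""
    def __init__(self):
        super().__init__()
        self.links = []        # [href, anchor text]
        self.other_text = []   # text that is not part of a link
        self._in_link = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._in_link = True

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_link = False

    def handle_data(self, data):
        if self._in_link and self.links:
            self.links[-1][1] += data
        else:
            self.other_text.append(data)


def edit_distance(a, b):
    """Levenshtein distance; one substitution separates bankofabc from bancofabc."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(url):
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Trusted domain this one imitates (distance 1-2, not an exact match), else None."""
    if domain in trusted:
        return None
    for t in trusted:
        if 0 < edit_distance(domain, t) <= 2:
            return t
    return None


def triage(raw_message):
    """Return a sorted list of flags for one RFC 822 message given as a string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    p = _LinkParser()
    p.feed(body.get_content() if body else "")
    flags = set()
    if p.links and not "".join(p.other_text).strip():
        flags.add("link_only_body")               # the rule from the article
    for href, text in p.links:
        dom = registrable_domain(href)
        if dom in SHORTENERS:
            flags.add(f"shortener:{dom}")
        target = lookalike_of(dom)
        if target:
            flags.add(f"lookalike:{dom}~{target}")
        # Visible text that is itself a URL but points at a different host.
        shown = registrable_domain(text.strip()) if "://" in text else ""
        if shown and shown != dom:
            flags.add(f"mismatch:{shown}->{dom}")
    return sorted(flags)


# Constructed sample messages (not real mail).
SAMPLE_LOOKALIKE = """\
From: finance@bancofabc.com
Subject: Claim your bursary
Content-Type: text/html

<html><body><a href="http://bancofabc.com/claim">http://bankofabc.com/claim</a></body></html>
"""
SAMPLE_SHORTENER = """\
From: it-helpdesk@example-university.ac.uk
Subject: Verify your account
Content-Type: text/html

<html><body><p>Your account has been locked. Verify within 24 hours:</p>
<a href="https://bit.ly/3xyz">Verify now</a></body></html>
"""
SAMPLE_LEGIT = """\
From: finance@example-university.ac.uk
Subject: Term dates
Content-Type: text/html

<html><body><p>Term dates are published at
<a href="https://www.example-university.ac.uk/term-dates">our website</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in [("lookalike", SAMPLE_LOOKALIKE),
                      ("shortener", SAMPLE_SHORTENER), ("legit", SAMPLE_LEGIT)]:
        print(name, triage(raw))
```

The first sample trips all three checks at once (link-only body, a one-character domain swap, and anchor text that displays the genuine domain), the second is caught only by the shortener rule, and the legitimate notice passes clean. In practice the allowlist would be far larger and the distance threshold tuned against false positives, but the structure is the one a mail gateway applies before any traffic-analysis signal is available.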
Education, education, education?
For most universities, ongoing threat management relies upon education to raise awareness and prevent the phishing spam getting through in the first place: updating Twitter feeds, sending email alerts, promoting awareness training and online guidelines. But such arrangements require students to actively seek out information – and so-called digital natives are surprisingly blasé about the risks of online security.
A survey conducted by Computer Weekly in March 2016 found that while 77% of the 406 students asked recognise cyber security as a growing threat, only 35% think it is their responsibility to learn about it, and fewer than 20% say they are concerned. In particular, they found that 48% of students said they would attend university seminars on online security, but 57% then admitted that after arriving on campus they failed to find out about their university’s existing security policies.
Watch the University of Sheffield's video on the dangers of phishing.
Counterintuitively therefore, despite the increasing complexity of the phishing threat, the most effective response involves simplicity and repetition. Bob Booth, IT communication manager at the University of Sheffield who commissioned and scripted a short video on the subject three years ago, explains that phishing is "an important, but not very interesting subject" that's "also difficult to explain as there are so many variants".
Sheffield found that raising awareness about each specific threat meant that each time the message was slightly different and so there was little cumulative benefit over time. Booth explains they came to see that the "one strong defence against these kinds of attacks are clear, consistent safety advice messages that will catch people's attention and be memorable".
The video was a strategic response to a growing problem designed "so that we could use the same video to raise awareness of many different threats and keep messages consistent", and a link to it is included in every response to a phishing attempt and all general security correspondence with students.
Students, however, are not the only potential victims of phishing scams at HE institutions. At UCL, Chamberlain says, "we see staff as a bigger risk, partly because they have access to more information, including student information". Chamberlain cites an instance where a senior member of staff apparently sent an email to their PA requesting payment for a specific research purpose, only for the scam to be revealed days later when the PA requested further information.
The particular vulnerability he identifies is in HE’s collaborative ethos: "people expect to receive messages from outside the university as part of their day-to-day jobs, often unsolicited and with attachments, and this leaves many departments very exposed", particularly to system reconfiguration attacks and ransomware.
Research by Zinaida Benenson, head of the Human Factors in Security and Privacy Group at the University of Erlangen-Nuremberg, has found that "by a careful design and timing of the message, it should be possible to make virtually any person to click on a link", especially if it appeals to "(usually reliable) decision heuristics such as 'this message fits my current expectations' or 'I know the sender'" – staff opening emails and attachments labelled ‘Proposal’, ‘Abstract’ or ‘Invoice’, for example.
"Expecting error-free decision making from users under these circumstances seems to be highly unrealistic, even if they are provided with effective awareness training," she explains. It makes them either inefficient at their jobs, or inclined to disregard education attempts as counter-productive. Benenson concludes that it cannot constitute the only line of defence against phishing, for "more research is needed to determine the feasible level of defence that non-expert users are able to achieve through security education and training".
Frances Burton, Jisc’s lead security liaison, maintains that while ‘the specific targeting of key personnel is becoming more prevalent in these attacks’, nevertheless ‘educating users has shown to be effective in reducing an organisation’s risk from staff falling victim to a phishing email’. New staff at UCL have, for the last 18 months, attended a mandatory security training course, but existing staff members prove more recalcitrant and as Benenson’s research suggests, education alone cannot suffice.
Chamberlain says that UCL are, as a result, considering a controversial simulated phishing exercise, sending out an imitation phishing email to staff and monitoring the response. "It’s not about being aggressive or blaming people", Chamberlain stresses, simply that given "the amount of phishing we’ve experienced we think that something more drastic has to happen".
And it's not just HE – while the threat currently seems most potent for higher education institutions, further education colleges were warned in 2014 that fraudsters were beginning to target staff in the sector, pretending in that instance to be the Skills Funding Agency.
For both students and staff, the challenge is how to convey key information about new attack methodologies in a rapidly mutating threat landscape without incurring user fatigue.
"People are becoming more aware", concludes Chamberlain, but "the attackers are becoming very savvy and their tools are getting better. All we can do is tell people to think again, think twice when you get an email with an attachment, or requesting bank details, or asking that you send money somewhere – just double check, maybe make a phone call and confirm it with the purported sender."