There was another news article about universities that became the targets of a phishing attack. Unfortunately, it wasn’t a very big headline since it is all too common for a university to be targeted. An article from bleepingcomputer.com stated that a group of hackers continues to primarily target universities using a variety of phishing techniques. In addition, a source at the University of Pennsylvania told us that they receive warnings about new phishing attacks 1-2 times every week! That’s a lot of phish to avoid!
We started wondering how our universities are dealing with the onslaught of malicious spam. According to one recent article, Duke’s best plan is for students and faculty to send in reports to warn other students and faculty whenever they spot a phish. That’s how U Penn handles phishing threats too. While the community is a great way to get the word out, it is often too little, too late for many people who become victims of known phishing attacks. If a phish can make it to the inbox, it has a pretty good chance of being opened.
There is a way to stop spoofed messages before they reach the inbox: DMARC! How many of our top universities are using email authentication to protect their students and faculty from spoofed messages? We took a look…
Email Authentication and US Universities (A summary of findings)
Out of the top 10 universities (as ranked by US News),
- only 3 are using DMARC; 70% have absolutely no DMARC protection from spoofed messages. They are sitting ducks!
- The 3 that are using DMARC are only using DMARC monitoring (they are not protected!)
Out of the top 10 schools,
- 2 records do not have an SPF policy at all,
- 4 records have overly permissive policies that won’t limit their senders,
- 4 records are very close to the lookup limit, and
- 3 records look alright (nice job Columbia, U Penn, and MIT)
- 9 out of 10 have failing scores. The last one has a D- …
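The categories in the findings above can be checked mechanically from a domain's DMARC and SPF TXT records. The following Python sketch is an added example, not Fraudmarc's tooling or the method behind these findings; it classifies records offline from an in-memory table. The domains and records are constructed, and the definitions of "overly permissive" (`+all`, `?all`, or no `all` term) and "close to the lookup limit" (8 or more of the 10 DNS lookups RFC 7208 allows) are assumptions.

```python
import re

# Constructed sample records (reserved .example names), not real university data.
ZONE = {
    "alpha.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
    "_spf.mail.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "beta.example": "v=spf1 include:_spf.mail.example ?all",
    "gamma.example": "v=spf1 a mx include:s1.example include:s2.example "
                     "include:s3.example include:s4.example include:s5.example "
                     "include:s6.example ~all",
}

def classify_dmarc(txt):
    """'missing', 'monitoring' (p=none, nothing is blocked) or 'enforcing'."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return "missing"
    m = re.search(r"(?:^|;)\s*p\s*=\s*(\w+)", txt, re.I)
    policy = m.group(1).lower() if m else "none"
    return "enforcing" if policy in ("quarantine", "reject") else "monitoring"

def spf_lookups(domain, zone, seen=None):
    """Count DNS-querying terms, following include/redirect through `zone`."""
    seen = set() if seen is None else seen
    if domain in seen:          # loop guard
        return 0
    seen.add(domain)
    count = 0
    for term in zone.get(domain, "").lower().split()[1:]:
        term = term.lstrip("+-~?")
        name = re.split(r"[:=/]", term, maxsplit=1)[0]
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            count += 1
        if name in ("include", "redirect"):
            count += spf_lookups(re.split(r"[:=]", term, maxsplit=1)[1], zone, seen)
    return count

def classify_spf(domain, zone):
    record = zone.get(domain, "").lower()
    if not record.startswith("v=spf1"):
        return "missing"
    terms = record.split()[1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    redirect = any(t.startswith("redirect=") for t in terms)
    # Assumption: +all, ?all, or no "all"/redirect at all counts as permissive.
    if (not alls and not redirect) or (alls and alls[0] in ("all", "+all", "?all")):
        return "permissive"
    n = spf_lookups(domain, zone)
    # RFC 7208 allows 10 lookups; the threshold of 8 for "near" is an assumption.
    return "over lookup limit" if n > 10 else "near lookup limit" if n >= 8 else "ok"
```

Against live domains, the `zone` table would be filled from TXT lookups on the domain and on its `_dmarc` subdomain; included domains missing from the table contribute no nested lookups, so the count is a lower bound.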
Fraudmarc can help
When 9 out of 10 of America’s top schools are failing email security, and the highest score is a D-, something has gone wrong. At Fraudmarc, we want to end email spoofing for good! That’s why we have numerous tools and services to help organizations implement and maintain complicated email authentication protocols. We offer a variety of plans to ensure we have the right fit for each organization’s unique email security needs. We also have an open source version of our DMARC reporting, Fraudmarc CE, for the technically inclined who prefer to host their own DMARC reports. Our services provide tools that make editing and maintaining SPF, DKIM, and DMARC policies easy and intuitive.