Absolutely they are!

The Cyber Breaches 2022 Survey Education Annex has some brilliant insights into what educational institutions are currently facing in terms of cybercrime and as in previous years, phishing is the top detected cyber attack and it’s easy to see why.

You don’t need any technical knowledge to send an email. As humans we are easy to trick when we are just faced with skilled manipulators and in today’s hectic workplace, many of us work through our emails as quickly as possible without considering the overall picture.

When an average of 90.25% of institutions have detected a phishing attack, institutions need to make sure they are doing all they can to prevent this constant barrage of attacks from causing significant damage.

As one of the respondents said

“The biggest challenge is getting people to understand the 'even with multi-layered defences... a single person can still bring down the whole system” Higher education institution

And it’s not just emails that phishing attacks can come through, it can be any form of communication including texts (smishing), voice (vishing) or now even QR codes (quishing).

But despite phishing being acknowledged as the biggest attack vector, not enough schools are training their staff to be aware of the risk and how to deal with it.

Tips for defending against phishing

The National Cyber Security Centre suggests these four layers to defend against attacks:

1. Make it difficult for attackers to reach your users

• Employ anti-spoofing controls so that attackers can’t pretend to be you: DMARK, SPF, DKIM. As an educational institution you can sign up to NCSC free Mail Check service which will let you know if your anti-spoof controls are all in order
• Understand what information is published that could be used to create spear phishing email – those targeted to a particular person/department with personalised content. You might want to have at look at what a corporate internet investigation might highlight.
• Filter or block incoming phishing emails using your email provider or specific service

2. Help users identify and report suspected phishing emails

• Ensure your staff know the warning signs of a phish but understand that they can be very difficult to spot
• Ensure staff know what to do if they get a phishing attack and what to do it they are tricked

3. Protect your organisation from the effects of undetected phishing emails

• Consider which devices need what defence. It might be disabling macros, the autorun feature or blocking specific extensions known to be used by specific malware.
• Use a proxy service to block any attempt to reach websites which have been identified as hosting malware or phishing campaigns
• Set up 2FA/MFA wherever possible
• Use a password manager or a single sign on method. Due to the autofill component, then user will get used to not having to fill in their password and may be more likely to question it when they have to.

4. Respond quickly to incidents

• Use a security logging system to pick up on those incidents that your users are not aware of.
• Have an incident plan ready and test it. The ECRC has a free template you can download and use for your organisation is you haven’t got a plan yet and you can test your plan with Exercise in a box.

Reporting phishing

You want your staff to report a phishing attack as soon as they realise they have fallen victim, rather than waiting until a forensic investigation identifies it.

The National Cyber Security Centre (NCSC) have created an enterprise Outlook add-in for staff to be able to report email phishing directly from their email box. The NCSC will the actively seek to disrupt the criminals sending these messages, protecting you from them as well as the wider community.

And you can report more than emails.

• Reporting a suspicious website - https://www.ncsc.gov.uk/section/about-this-website/report-scam-website.
• Reporting a suspicious email – forward to report@phishing.gov.uk
• Reporting a suspicious text message – send to 7726. This free-of-charge short code enables your provider to investigate the origin of the text and take action, if found to be malicious.

Further guidance & support

The Eastern Cyber Resilience Centre provides both individual and corporate internet discovery so you can see what information could be used to craft that phishing attack. We also provide Staff Awareness Training, but did you know your local police protect officer might be able to do this too? We train and mentor local university students, so when we say affordable, it really is. Find out more here.

The Eastern Cyber Resilience Centre is a not-for-profit membership organisation, run by policing, with the intention of increasing cyber resilience of SMEs within the East of England.

You can contact the Cyber Resilience Centre for guidance and support through our e-mail enquiries@ecrcentre.co.uk or use our online booking system to make an appointment with one of our team.

We also provide free guidance on our website and we would always encourage you to sign up for our free core membership. Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.

Policing led – business focussed.