Education pays, and cyber criminals have been taking the lesson to heart. News broke that Trinity College Dublin’s fundraising arm lost an estimated €1 million in a suspected email fraud. In the same week, it emerged that seven out of ten UK universities have fallen victim to phishing scams.
Trinity College Dublin’s fundraising arm confirmed its bank had alerted it to suspicious activity in its accounts. The Irish Sun estimated that the total amount scammed could be as much as €1 million. Trinity Foundation hasn’t commented on the reported figure.
UK universities appear to offer similarly rich pickings. The authentication company Duo Security filed Freedom of Information requests to 70 institutions. It discovered that 72% had suffered a phishing incident.
Seven of the universities that responded said they had been struck more than 50 times. 12 of the 70 universities suffered ten incidents or more in the past year.
In February, the UK’s fraud and cybercrime reporting centre Action Fraud warned about a phishing scam specifically targeting UK university staff. A bogus email would arrive, claiming to be from university HR departments, telling recipients they were due for a pay increase. The link in that message led to a fake website asking for personal details such as university login and other financial information.
It’s not hard to see why scammers might target an organisation like Trinity Foundation (2016 income: €73 million). Duo Security also offered other reasons. “They have a large, diverse user base consisting of students, faculty and staff, and they hold the sensitive personal information for these users as well as alumni. In addition, universities are frequently involved in grant funded, innovative research that is valuable to a motivated attacker.”
As a side note, kudos to the communications team at the Trinity Foundation whose statement described the incident clearly and factually as ‘an apparent computer-based fraud’. The same credit is not due to eager sub-editors at various media outlets who rushed to dub the incident a ‘cyberattack’.
To be fair, the former description does not make for a catchy headline – and it probably isn’t great for SEO rankings, either. But as we noted on this blog recently, it’s better not to use the phrase ‘cyberattack’ when describing a relatively common, unsophisticated and non-destructive security incident.
There’s a bigger point here than just being pedantic. Using words like ‘fraud’ or ‘scam’ turns incidents like this into an easily understood business risk rather than a complex technological problem. Such scams succeed because criminals exploit procedural weaknesses, not IT gaps.
It’s probably cold comfort to anyone who has lost money to a cyber scam, but even the biggest companies aren’t immune. Last week, Fortune disclosed that the victims in a $100 million payment fraud turned out to be none other than Google and Facebook.
Some simple operational controls could help organisations avoid succumbing to scams where money, rather than data, is at stake. For example, making it mandatory for two parties to sign off on any money transfer over a certain defined value.
At a more basic level, they could create a rule that if anyone receives an email that appears to come from a colleague or senior figure within the university requesting an urgent transfer of money, the employee should first call that person (rather than replying to the email) to confirm whether or not the message is genuine.
Organisations can reinforce that rule through regular, targeted security awareness training to key staff whose hands hold the proverbial purse strings.
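As an added illustration (not part of the original post, and not a description of Trinity Foundation’s or any university’s actual controls), the two rules above can be written down as a small payment-release policy: a transfer above a defined value needs sign-off from two distinct people, and a request that arrived by email cannot be released until someone has confirmed it by phone using a number on file rather than one supplied in the message. The threshold, names and phone numbers are constructed for the example.

```python
"""Illustrative payment-release policy (added example, not from the original post).

Models two procedural controls:
  1. transfers above DUAL_APPROVAL_THRESHOLD need two distinct approvers,
     neither of whom is the person the request claims to come from;
  2. a request that arrived by email must be confirmed out of band, by calling
     the number held in the internal directory (never a number from the email).
Threshold, names and phone numbers are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

DUAL_APPROVAL_THRESHOLD = 10_000  # constructed value; in practice set by finance policy

# Phone numbers on file for people who may request transfers (constructed).
# A verifying call must use one of these, because a number quoted in the
# suspicious email would simply connect the caller to the fraudster.
DIRECTORY = {"dean": "+353-1-000-0001", "bursar": "+353-1-000-0002"}


class PolicyViolation(Exception):
    """Raised when an action would bypass one of the controls."""


@dataclass
class TransferRequest:
    request_id: str
    amount: float
    claimed_requester: str            # who the message says it is from
    channel: str                      # "email", "portal", ...
    approvals: Set[str] = field(default_factory=set)
    callback_confirmed: bool = False
    callback_number_used: Optional[str] = None


def record_callback(req: TransferRequest, number_dialled: str, confirmed: bool) -> None:
    """Record the out-of-band check for an email-originated request."""
    if number_dialled != DIRECTORY.get(req.claimed_requester):
        raise PolicyViolation("callback must use the number on file, not one from the email")
    req.callback_confirmed = confirmed
    req.callback_number_used = number_dialled


def approve(req: TransferRequest, approver: str) -> None:
    """Add a sign-off; the claimed requester can never approve their own transfer."""
    if approver == req.claimed_requester:
        raise PolicyViolation("requester cannot approve their own transfer")
    req.approvals.add(approver)   # a set, so the same person cannot count twice


def can_release(req: TransferRequest) -> Tuple[bool, List[str]]:
    """Return (ok, unmet_conditions); ok is True only when the list is empty."""
    reasons: List[str] = []
    if req.channel == "email" and not req.callback_confirmed:
        reasons.append("email-originated request not confirmed by phone")
    needed = 2 if req.amount > DUAL_APPROVAL_THRESHOLD else 1
    if len(req.approvals) < needed:
        reasons.append(f"{needed} approval(s) required, have {len(req.approvals)}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed scenario: an email claiming to be from the dean asks for an urgent transfer.
    req = TransferRequest("R1", 50_000, claimed_requester="dean", channel="email")
    print(can_release(req))                      # (False, [callback missing, approvals missing])
    approve(req, "clerk")
    approve(req, "bursar")
    print(can_release(req))                      # still blocked: no phone confirmation
    record_callback(req, DIRECTORY["dean"], confirmed=True)
    print(can_release(req))                      # (True, [])
```

The point of the model is that neither control on its own is enough: two genuine approvers can still be talked into releasing money by a convincing email, and a phone call alone does not stop a single compromised account moving a large sum. Together they turn a one-person mistake into something that needs several independent failures.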