Fake invoices are easier to detect when they piggyback on emails from people you don't know. We are well aware that messages from complete strangers can range from irrelevant to dangerous, since they may harbor malware and land the victim in cybersecurity trouble. Phishers and cybercriminals know this basic principle of safe computing too, so they keep devising new ways to trap their potential victims, chiefly through social manipulation: what is the chance that you will open an "invoice" sent to you by your manager "John"? In that same email, your boss orders you to check the invoice and report to him if there is any discrepancy, a call to action. And of course, the FROM: header says the email really came from "John", so what's wrong?
The scenario above is far too common, especially for organizations whose staff information is public. Schools, colleges, and universities are one such group. The officers of an educational institution are usually listed on its official website, often with their email addresses. Phishers can then forge the FROM: header so that the receiving employee sees the phishing email as coming from manager "John", and that same email demands a call to action on the part of the employee: open the invoice. Unless the employee is cybersecurity-aware, it is fairly difficult not to just go with the flow and open the malicious "invoice" attachment, at which point all hell breaks loose as the unknown malware infects the hard drive and every shared drive to which the user has write access.
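A forged FROM: header is only the visible part of the message; the envelope sender and the receiving server's SPF/DKIM/DMARC results usually tell a different story. The following is an added example, not code from the article, showing the check a mail gateway or triage script can run: parse the headers, compare the From: domain against the Return-Path domain, read the Authentication-Results header, and flag an "invoice from the boss" whose authentication does not line up. The domains, the executive directory and both sample messages are constructed for illustration.

```python
# Added example (not from the article): flag messages that claim to come from a
# known executive but whose envelope sender or authentication results disagree.
import email
from email import policy
from email.utils import parseaddr

# Hypothetical values: the institution's own domain and a small directory of
# publicly listed officers whose names are attractive to impersonate.
INTERNAL_DOMAIN = "example-university.edu"
KNOWN_EXECUTIVES = {"john.smith@example-university.edu": "John Smith"}

# Constructed sample 1: display name says "John", but the bounce address and the
# receiving server's SPF/DMARC verdicts point to an unrelated sender.
RAW_SPOOFED = """From: John Smith <john.smith@example-university.edu>
Return-Path: <bounce@mailer-hypothetical.example>
Authentication-Results: mx.example-university.edu;
 spf=fail smtp.mailfrom=mailer-hypothetical.example;
 dkim=none;
 dmarc=fail header.from=example-university.edu
Subject: Invoice 4471 - please check and report any discrepancy
Content-Type: text/plain

Please open the attached invoice and report any discrepancy to me today.
"""

# Constructed sample 2: the same sender, this time genuinely from the domain.
RAW_LEGIT = """From: John Smith <john.smith@example-university.edu>
Return-Path: <john.smith@example-university.edu>
Authentication-Results: mx.example-university.edu;
 spf=pass smtp.mailfrom=example-university.edu;
 dkim=pass header.d=example-university.edu;
 dmarc=pass header.from=example-university.edu
Subject: Invoice 4471 for the lab equipment order
Content-Type: text/plain

Attached is the invoice we discussed; no action needed beyond filing it.
"""


def parse_auth_results(value):
    """Turn 'authserv-id; spf=fail ...; dkim=none; dmarc=fail ...' into a dict."""
    results = {}
    for part in value.split(";")[1:]:  # skip the authserv-id
        part = part.strip()
        if not part:
            continue
        token = part.split()[0]  # first token is 'method=result'
        if "=" in token:
            method, result = token.split("=", 1)
            results[method.lower()] = result.lower()
    return results


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess(raw):
    """Return a list of reason codes; an empty list means nothing looked off."""
    msg = email.message_from_string(raw, policy=policy.default)
    _display, from_addr = parseaddr(str(msg.get("From", "")))
    _, envelope_addr = parseaddr(str(msg.get("Return-Path", "")))
    from_domain = domain_of(from_addr)
    envelope_domain = domain_of(envelope_addr)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    subject = str(msg.get("Subject", "")).lower()

    reasons = []
    # A message claiming to be internal should bounce to the same domain.
    if from_domain == INTERNAL_DOMAIN and envelope_domain and envelope_domain != from_domain:
        reasons.append("envelope-from-mismatch")
    # Explicit failures reported by the receiving MTA.
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) == "fail":
            reasons.append(f"{method}-fail")
    # Context that raises the severity: a listed officer plus an invoice lure.
    if reasons and from_addr.lower() in KNOWN_EXECUTIVES:
        reasons.append("executive-impersonation")
    if reasons and "invoice" in subject:
        reasons.append("invoice-lure")
    return reasons


if __name__ == "__main__":
    print("spoofed:", assess(RAW_SPOOFED))
    print("legit:  ", assess(RAW_LEGIT))
```

The envelope/From: comparison is the same alignment idea DMARC is built on; the script leans on the Authentication-Results header that a receiving MTA adds, so it reads verdicts rather than re-running SPF or DKIM itself. In practice the executive directory would be fed from the same public staff listing the article describes, since that is exactly the set of names a forged FROM: header is most likely to borrow.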
The most at-risk of all educational institutions are the state universities and colleges. These entities are directly linked with other government institutions, as they are considered government-owned and controlled corporations in their own right. It would not be surprising if a state university's or college's network were just a subnet of the entire government network infrastructure. This creates a worrying situation in which, with enough sophistication, complexity, and flexibility, cybercriminals' creations will be able to penetrate.
“In its recent report, the National Cyber Security Centre (NCSC) revealed that university-related phishing scams have significantly increased over the past year, while its list of top 10 phishing takedowns in 2018 included three universities and the Student Loans Company. With student data and records at risk, universities need to consider how best to protect their people from falling prey to these attacks as they become more frequent,” highlighted Tim Sadler, CEO of Tessian, a cybersecurity consulting firm.
One such example was Lancaster University's case, where a fake invoice was opened by one of its staff. The incident affected student records, including those of people who were still applicants for university places. Since the incident, the University has been trying to recover while identifying the actual cause of the data breach.
“This work of our incident team is ongoing, as is the investigation by law enforcement agencies. We are aware that fraudulent invoices are being sent to some undergraduate applicants. We have alerted applicants to be aware of any suspicious approaches. We are contacting those students to advise them what to do,” explained a Lancaster University spokesperson.