Protecting Educational Organizations in the Crosshairs of Cyberattacks

From phony financial aid offers to student loan relief scams – and phishing emails designed to steal student information – educational institutions and students face a barrage of cyberthreats every day.

Education Cybersecurity

Nearly all of the top 20 universities in the US are at risk of scammers impersonating their institutions’ domains in phishing emails. Higher education continues to lag in adopting Domain-based Message Authentication, Reporting and Conformance (DMARC), an email security protocol designed to protect against phishing and address spoofing. Less than two years ago, about 40% of the top 20 US universities didn’t use DMARC records. While the other universities surveyed had published a DMARC record, their DMARC policies hadn’t been set up to “quarantine” or “reject” emails from unauthorized senders using their domains.

Why should colleges and universities implement DMARC? Without those records in place, it’s easy for hackers to impersonate a university student, professor or administrator, fooling recipients into thinking the email originates from a legitimate email domain.

Industries have long been targets for cybercriminals, and these bad actors are increasingly focusing their crosshairs on the education sector, which tends to have fewer protections in place.

Why Cybercriminals Target Schools

K-12 schools, colleges and universities make tempting targets because each is a vast data repository. While educational institutions had started to increase their use of technology – computers, networks, cloud storage – before 2020, the pandemic sped up its adoption to ensure everyone had access to learning regardless of location.

Increased attacks – and the growing complexity behind those attacks – carry serious implications for:

  • Student, teacher, parent and administration communication.
  • School budgets and other financial data.
  • Network passwords and other sensitive, personal employee data.
  • Grades and other sensitive, private student data.
  • Enterprise and educational data.

It takes only a single parent, student, teacher or administrator to click on a phishing email to launch a cyberattack. And schools have increased their reliance on digital devices, providing students with laptops, tablets and Chromebooks to support the use of apps and online programs for instruction.

It isn’t just schools but education and technology companies themselves that have seen increased targeting. For example, hackers used a ransomware attack to target Finalsite, a private company providing web hosting and other communications services, in January 2022. This attack impacted about 3,000 K-12 schools in the US – and it’s just one of the hundreds of publicly disclosed cyberattacks levied against K-12 schools each year. To put it in perspective, the K12 Security Information Exchange has logged over 1,300 cybersecurity-related incidents since 2016.

The Solution? A Multipronged Approach.

While there’s no magic pill to eliminate risk, educational institutions can – and should – take steps to mitigate it and protect themselves.

First, school districts, colleges and universities should conduct a risk assessment to identify what data they have, its value and its attractiveness to cybercriminals. Next, these organizations should develop and implement an IT and communications strategy that includes responses to cyberattacks. It’s not enough to create the plan – they must practice responses, too, as they would drill for a fire or tornado.

Educational institutions should create backups, too, even if cyber hackers have begun finding ways to expose that data. And backups include more than making copies – organizations should develop a plan that identifies who manages the process, what data, specifically, is backed up, how often to back up data, whether to store on-premises or off-site, and whether to store via traditional methods or the cloud.

Cybersecurity professionals have warned for years against using the same password for multiple accounts or sites. One solution involves using multifactor authentication. While this strategy adds another step to the login process, it also adds another layer of protection, whether by texting a code to a user’s cellphone or sending an email to confirm someone’s identity.

Schools, universities, and colleges shouldn’t leave cybersecurity solely to their IT departments. The most sophisticated detection systems and firewalls aren’t 100% failsafe. Phishing emails will get through. The trick? Teaching staff to recognize and report suspicious emails to prevent data hacks.

Finally, by deploying authentication protocols like DMARC, these organizations increase their defense against email fraud. As the first – and only – widely deployed technology that ensures sent emails make use of the domain in the visible From: header, DMARC authentication detects and neutralizes email spoofing techniques used in phishing, keylogging and other email-based attacks.

When implemented at its strictest level, DMARC sends a clear signal that the domain owner only authorizes the use of its domain in the From field under specific circumstances. Mailbox providers who listen to that signal can then refuse to accept mail that contains unauthorized uses of that domain, thus protecting students, parents, staff, faculty, administration and others from cybercriminals intent on stealing personal information.
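The gap described earlier, between publishing a DMARC record and setting its policy to “quarantine” or “reject,” can be checked mechanically. The following is an added example, not code from the original article: it parses the TXT record a domain publishes at `_dmarc.<domain>` and reports its enforcement level. The sample records and `.example` domains are constructed, and treating an unparseable `pct` value as 100 is this example's simplification.

```python
ENFORCING = {"quarantine", "reject"}
VALID_POLICIES = ENFORCING | {"none"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if txt is not a DMARC record."""
    if txt is None:
        return None
    parts = [p.strip() for p in txt.split(";")]
    # A DMARC record must begin with the version tag v=DMARC1.
    if parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:  # skip empty or malformed fragments
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def classify(txt):
    """Map a TXT record (or None) to an enforcement level."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-record"
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid"
    if policy == "none":
        return "monitor-only"  # record published, but receivers are asked to do nothing
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100  # simplification: bad pct treated as 100
    # pct below 100 applies the policy to only a share of failing mail.
    return policy if pct >= 100 else "partial-" + policy

# Constructed sample data: domain -> TXT record found at _dmarc.<domain>
SAMPLES = {
    "a.example": None,                                           # nothing published
    "b.example": "v=DMARC1; p=none; rua=mailto:dmarc@b.example",
    "c.example": "v=DMARC1; p=quarantine; pct=25",
    "d.example": "v=DMARC1; p=reject; rua=mailto:dmarc@d.example",
    "e.example": "v=spf1 -all",                                  # SPF, not DMARC
}

def audit(records):
    return {domain: classify(txt) for domain, txt in records.items()}

def unenforced(records):
    """Domains that do not ask receivers to quarantine or reject all failing mail."""
    return sorted(d for d, level in audit(records).items() if level not in ENFORCING)

if __name__ == "__main__":
    for domain, level in audit(SAMPLES).items():
        print(f"{domain}: {level}")
```

Only `d.example` in the sample set is at the strictest level; the `p=none` and `pct=25` records show how a domain can have DMARC published and still leave most spoofed mail deliverable.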

Increased digital assets and capabilities will only continue to attract cybercriminals. While many organizations have taken steps to shore up their defenses, educational institutions must continue to prioritize cybersecurity and prepare themselves with all available tools to identify and mitigate cyberthreats.


Todd is the Technical Director of Standards and Ecosystem at Valimail. In his role, he works to help advance Valimail’s neutral standards and open-source work and to drive deeper engagements with the IETF, M3AAWG, and other industry groups in the email ecosystem.