Students at universities in the United States have been pegged as good targets for online criminals, the security company RSA notes in a recent report.
The first month of 2010 marked a new record in the total number of monthly phishing attacks for RSA’s Anti-Fraud Command Center, at 18,820, up from 8,497 in January 2009. The center now monitors more than 300 organizations in 140-plus countries. RSA, a division of the information firm EMC, says that it has noticed several attacks focused on servers at American universities so far this year, although no total is given, compared with a “minimal number” of total attacks in 2009.
“This sudden reversal may mark a new trend in phishing and online fraud—and a source for concern within the education sector,” the report’s authors write.
Scott L. Ksander, chief information security officer at Purdue University, said it’s important to note that RSA is a private company that deals with security concerns, but its findings have merit. The number of phishing attempts at Purdue has risen during the economic downturn, which Mr. Ksander expected because economic fraud can be a quick way to make money.
Mr. Ksander said one reason universities are generally a good target for phishers is because they are large and concentrated entities.
“Everybody who lives in Lafayette doesn’t have a Lafayette town e-mail address, but everybody at Purdue has a Purdue e-mail address,” he said, referring to West Lafayette, Ind., where Purdue’s main campus is located.
The report, issued last month, says that at colleges and universities, phishing attacks focus on stealing students’ log-in credentials. About 70 percent of the recent attacks were aimed at online portals of universities, while 30 percent of the attacks focused only on Web-mail services, according to the company.
The RSA report’s authors say compromised e-mail accounts could give phishers “another foothold in students’ personal computers, since compared with other unsolicited e-mail content, spam e-mails would gain credibility when coming from peers, especially if messages are sent from a university.”
Other targets include social-networking sites, where phishers send messages that look like they’re sent from other users in the network, and spam e-mail that looks like it came from the university’s internal network.
The report says universities facilitate phishers’ work because they don’t educate students on cybersecurity. Additionally, the report says, “while most universities do not employ sophisticated security measures that are commonly deployed by government, business, and financial institutions, their portals often do harbor sensitive information about each of their students.”
Mr. Ksander disagreed, saying that his university offers education, and students are keenly aware of online fraud.
“I think it is true that we’ve seen a targeting of higher-education communties. I don’t dispute that,” Mr. Ksander said. “But this notion that students aren’t tech-savvy and are easy pickings for the bad guys, we certainly don’t see that.”
