Higher Ed, Nonprofits at the Top of Cyberattackers’ Lists

Anyone who has met ACUI President Ian Crone, director of the student union at the University of Tennessee, also knows he is an outgoing guy with a positive persona. So when Susan Canady, the assistant director of event and guest services at the University of Maryland who chaired planning for this year’s ACUI Annual Conference, got an email out of the blue from Crone about an “ask” he wanted to make, Canady thought nothing of it.

That was until she took the time to check the email address Crone’s message had come from: executiveboard484@gmail.com. For Canady, that was an easy catch for a phishing scam, something employees in higher education are dealing with more often. Since 2021, researchers have consistently found that higher education is the number one target for cyberattacks, and 96% of those attacks come in the form of phishing—or the fraudulent practice of sending emails to glean private information.

In the above case involving two ACUI volunteers, Canady sent Crone an email to the work address she had historically used to communicate with him, and Crone immediately confirmed Canady’s suspicion. He then sent a new message sharing an alert with many of his contacts.
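The catch Canady made, a familiar display name arriving from an address that does not belong to that person, can be automated as a simple mail-filter rule. The following is an added example and not code from ACUI or from the article; the contact directory, the webmail list and the work address are constructed placeholders, while the Gmail address is the one quoted above.

```python
"""Flag messages whose display name matches a known contact but whose sender
address does not, the pattern described in the article.

Added example, not part of the original article. The contact directory and
the sample headers below are constructed; the work address is a placeholder.
"""
from email.utils import parseaddr

# Constructed directory of known contacts: display name -> expected address.
# The address is a placeholder, not anyone's real mailbox.
KNOWN_CONTACTS = {
    "ian crone": "ian.crone@university.example",
}

# Free webmail domains an institutional contact would not normally use for
# work correspondence. Constructed list for this example.
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def check_sender(from_header: str) -> dict:
    """Parse a From: header and compare it against the known-contact directory.

    Returns a dict with the parsed name/address and a verdict:
      "match"         - name and address agree with the directory
      "impersonation" - known name, but a different address (the article's case)
      "unknown"       - name not in the directory; nothing to compare against
    """
    name, addr = parseaddr(from_header)
    name_key = name.strip().lower()
    addr_lower = addr.lower()
    domain = addr_lower.rsplit("@", 1)[-1] if "@" in addr_lower else ""

    expected = KNOWN_CONTACTS.get(name_key)
    if expected is None:
        verdict = "unknown"
    elif addr_lower == expected.lower():
        verdict = "match"
    else:
        verdict = "impersonation"

    return {
        "name": name,
        "address": addr,
        "verdict": verdict,
        "expected": expected,
        # A known contact writing from free webmail is a second, independent signal.
        "webmail": domain in WEBMAIL_DOMAINS,
    }


if __name__ == "__main__":
    for header in [
        "Ian Crone <executiveboard484@gmail.com>",    # address quoted in the article
        "Ian Crone <ian.crone@university.example>",   # placeholder work address
        "Unknown Person <someone@example.org>",
    ]:
        print(header, "->", check_sender(header))
```

The verdict alone is enough to route a message to quarantine or to add a banner; the `webmail` flag is kept separate so an institution can tune how loudly it warns when a known colleague appears to write from a personal account.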

Higher education is a prime target for phishing scams not only because of the vast amount of private data it houses, from students’ personal information to research data, but also because of its operational habits. The industry has high turnover rates, so users come and go frequently. A great number of unregulated personal devices are in use at any time, and activity peaks sharply at certain times of year. Each of these attributes makes it harder to stay wary of phishing attacks.

Coupled with that, nonprofit associations are today coming under attack more often, according to InfoSecurity Magazine, which reported a 35.2% increase in email-based attacks to nonprofits in 2024.

One of the leading methods currently used in phishing attacks is the theft of credentials by directing users to a copycat of an institution’s or organization’s login page. When the user signs in on the copycat, it relays the user’s credentials and multi-factor authentication input to the legitimate page in real time, so the legitimate service issues a valid session cookie that the attacker captures. The user is then directed to the expected page, unaware that the login information has been compromised.
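Because the relayed login succeeds against the real service, the one thing the user can still check is where the page lives. The following is an added example, not code from the article or from any product it names, of a link check a mail gateway or browser extension could run before a sign-in page is ever shown: it treats only the institution’s published sign-in hosts over HTTPS as trusted and flags hosts that borrow the institution’s name in a subdomain label, a hyphenated variant or a punycode-encoded name. The trusted hosts and sample URLs are constructed, with `university.example` standing in for a real sign-in domain.

```python
"""Classify a login link before credentials are typed into it.

Added example, not part of the original article. The trusted hosts and the
sample URLs are constructed; "university.example" stands in for an
institution's real sign-in domain.
"""
from urllib.parse import urlparse

# Constructed: the institution's genuine, published sign-in hosts.
TRUSTED_LOGIN_HOSTS = {"login.university.example", "sso.university.example"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'a.b.university.example' -> 'university.example'.

    Adequate for this example; a deployment would consult the public suffix list
    so that names like 'ac.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_login_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'untrusted' for a link a user is about to follow.

    'lookalike' is the reverse-proxy pattern the article describes: a host that
    is not ours but carries our name so the relayed copy of our login page looks
    genuine. Anything else that is not a published sign-in host is 'untrusted'.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "untrusted"

    if host in TRUSTED_LOGIN_HOSTS:
        # A plaintext link to our own sign-in host is still not a place to log in.
        return "trusted" if parsed.scheme == "https" else "untrusted"

    our_domains = {registrable_domain(h) for h in TRUSTED_LOGIN_HOSTS}
    our_names = {d.split(".")[0] for d in our_domains}  # e.g. {"university"}

    if registrable_domain(host) in our_domains:
        # Our own domain, but not a host where sign-in is offered.
        return "untrusted"
    if host.startswith("xn--") or ".xn--" in host:
        # Punycode label: the rendered Unicode name may imitate ours; review it.
        return "lookalike"
    stripped = host.replace("-", "").replace(".", "")
    if any(name in stripped for name in our_names):
        return "lookalike"
    return "untrusted"


if __name__ == "__main__":
    for link in [
        "https://login.university.example/",                     # genuine
        "http://login.university.example/",                      # genuine host, no TLS
        "https://login.university.example.attacker.example/",    # our name as a subdomain
        "https://university-example-login.example.net/",         # hyphenated variant
        "https://xn--unversity-xyz.example/",                    # punycode label
        "https://example.org/",                                  # unrelated
    ]:
        print(link, "->", classify_login_link(link))
```

The point of the three-way verdict is that a plain allow-list produces only “trusted” and “everything else”; separating “lookalike” from “untrusted” gives the security team a queue of links that were built to resemble the institution, which is exactly the set worth reporting to a consortium such as REN-ISAC.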

REN-ISAC, or the Research and Education Networks Information Sharing and Analysis Center, a consortium operated by over 700 colleges and universities, announced it had seen a spike in August in this type of phishing “that bypasses multifactor authentication by relaying logins through reverse proxy pages, stealing session cookies, and granting attackers full access.” Cybersecurity company BforeAI CrimeLab said this method was used to attempt access to the U.S. Department of Education’s website last month.

Some of the best defenses begin with the implementation of password management services that enable users to store, generate, and manage online credentials. These usually work across all the applications a user relies on and synchronize across multiple devices.

Another tool is enrolling users in security awareness training courses. As campuses work to reduce the risk of security incidents, this awareness training is becoming a requirement for employment. Quite often, additional courses are required for employees working with sensitive data in areas such as health care, finance, and information technology.

The U.S. Cybersecurity and Infrastructure Security Agency notes that an effective incident response plan is integral to maintaining a robust cybersecurity presence in an organization. These plans usually include clearly defining who plays what role in a response, having “playbooks” on hand for specific scenarios, and conducting ongoing practices and trainings. A beginner’s guide is available as a CISA phishing infographic, and educational material offering guidance on how to avoid falling for phishing attacks is available in this CISA guide.

Author

  • Steve Chaplin

    Steve Chaplin is managing editor of ACUI’s The Bulletin and manager of the ACUI College Union and Student Activities (CUSA) Evaluation Program. A former newspaper writer, editor, and manager, he has volunteered as a student mentor as a member of the National Association of Science Writers, and received awards for his writing and reporting from the Council for the Advancement and Support of Education, the Kentucky Education Association, and the Kentucky Press Association.