Middle East Universities Lack Basic Email Security Capabilities, says Proofpoint

Proofpoint released new research indicating that a significant number of the top universities in the Middle East are lagging behind on basic cybersecurity measures, subjecting students, staff, and stakeholders to a higher risk of email fraud.

These findings are based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) adoption analysis of the top universities based in the Middle East. DMARC is a critical email authentication protocol that helps protect domain names from being misused by cybercriminals. With three levels of protection—monitor, quarantine, and reject—DMARC ensures that only verified senders can send emails using a university’s domain. The ‘reject’ policy is the most secure, preventing any fraudulent emails from reaching the inbox.

The analysis found that while more than half (55%) of the top universities have published a DMARC record, only 13% have implemented the strictest level of protection (‘reject’), meaning 87% of universities are leaving stakeholders vulnerable to email-based impersonation attacks.
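As an added illustration (not Proofpoint's code or methodology), the Python below shows how a published DMARC record maps to the three levels described above and how adoption percentages can be tallied. The domains and records are constructed samples, the function names are hypothetical, and "monitor" is assumed to correspond to the record's `p=none` policy tag.

```python
from collections import Counter

# Policy tag value -> level name used in the article ("monitor" is p=none).
LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if the record is invalid."""
    tags, first = {}, None
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        key, sep, value = part.partition("=")
        if not sep:
            return None
        key = key.strip().lower()
        if first is None:
            first = key
        tags.setdefault(key, value.strip())
    # v=DMARC1 must be the first tag; its value is case-sensitive (RFC 7489).
    if first != "v" or tags.get("v") != "DMARC1":
        return None
    # Simplification in this example: a missing or unknown p= is invalid.
    policy = tags.get("p", "").lower()
    if policy not in LEVELS:
        return None
    pct = tags.get("pct", "100")  # share of failing mail the policy applies to
    if not pct.isdecimal() or int(pct) > 100:
        return None
    tags.update(p=policy, pct=int(pct))
    return tags

def classify(txt):
    """Map a domain's _dmarc TXT value (None if absent) to a protection level."""
    if txt is None:
        return "no record"
    tags = parse_dmarc(txt)
    return LEVELS[tags["p"]] if tags else "invalid"

def summarize(records):
    """Percentage of domains at each level, as in an adoption analysis."""
    counts = Counter(classify(t) for t in records.values())
    return {lvl: round(100 * n / len(records)) for lvl, n in counts.items()}

SAMPLE = {  # constructed records for hypothetical domains
    "uni-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@uni-a.example",
    "uni-b.example": "v=DMARC1; p=quarantine; pct=50",
    "uni-c.example": "v=DMARC1; p=none",
    "uni-d.example": None,                  # no _dmarc TXT record published
    "uni-e.example": "p=reject; v=DMARC1",  # invalid: v= must come first
}
print(summarize(SAMPLE))
```

A record with `pct` below 100 applies its policy to only part of the failing mail, so the parsed `pct` value is worth checking alongside the level.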

“Our research shows that a majority of Arab universities are not taking full advantage of basic email security capabilities to safeguard their communities from email fraud,” said Emile Abou Saleh, Regional Director, Middle East, Turkey, and Africa at Proofpoint. “Cybercriminals often target educational institutions because they hold vast amounts of sensitive data. Universities must adopt stronger measures, such as DMARC, to better protect their students, staff, and partners.”

Key findings from the analysis include:

  • Although over half of the universities (55%) have a basic DMARC policy in place, this is only the initial step in protecting against email fraud. This means that 45% are not taking steps to protect their communities from email fraud.
  • Only 13% of the top universities have implemented DMARC at ‘reject’ level. Therefore, a staggering 87% remain at risk of allowing fraudulent emails to be delivered to their recipients.
  • There has been a slight decrease in the level of DMARC adoption among the top ranked universities in the Middle East year-on-year. In the list of top ranked universities in 2023, 61% of the top universities had published a DMARC policy, with 16% implementing this at ‘reject’ level.

“Organizations in all sectors should deploy authentication protocols, such as DMARC, to shore up their email fraud defences. Cybercriminals pay close attention to major trends and will drive targeted attacks using social engineering techniques such as impersonation, and universities are no exception to this. Students and staff must be vigilant in checking the validity of all emails, especially when levels of uncertainty and anticipation are higher at the beginning of a new term,” continues Abou Saleh.

Email continues to be the number one threat vector in the Middle East. Proofpoint’s 2024 State of the Phish Report revealed that while successful phishing attacks have slightly declined globally, in the UAE they are on the rise (92% of surveyed organizations in the UAE experienced at least one successful attack in 2023 versus 86% the previous year). In addition, in the UAE, 85% of organizations were targeted by BEC attacks in 2023 (up from 66% in 2022).

Proofpoint recommends students and other individuals follow the below top tips to remain safe online:

  1. Use strong passwords: Do not reuse the same password twice. Consider using a password manager to make your online experience seamless, whilst staying safe. Use multi-factor authentication for an added layer of security.
  2. Watch out for “lookalike” sites: Attackers create “lookalike” sites imitating familiar brands and institutions. These fraudulent sites may pose as a credible establishment, be infected with malware, or steal money or credentials.
  3. Dodge potential phishing and smishing attacks: Phishing emails lead to unsafe websites that gather personal data, like credentials and credit card data. Watch out for SMS phishing too (aka ‘smishing’) or messages through social media.
  4. Don’t click on links: If receiving correspondence from a university over email, Proofpoint recommends students go directly to the university’s website by typing in the known web address into their browser.