Common phishing tactics in the education sector
Attackers impersonate the institution’s IT department, asking users to reset their passwords or provide login credentials.
Fake notice emails that appear to come from school administrators, notifying recipients of urgent policy changes, grades, or schedule updates that require clicking on a malicious link.
Phishing emails promising scholarships, grants, or financial aid that require students to provide personal and financial information.
Targeted phishing emails aimed at faculty, posing as collaboration opportunities from reputable institutions or researchers in order to steal sensitive research data.
Attackers will send links to fake login pages that resemble those of the institution’s online portal, tricking users into entering their credentials.
Common types of phishing
Spear phishing
Spear phishing attacks are highly targeted, focusing on specific individuals or small groups. Attackers gather personal information about their targets to craft convincing messages that seem legitimate and tailored. This personalised approach makes spear phishing more difficult to detect and often more effective.
Vishing
Vishing, or “voice phishing,” is a type of phishing attack conducted over the phone. Instead of using emails with malicious links or attachments, vishers try to trick their victims into revealing sensitive information, such as credit card details or personally identifiable information (PII). They may also convince targets to install malware on their devices, all through persuasive phone conversations.
Smishing
Smishing is a form of phishing carried out via SMS text messages. These messages typically claim there’s an issue with the recipient’s account, prompting them to click on a link that leads to a phishing page. Once the victim is on the page, attackers can steal login credentials or other sensitive information.
Whaling
Whaling attacks are a specialised type of spear phishing aimed at high-level executives, such as CEOs or CFOs. Because these individuals have the authority to approve large financial transactions or access confidential information, they present a highly attractive target for cybercriminals.
Business Email Compromise (BEC)
Business Email Compromise, also known as CEO fraud, involves attackers impersonating a high-level executive and instructing employees to carry out specific actions, such as transferring funds to a fraudulent account. BEC attacks are often highly sophisticated and rely on the trust employees place in their company’s leadership.
AI Voice Scams
AI voice scams are on the rise as the use of AI becomes more prominent. Advanced technology is used to mimic a person’s voice, often impersonating a trusted individual like an executive. Scammers can create convincing audio clips or real-time conversations using just a small sample of someone’s voice, which they then use to deceive targets into sharing sensitive information or transferring money. These scams are becoming increasingly sophisticated, making it harder to detect the fraud and emphasising the need for caution when receiving unexpected calls or requests.
Teams invites
Threat actors are increasingly using fake Microsoft Teams invites as a method to launch phishing attacks. By mimicking legitimate Teams meeting invitations, they trick recipients into clicking malicious links or downloading harmful attachments, often disguised as meeting details or files. Since many businesses rely on Teams for communication, these fraudulent invites can appear convincing and bypass typical security filters. Once the user interacts with the malicious content, threat actors can gain access to sensitive data, steal credentials, or install malware, posing a serious risk to organisations.
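As an added example (not part of the original article), the Python below turns two of the tactics above into a defensive mail-triage check: display-name impersonation of the IT department or a senior executive from outside the institution's domain (the IT-impersonation and BEC tactics), and lookalike link hosts of the kind used for fake portal login pages and fake Teams invites. The institution domain, the protected display names and the sample message are all constructed assumptions, not values from any real institution.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical institution domain and the display names most often impersonated.
INSTITUTION_DOMAIN = "example-university.edu"
PROTECTED_NAMES = {"it service desk", "jane doe"}
# Fold characters that look alike in most fonts: 0 -> o and 1 / l / I -> i.
HOMOGLYPHS = str.maketrans("01lI", "oiii")

def normalise(domain):
    return domain.lower().translate(HOMOGLYPHS)

def is_institution(host):
    """True for the real domain or one of its own subdomains."""
    host = host.lower()
    return host == INSTITUTION_DOMAIN or host.endswith("." + INSTITUTION_DOMAIN)

def lookalike(host):
    """Not ours, but collapses to our domain after homoglyph folding, or embeds
    our domain as a label inside an unrelated registrable domain."""
    host = host.lower()
    if is_institution(host):
        return False
    return normalise(host).endswith(normalise(INSTITUTION_DOMAIN)) or INSTITUTION_DOMAIN in host

def triage(raw_message):
    """Findings for one single-part, plain-text message (assumed format)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    # Display-name impersonation: a protected name arriving from outside our domain.
    if name.strip().lower() in PROTECTED_NAMES and not is_institution(sender_domain):
        findings.append(f"display-name impersonation: '{name}' sent from {sender_domain}")
    # Lookalike hosts in body links (fake portal logins, fake Teams invites).
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        host = urlparse(url).hostname or ""
        if lookalike(host):
            findings.append(f"lookalike link host: {host}")
    return findings

# Constructed sample message (not real mail): homoglyph '1' for 'l' in the domain.
SAMPLE_PORTAL = """From: IT Service Desk <helpdesk@examp1e-university.edu>
Subject: Password expiring

Reset here: https://portal.examp1e-university.edu/reset
"""
```

Calling `triage(SAMPLE_PORTAL)` returns two findings, one for the spoofed IT display name and one for the lookalike portal host; the same message with the genuine domain returns none.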