
Google Reports Uptick in Higher Education Phishing Attacks

The attacks, which started to increase around August 2024, have used an array of tactics to trick students, faculty and staff

Researchers are warning of a “notable increase” in phishing attacks that are targeting U.S.-based universities and higher education institutions.

The attacks, which started to increase around August 2024, use an array of tactics to trick students, faculty and staff. They have targeted victims’ login credentials (including logins for school portals), financial information and more.

“Both campaigns exhibited tactics to obfuscate malicious activity while increasing their perceived legitimacy, ultimately to perform payment redirection attacks,” said researchers with Google in a Monday post.

Key Details:

  • In one campaign that targeted at least 15 universities, attackers sent students malicious Google Forms via email, which mimicked legitimate university communications and requested sensitive information like login credentials and financial details. The stolen login credentials were then used by threat actors to host similar campaigns targeting future victims.

  • In other campaigns, threat actors cloned university websites in order to mimic the legitimate login portal. As part of this attack, the threat actors scraped university login pages and re-hosted them on attacker-controlled infrastructure, using a series of redirects to further trick targets, said researchers.

  • Attackers used another technique to target staff and students: a method called two-step phishing. Threat actors would first send phishing emails to victims (with purported information about raises or bonuses), which were designed to steal their login credentials. Then, they would use the stolen login credentials to hijack victims’ accounts and email further phishing forms to students, which were designed to look like job applications.
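
One defender-side check for the cloned-portal pattern in the second bullet, added here as an example (it is not code from Google's report or from Vulnerable U): it takes the redirect chain recorded when a link from a message was followed, looks at the final host, and flags a page that sits off the institution's domain yet reuses the real portal's title and asks for a password. The trusted domain, the redirect chain and the HTML below are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed legitimate institutional domain (placeholder, not from the report).
TRUSTED_SUFFIXES = ("example-university.edu",)


class LoginPageProbe(HTMLParser):
    """Collects the <title> text and whether a password field is present."""
    def __init__(self):
        super().__init__()
        self.title, self.has_password_field, self._in_title = "", False, False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.has_password_field = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()


def is_trusted_host(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def classify_chain(chain, final_html, portal_title):
    """chain: URLs visited in order when the link was followed (last = landing page).
    'trusted' if the final hop is on the institution's domain; 'clone' if it is
    off-domain, reuses the real portal's title and asks for a password;
    'unknown' otherwise (still worth a look, but not the re-hosted-portal pattern)."""
    if is_trusted_host(chain[-1]):
        return "trusted"
    probe = LoginPageProbe()
    probe.feed(final_html)
    if probe.has_password_field and probe.title.lower() == portal_title.lower():
        return "clone"
    return "unknown"


# Constructed sample: a redirector hop, then a look-alike host off the .edu domain.
SAMPLE_CHAIN = ["https://redirect.example.net/r/ab12",
                "https://sso.example-universlty.com/login"]
SAMPLE_HTML = ("<html><head><title>University SSO Login</title></head><body><form>"
               "<input type='text' name='user'><input type='password' name='pass'></form></body></html>")
```

Feeding `SAMPLE_CHAIN` and `SAMPLE_HTML` to `classify_chain` with the real portal title returns `"clone"`; the same chain ending on the institution's own domain returns `"trusted"`.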

The Background: There are several key social engineering elements tied up in these campaigns. The attacks were timed to coincide with specific dates in the academic calendar, including the beginning of the year or around financial aid deadlines. During these times, students and staff are already dealing with a barrage of administrative tasks, emails and more, creating a lucrative opportunity for attackers to slip in with phishing messages.

Example of a Google Form phishing attempt. Credit: Google

Attackers also clearly did their research in how they designed and recreated legitimate university forms and websites, using branding and logos to try to trick students and staff to hand over their sensitive data. At the same time, threat actors used various social engineering tricks to pressure victims to take action, with lures including themes like financial aid disbursement, refund verification, account deactivation and requests for urgent responses to campus medical inquiries.

Example of phishing form targeting students. Credit: Google

Why It Matters: Universities sit on a wealth of data, ranging from information affiliated with academic research programs to personal data from students, professors and staff. This has made these institutions popular targets for ransomware, business email compromise and phishing, as we’ve seen over the past few years (in one attack, hackers even hijacked a Virginia university’s emergency alerts system to issue their ransom threats to students and faculty).