Are Educational Institutions at risk from a phishing attack?

Absolutely they are!

The Cyber Breaches 2022 Survey Education Annex has some brilliant insights into what educational institutions are currently facing in terms of cybercrime. As in previous years, phishing is the most commonly detected cyber attack, and it’s easy to see why.


You don’t need any technical knowledge to send an email. As humans we are easy to trick when faced with skilled manipulators, and in today’s hectic workplace many of us work through our emails as quickly as possible without stopping to consider the overall picture.

Bar chart: among organisations that reported suffering a cyber attack, 83% of businesses, 88% of primary schools, 87% of secondary schools, 93% of further education colleges and 97% of higher education institutions identified phishing attacks.

When an average of 90.25% of institutions have detected a phishing attack, institutions need to make sure they are doing all they can to prevent this constant barrage of attacks from causing significant damage.


As one of the respondents said:

"The biggest challenge is getting people to understand the 'even with multi-layered defences... a single person can still bring down the whole system'." (Higher education institution)


And it’s not just emails that phishing attacks can come through: they can arrive via any form of communication, including texts (smishing), voice calls (vishing) or now even QR codes (quishing).


But despite phishing being acknowledged as the biggest attack vector, not enough schools are training their staff to be aware of the risk and how to deal with it.

Bar chart: 19% of businesses, 37% of primary schools, 48% of secondary schools, 71% of further education colleges and 65% of higher education institutions have tested their staff awareness and response (e.g. mock phishing).

Tips for defending against phishing

The National Cyber Security Centre suggests these four layers to defend against attacks:


1. Make it difficult for attackers to reach your users

  • Employ anti-spoofing controls so that attackers can’t pretend to be you: DMARC, SPF and DKIM. As an educational institution you can sign up to the NCSC’s free Mail Check service, which will let you know whether your anti-spoofing controls are all in order.

  • Understand what information about your institution is published that could be used to create spear phishing emails – those targeted at a particular person or department with personalised content. You might want to have a look at what a corporate internet investigation would highlight.

  • Filter or block incoming phishing emails using your email provider or specific service


2. Help users identify and report suspected phishing emails

  • Ensure your staff know the warning signs of a phish but understand that they can be very difficult to spot

  • Ensure staff know what to do if they receive a phishing attack, and what to do if they are tricked by one.


3. Protect your organisation from the effects of undetected phishing emails

  • Consider which devices need what defence. It might be disabling macros or the autorun feature, or blocking specific file extensions known to be used by particular malware.

  • Use a proxy service to block any attempt to reach websites which have been identified as hosting malware or phishing campaigns

  • Set up 2FA/MFA wherever possible

  • Use a password manager or a single sign-on method. Because of the autofill feature, users get used to not having to type in their password, and may be more likely to question it when they are asked to.


4. Respond quickly to incidents

  • Use a security logging system to pick up on those incidents that your users are not aware of.

  • Have an incident plan ready and test it. The ECRC has a free template you can download and use for your organisation if you haven’t got a plan yet, and you can test your plan with the NCSC’s Exercise in a Box.
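As an added example (not ECRC or NCSC code), the following Python linter flags the weak SPF and DMARC settings that a Mail Check-style review of layer 1’s anti-spoofing controls would report. The domain names and records are constructed, and the records are passed in as strings rather than fetched from DNS.

```python
import re
# Added example, not ECRC or NCSC code: a linter for the SPF and DMARC TXT records that
# layer 1's anti-spoofing controls depend on. Records are passed in as strings so it runs
# offline; fetch live ones with `dig TXT school.invalid` and `dig TXT _dmarc.school.invalid`.
# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_RE = re.compile(r"^[+\-~?]?(?:include:|exists:|redirect=|ptr\b|a\b|mx\b)", re.I)
ALL_RE = re.compile(r"^([+\-~?]?)all$", re.I)

def check_spf(record: str) -> list:
    """Return the weaknesses found in one SPF record (an empty list means it looks sound)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: first term must be v=spf1"]
    findings = []
    lookups = sum(1 for t in terms[1:] if LOOKUP_RE.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: over the limit of 10, receivers return permerror")
    # Evaluation stops at the first 'all' term, so only that one's qualifier matters.
    first_all = next((m for m in map(ALL_RE.match, terms[1:]) if m), None)
    if first_all is None and not any(t.lower().startswith("redirect=") for t in terms[1:]):
        findings.append("no 'all' term: unlisted senders get neutral rather than fail")
    elif first_all is not None:
        qualifier = first_all.group(1) or "+"
        if qualifier == "+":
            findings.append("+all: every host on the internet passes SPF for this domain")
        elif qualifier == "?":
            findings.append("?all: unlisted senders are neutral, which is as good as no SPF")
    return findings

def check_dmarc(record: str) -> list:
    """Return the weaknesses found in one DMARC record (an empty list means it looks sound)."""
    parts = (p.partition("=") for p in record.split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in parts if k.strip()}
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: must start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag: receivers ignore the whole record")
    elif policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    if not tags.get("rua", "").lower().startswith("mailto:"):
        findings.append("no rua= address: you get no aggregate reports on who is spoofing you")
    return findings

# Constructed sample records for a fictional school domain, not real DNS data.
WEAK_SPF = "v=spf1 include:_spf.mailer-one.invalid include:_spf.mailer-two.invalid a mx ?all"
STRONG_SPF = "v=spf1 include:_spf.mailer-one.invalid -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@school.invalid"
```

The same checks generalise to any domain you send from, including subdomains used by third-party mailers, which is where spoofable gaps usually hide.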


Reporting phishing

You want your staff to report a phishing attack as soon as they realise they have fallen victim, rather than waiting until a forensic investigation identifies it.


The National Cyber Security Centre (NCSC) has created an enterprise Outlook add-in so that staff can report email phishing directly from their mailbox. The NCSC will then actively seek to disrupt the criminals sending these messages, protecting you from them as well as the wider community.

And you can report more than emails.


Further guidance & support

The Eastern Cyber Resilience Centre provides both individual and corporate internet discovery so you can see what information could be used to craft that phishing attack. We also provide Staff Awareness Training, but did you know your local police Protect officer might be able to do this too? We train and mentor local university students, so when we say affordable, it really is. Find out more here.


The Eastern Cyber Resilience Centre is a not-for-profit membership organisation, run by policing, with the intention of increasing the cyber resilience of SMEs within the East of England.


You can contact the Cyber Resilience Centre for guidance and support through our e-mail enquiries@ecrcentre.co.uk or use our online booking system to make an appointment with one of our team.


We also provide free guidance on our website and we would always encourage you to sign up for our free core membership. Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.


Policing led – business focussed.

