Proofpoint: More than 80% of Australia's Higher Education Institutions at Risk of Email Fraud


Sydney, Australia – 21 February 2024 – Proofpoint, Inc., a leading cybersecurity and compliance company, today released new research showing that more than four in five (82%) of Australia’s higher education institutions are lagging behind on basic cybersecurity measures, leaving more than 1.5 million[1] students and staff at an increased risk of email-based impersonation attacks.

These findings are based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of 132 of Australia’s public universities, private universities, and non-university higher education institutions. DMARC is an email validation protocol designed to protect domain names from being misused by cyber criminals. It authenticates the sender's identity before allowing a message to reach its intended destination. DMARC has three levels of protection[2] – monitor, quarantine and reject, with reject being the most secure for preventing suspicious emails from reaching the inbox.

Proofpoint’s research reveals that 82% of Australia’s higher education institutions have not implemented the recommended and strictest level of DMARC protection (reject), leaving them open to email fraud and domain spoofing attacks. Worryingly, almost one quarter (24%) of these institutions have not implemented a DMARC record at all. By failing to take appropriate measures to proactively block attackers from spoofing their email domains, these institutions are leaving students, staff, and stakeholders wide open to cyber threats and email-based impersonation attacks.

Proofpoint’s analysis emerges as the Australian Competition and Consumer Commission (ACCC) revealed that Australians lost almost $80 million ($79,937,976) to email-based attacks in 2023. Email was the second highest delivery method for scams behind text messages, with 85,941 email-based scams reported throughout the year. This is an increase of more than 65% compared to 2022, which saw a total of 52,159 reports. Last year, Proofpoint’s 2023 State of the Phish report revealed that 94% of Australian organisations experienced at least one successful email-based phishing attack in 2022, with almost half (48%) reporting direct financial losses.

“No matter their size, popularity, or financial standing, universities and higher education institutions remain an attractive target for cyber criminals due to the large and diverse amount of data they store,” says Steve Moros, Senior Director, Advanced Technology Group, Asia Pacific and Japan, Proofpoint. “They also hold some of the most valuable data in the country, which can be attractive to cyber criminals for a range of reasons. From sensitive information such as addresses, contact details, and credit card information to employee information such as tax file numbers and government data, cyber criminals will stop at nothing to obtain the range of data held inside these systems.”

“Email continues to be the vector of choice for cyber criminals and Australian higher education institutions remain a key target. It’s incredibly concerning to see that only 18% of these institutions are fully protected from cyber threats, especially following some of the biggest years for data breaches in the nation’s history. Implementing email authentication protocols such as DMARC provides a crucial line of defence to strengthen protection against email scams and ensure the safety of students, staff, and other employees and stakeholders from harmful cyber threats,” concludes Moros. 

The full findings of Proofpoint's DMARC analysis of Australia’s higher education institutions show:

  • 82% of schools currently do not enforce the recommended strictest level of DMARC (reject), while 24% of schools do not have any DMARC record at all, leaving them wide open to email fraud and domain spoofing attacks.
  • 76% of schools have some form of DMARC adoption in place, though these policy levels differ as follows:
      • 18% have DMARC – Reject in place, the strictest recommended level which blocks unqualified emails from getting to the recipient.
      • 16% have DMARC – Quarantine, which directs unqualified emails to go to the recipient's junk or spam folder.
      • 42% have DMARC – Monitor, which does not change how inboxes receive emails but allows senders to collect information about their email sources.
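
How a per-domain tally like the one above can be computed from published DMARC records, as an added example (not Proofpoint's code or data). The domains and TXT values are constructed, and "monitor" is mapped to the DMARC policy tag `p=none`.

```python
from collections import Counter

# Constructed sample: domain -> TXT value published at _dmarc.<domain> (None = nothing published).
SAMPLE_RECORDS = {
    "uni-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@uni-a.example",
    "uni-b.example": "v=DMARC1; p=quarantine; pct=100",
    "uni-c.example": "v=DMARC1; p=none; rua=mailto:reports@uni-c.example",
    "uni-d.example": "v=spf1 include:_spf.example -all",  # SPF text, not a DMARC record
    "uni-e.example": None,
    "uni-f.example": "v=DMARC1 ;  p = reject",  # valid, with extra whitespace
}

# DMARC p= values mapped to the level names used in the findings above.
LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}
ORDER = ("reject", "quarantine", "monitor", "no record")

def parse_tags(txt):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt):
    """Return reject / quarantine / monitor, or 'no record' when no usable policy exists."""
    if not txt:
        return "no record"
    # A DMARC record must start with the version tag v=DMARC1.
    if txt.split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        return "no record"
    # Simplification for this example: a missing or unknown p= counts as no record.
    return LEVELS.get(parse_tags(txt).get("p", "").lower(), "no record")

def summarise(records):
    """Percentage of domains at each level, rounded to whole numbers."""
    counts = Counter(classify(txt) for txt in records.values())
    return {level: round(100 * counts[level] / len(records)) for level in ORDER}

if __name__ == "__main__":
    for level, pct in summarise(SAMPLE_RECORDS).items():
        print(f"{level:>10}: {pct}%")
```

The share of domains below reject, the headline figure in this kind of analysis, is the complement of the `reject` percentage.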

Below are some best practices Proofpoint recommends:

  • Check the validity of all email communication and be aware of potentially fraudulent emails impersonating education bodies.
  • Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn’t clicked.
  • Follow best practices when it comes to password hygiene, including using strong passwords, changing them frequently and never re-using them across multiple accounts.

In the current landscape, Apple, Google and Yahoo! have announced recent initiatives that require email authentication to be able to send messages from their platforms. This move signifies that important steps are being taken to prevent spam and scams. These security requirements will apply especially to accounts that send large volumes of emails per day, which will have to have the DMARC authentication protocol deployed, amongst other measures. Failure to comply will significantly impact the deliverability of legitimate messages to customers with Gmail and Yahoo! accounts.

This analysis was conducted in February 2024 using data from the Australian Department of Education[3].


About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organisations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organisations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at



Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.


[1] Universities Australia

[2] Monitor (allows unqualified emails to go to the recipient's inbox or other folders), Quarantine (directs unqualified emails to go to the junk or spam folder) and Reject, the highest level of protection (blocks unqualified emails from getting to the recipient).

[3] Australian Department of Education