85% of UK’s top 20 Universities putting staff, students and suppliers at risk of email fraud


London (UK), 23 September 2021 - Proofpoint, Inc. a leading cyber security and compliance company, today released research identifying that only 15 percent of the UK’s top 20 universities have implemented the recommended and strictest level of DMARC (Domain-based Message Authentication, Reporting & Conformance) protection, which prevents cybercriminals from spoofing their identity and reduces the risk of email fraud. Worryingly, this leaves students, staff and suppliers open to email fraud from 85 percent of the UK’s top universities.

With a record number of new students set to attend university this autumn, combined with hybrid approaches to online learning and COVID restrictions on international travel, this time of high stress and unfamiliar surroundings provides a prime opportunity for cybercriminals to capitalise on the increase in email communication to trick students with phishing emails.

“Our research has shown that many UK universities are still exposing people to cybercriminals on the hunt for personal and financial data by not implementing simple, yet effective email authentication best practices,” says Adenike Cosgrove, cybersecurity strategist, international for Proofpoint. “Email continues to be the vector of choice for cybercriminals and the education sector remains a key target.”

Cybercriminals regularly use the method of domain spoofing to pose as well-known organisations and companies by sending an email from a supposedly legitimate sender address. These emails are designed to trick people into clicking on links or sharing personal details which can then be used to steal money or identities.

It can be almost impossible for an ordinary Internet user to identify a fake sender from a real one. By implementing the strictest level of DMARC – “Reject” – universities can actively block fraudulent emails from reaching their intended targets, protecting their students, staff, and partners from cybercriminals looking to impersonate their brand.

Proofpoint conducted a similar study in July 2019 ahead of A-level results day, and although some progress has been made, few universities are yet to implement the recommended level of protection.

Key findings from the research include:

  • Encouragingly, more than two-thirds of universities analysed have taken initial steps to protect their customers from email fraud, with 70% publishing a DMARC record. This is a 100% increase since 2019 and shows that many top universities have started their DMARC journey, however much more needs to be done to actively protect email users from attacks impersonating these universities.


  • Only 15 percent have implemented the recommended and strictest level of DMARC protection (reject), which actually blocks fraudulent emails from reaching their intended targets, meaning 85 percent are leaving students open to email fraud.


  • Of the 20 universities analysed, 6 had no DMARC record, meaning they have not taken any steps towards implementing this simple yet powerful form of authentication.

Organisations in all sectors should deploy authentication protocols, such as DMARC, to shore up their email fraud defences. Cybercriminals pay close attention to major trends and will drive targeted attacks using social engineering techniques such as impersonation, and universities are no exception to this. As the university term begins, students and staff must be vigilant in checking the validity of all emails, especially when levels of uncertainty and anticipation are higher at the beginning of a new term”, concludes Cosgrove.

Proofpoint recommends students and other individuals follow the below top tips to remain safe online:

  1. Use strong passwords:  Do not reuse the same password twice. Consider using a password manager to make your online experience seamless, whilst staying safe. Use multi-factor authentication for an added layer of security.
  2. Watch out for “lookalike” sites: Attackers create “lookalike” sites imitating familiar brands and institutions. These fraudulent sites may pose as a credible establishment, be infected with malware, or steal money or credentials.
  3. Dodge potential phishing and smishing attacks: Phishing emails lead to unsafe websites that gather personal data, like credentials and credit card data. Watch out for SMS phishing too —aka ‘smishing’ — or messages through social media.
  4. Don’t click on links: If receiving correspondence from a university over email, Proofpoint recommends students go directly to the university’s website by typing in the known web address into their browser.


About DMARC:

For many organisations, the road to easing email fraud risk is paved with DMARC (Domain-based Message Authentication, Reporting and Conformance), an email protocol being adopted globally as the passport control of the email security world. It verifies that the purported domain of the sender has not been impersonated. DMARC verification relies on the established DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) standards to ensure the email is not spoofing the domain. This authentication protects employees, customers, and partners from cybercriminals looking to impersonate a trusted domain.

To find out more about DMARC, visit https://www.proofpoint.com/uk/products/email-fraud-defence


To assess the level of DMARC adoption among the top 20 universities in the UK, Proofpoint conducted an analysis of the primary corporate domains of the top 20 universities as compiled by The Complete University Guide on https://www.thecompleteuniversityguide.co.uk/league-tables/rankings. All analyses were carried out in September 2021.


About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity company that protects organisations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyberattacks. Leading organisations of all sizes, including more than half of the Fortune 1000, rely on Proofpoint’s people-centric security and compliance solutions to mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.

Connect with Proofpoint: Twitter LinkedIn | Facebook YouTube

Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.