Proofpoint: 97% of top universities in UK, US and Australia putting students, staff, and stakeholders at risk of being impersonated by cybercriminals

Professional Managing Digital Risk and Compliance

Research finds that none of the UK’s top 10 universities actively block fraudulent emails from reaching recipients

Proofpoint, Inc., a leading cybersecurity and compliance company, today released new research identifying that 97% of the top universities in the United Kingdom, the United States and Australia are lagging on basic cybersecurity measures, subjecting students, staff and stakeholders to higher risk of email-based impersonation attacks.

Proofpoint’s research found that 97% of the top ten universities [1] across each country are not taking appropriate measures to proactively block attackers from spoofing their email domains, increasing the risk of email fraud. This figure rose to 100% amongst the top 10 UK universities, with none actively blocking fraudulent emails from reaching recipients.

These findings are based on Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of the top ten universities in each country. DMARC [2] is an email validation protocol designed to protect domain names from being misused by cybercriminals. It authenticates the sender's identity before allowing a message to reach its intended destination. DMARC has three levels of protection – monitor, quarantine and reject,[3] with reject being the most secure for preventing suspicious emails from reaching the inbox.  

With a record 320,000 UK sixth-formers applying for higher education places this summer, students will be eagerly awaiting email correspondence regarding their applications when A Level results are announced on the 18th of August. The uncertainty and unfamiliarity with the process, as well as the increase in email communication provides a perfect storm for cybercriminals to trick students with fraudulent phishing emails.

“Higher education institutions are highly attractive targets for cybercriminals as they hold masses of sensitive personal and financial data. The COVID-19 pandemic caused a rapid shift to remote learning which led to heightened cybersecurity challenges for education institutions opening them up to significant risks from malicious email-based cyber-attacks, such as phishing,” says Adenike Cosgrove, Cybersecurity Strategist at Proofpoint. “Email remains the most common vector for security compromises across all industries. In recent years, the frequency, sophistication, and cost of cyber attacks against universities have increased. It is the combination of these factors that make it especially concerning that none of UK top ten universities is fully DMARC compliant.”

Key findings from the research include:

  • None of the UK’s top 10 universities have implemented the recommended and strictest level of protection (reject), which actively blocks fraudulent emails from reaching their intended targets, meaning all are leaving students open to email fraud.
  • Whilst 80% have taken the initial steps by publishing a DMARC record, the majority (75%) only have a monitoring policy in place for spoofed emails. This policy freely allows potentially malicious spoofed emails into the recipient’s inbox.
  • 2 out of the 10 top UK universities (20%) do not publish any level of DMARC record.

The World Economic Forum reports that 95% of cybersecurity issues are traced to human error, yet according to Proofpoint’s recent Voice of the CISO report, Chief Information Security Officers (CISOs) in the education sector underestimate these threats, with only 47% believing users to be their organisation's most significant risk. Concerningly, education sector CISOs also felt the least backed by their organisation, compared to all other industries.

With the shift to remote (and more recently, hybrid) learning, Proofpoint experts anticipate that the threat to universities will continue to increase. The lack of protection against email fraud is commonplace across the education sector, exposing countless parties to impostor emails, also referred to as business email compromise (BEC).

BECs are a form of social engineering designed to trick victims into thinking they have received a legitimate email from an organisation or institution. Cybercriminals use this technique to extract personal information from students and staff by using luring techniques and disguising emails as messages from the university IT department, administration, or a campus group, often directing users to fake landing pages to harvest credentials.

“Email authentication protocols like DMARC are the best way to shore up email fraud defences and protect students, staff, and alumni from malicious attacks. As holders of vast amounts of sensitive and critical data, we advise universities across the UK to ensure that they have the strictest level of DMARC protocol in place to protect those within their networks.

“"People are a critical line of defence against email fraud but their actions remain one of the biggest vulnerabilities for organisations. DMARC remains the only technology capable of not only defending against but eliminating domain spoofing or the risk of being impersonated. When fully compliant with DMARC, a malicious email can't reach your inbox, removing the risk of human interference,” concluded Cosgrove.

Best practice for students, staff and other stakeholders:

  • Check the validity of all email communication and be aware of potentially fraudulent emails impersonating education bodies.
  • Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn’t clicked. 
  • Follow best practices when it comes to password hygiene, including using strong passwords, changing them frequently and never re-using them across multiple accounts.

This analysis was conducted in May 2022 using data from QS Top Universities.

About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including 75 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at

Connect with Proofpoint: Twitter | LinkedIn | Facebook | YouTube

Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.


[2] What is DMARC?

[3] Monitor (allows unqualified emails to go to the recipient's inbox or other folders), Quarantine (directs unqualified emails to go to the junk or spam folder) and Reject, the highest level of protection, (blocks unqualified emails from getting to the recipient).