Proofpoint research: Leading UK educational institutions lack basic cybersecurity measures - putting students, staff and partners at risk of email fraud

Princeton University

Research finds that 96% of the UK’s state secondary schools are not proactively blocking fraudulent emails from reaching students

London, UK – 1 September 2023Proofpoint, Inc., a leading cybersecurity and compliance company, today released new research identifying that 96% of the top 50 state secondary schools, 92% of the top 50 sixth-form colleges and 80% of the top 50 universities in the UK are lagging behind on basic cybersecurity measures, subjecting students, staff and partners to a higher risk of email-based impersonation attacks. 

The findings are based on Domain-based Message Authentication, Reporting and Conformance (DMARC) adoption analysis of the top state secondary schools, sixth-form colleges, and universities in the country. DMARC is an email validation protocol designed to protect domain names from being misused by cybercriminals. It authenticates the sender's identity before allowing a message to reach its intended destination. DMARC has three levels of protection – monitor, quarantine and reject, with reject being the most secure for preventing suspicious emails from reaching the inbox.  

The UK education sector is a prime target for cybercriminals. The National Cyber Security Centre (NCSC) and the National Grid for Learning (LGfL) audit identified that over three-quarters (78%) of UK schools experienced at least one type of cyber-incident in 2022. Worryingly, Proofpoint’s data reveals that 70% of UK schools are currently taking no steps to protect themselves from domain impersonation by having no published DMARC record. This means the UK’s top state secondary schools are falling behind in their levels of cybersecurity hygiene, compared with 84% of the top UK universities and 78% of the top sixth-form colleges who have started their DMARC journey.

“The reason educational institutions remain a highly attractive target for cybercriminals is they hold large amounts of sensitive, personal, and financial data. They also have a wide mix of users and use-cases; and they provide vital facilities, so cancelling exams, writing off grades, and cutting off services is not an option.” said Matt Cooke, Cybersecurity Strategist, Proofpoint. “Email is how the majority of threats arrive at any organisation, so tightening email security should be a top priority.  All users should be educated on the techniques the attackers use to trick, coerce and encourage them to engage with their malicious content.”

Key findings from the research include:

Top 50 state secondary schools in the UK:

  • 96% of the UK’s state secondary schools haven’t implemented the recommended and strictest level of DMARC protection (reject), which actively blocks fraudulent emails from reaching their intended targets, meaning that 48 schools out of 50 are leaving pupils, staff and partners open to email fraud. 
  • Despite this, 30% of the top UK secondary schools have started their journey having published a DMARC record.  This however leaves 70% with no protection against domain impersonation and a heightened risk of email fraud for individuals.

Top 50 sixth-form colleges in the UK:

  • 92% of the UK’s top 50 sixth-form colleges haven’t implemented DMARC at the recommended level (reject), meaning that 46 colleges out of 50 are leaving students open to email fraud.
  • 78% of the UK’s top sixth-form colleges have taken the initial steps by publishing a DMARC record, leaving 22% with no protection against domain impersonation and a heightened risk of email fraud for individuals.

Top 50 universities in the UK:

  • 80% of the UK’s top 50 universities have not implemented the highest level of DMARC protection, meaning that 40 universities out of the top 50 are leaving students open to email fraud.
  • Whilst 84% of the top universities have taken the initial steps by publishing a DMARC record, this still means 16% are taking no steps to protect themselves from domain impersonation and therefore are leaving students, staff, and partners at a heightened risk of email fraud.

The deficiency in protective measures against email fraud remains widespread within the education sector, exposing users to impostor emails, known as business email compromise attacks (BEC). BEC attacks are a form of social manipulation designed to deceive victims into thinking they have received a legitimate email from a trusted contact. In the UK, 86% of organisations reported an attempted BEC attack last year. 

“The challenge is that educational institutions are not known for their sizeable IT budgets or having a multitude of skilled cybersecurity professionals at their disposal, resulting in highly prized information with lower levels of protection – this makes a great target for anyone with malicious intent.”

“As people remain a critical line of defence against email fraud, educational institutions need to ensure that staff, students and parents are aware of basic security hygiene. Email authentication protocols like DMARC remain the best way to shore up email fraud defences, eliminating domain spoofing or the risk of being impersonated. As holders of vast amounts of sensitive and critical data, we advise educational bodies across the UK to ensure that they have the strictest level of DMARC protection in place to protect those within their networks”, added Cooke.

Best practice for students, staff, and other stakeholders:

  • Check the validity of all email communication and be aware of potentially fraudulent emails impersonating education bodies.
  • Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn’t clicked. 
  • Follow best practices when it comes to password hygiene, including using strong passwords, or considering passwordless authentication, and/or implementing multi-factor authentication (MFA).

This analysis was conducted in August 2023 using data from Parent Power 2023: Best UK schools guide and league table and The Guardian University Guide 2023.


About Proofpoint, Inc.

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organisations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organisations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available


Connect with Proofpoint: Twitter | LinkedIn | Facebook | YouTube

Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.