UK Students at Risk of Email Fraud Ahead of A-Level Results Day

LONDON, UK, 5th  August, 2019Proofpoint, Inc., (NASDAQ: PFPT) a leading cyber security and compliance company, today released research identifying that almost two thirds (65 percent) of the UK’s top 20 Universities have no published DMARC (Domain-based Message Authentication, Reporting & Conformance) record, making them potentially more susceptible to cybercriminals spoofing their identity and increasing the risk of email fraud for students.

With a record 40 percent (236,350) of UK school leavers applying for higher education places this year, students will be eagerly awaiting email correspondence regarding their applications on A Level results day (August 15). However, cybercriminals may be capitalising on the anticipation of email communication from Universities to potentially trick students with fraudulent emails.

“By not implementing simple, yet effective email authentication best practices, Universities may be unknowingly exposing themselves and their students to cybercriminals on the hunt for personal data,” says Kevin Epstein, VP of Threat Operations at Proofpoint. “Email continues to be the vector of choice for cybercriminals. Proofpoint researchers found that the education sector saw the largest year-over-year increase in email fraud attacks of any industry in 2018, soaring 192 percent to 40 attacks per organisation on average.

Key findings from the research include:

  • 65 percent of the top 20 UK University websites currently have no published DMARC record, leaving themselves open to impersonation attacks
  • Whilst 35 percent of the top 20 UK Universities have published a DMARC record, only five percent have implemented the strictest and recommended level of DMARC protection, which actually blocks fraudulent emails from reaching their intended target

Epstein concluded, “Institutions and organisations in all sectors should look to deploy authentication protocols, such as DMARC to shore up their email fraud defences. Cybercriminals are always going to leverage key events to drive targeted attacks using social engineering techniques such as impersonation and universities are no exception to this. Ahead of A Level results day, student applicants must be vigilant in checking the validity of all emails, especially on a day when guards are down, and attentions are focused on their future.”

Best Practice for students:

  • Students should check the validity of all email communication and be aware of potential fraudulent emails impersonating education bodies.
  • Students should be cautious of any communication attempts that request log-in credentials or threaten to suspend a service or an account if a link isn’t clicked.
  • Students should be following best practice when it comes to password hygiene, including using strong passwords, changing them frequently and never re-using them across multiple accounts.


For many organisations, the road to easing email fraud risk is paved with DMARC (Domain-based Message Authentication, Reporting and Conformance), an email protocol being adopted globally as the passport control of the email security world. It verifies that the purported domain of the sender has not been impersonated.  DMARC verification relies on the established DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) standards to ensure the email is not spoofing the domain. This authentication protects employees, customers, and partners from cybercriminals looking to impersonate a trusted domain.

To find out more about DMARC, visit



About Proofpoint, Inc.Proofpoint, Inc. (NASDAQ: PFPT) is a leading cybersecurity company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including more than half of the Fortune 1000, rely on Proofpoint’s people-centric security and compliance solutions to mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at

Connect with Proofpoint: Twitter | LinkedIn | Facebook | YouTube | Google+


Proofpoint is a trademark or registered trademark of Proofpoint, Inc. in the U.S. and other countries. All other trademarks contained herein are the property of their respective owners.