Google Warns of Phishing Campaigns Targeting Higher Education Institutions

Google, in collaboration with Mandiant, has issued a warning about a surge in phishing campaigns targeting higher education institutions in the United States.

These attacks, observed since August 2024, exploit the trust within academic ecosystems to deceive students, faculty, and staff.

The campaigns are strategically timed to coincide with critical academic periods, such as the start of the school year and financial aid deadlines, making them particularly effective.

Evolving Tactics in Phishing Campaigns

Three distinct phishing campaigns have been identified, each employing advanced methods to compromise institutional security.

In one campaign, attackers used compromised university domains to host malicious Google Forms.

These forms mimicked legitimate university communications and were tailored to specific institutions by incorporating school logos, colors, and branding.

Victims were tricked into providing sensitive information such as login credentials and financial details.

Although these forms have been removed, at least 15 universities were targeted during this operation.

Another campaign involved cloning university login portals and hosting them on attacker-controlled infrastructure.

These fake websites often used obfuscation techniques, such as JavaScript redirects targeting mobile devices, to enhance their legitimacy.

Victims who entered their credentials unknowingly handed over access to attackers, who then used these accounts for further phishing attempts or financial fraud.

A third campaign employed a two-step approach: phishing emails were sent to faculty and staff under the guise of salary updates or bonuses.

[Figure: Example of phishing email targeting faculty and staff]

Once their accounts were compromised, attackers used them to distribute fraudulent job application forms to students, seeking personal and financial information.

Payment Redirection Attacks

A significant threat observed in these campaigns involves payment redirection attacks.

[Figure: Payment redirection attacks]

Cybercriminals gain unauthorized access to email accounts through phishing or social engineering.

They then monitor financial communications to impersonate legitimate users and redirect payments into their own accounts.

These attacks often target large transactions like financial aid disbursements, payroll, scholarships, or vendor payments.

In some cases, attackers divert smaller amounts over time to evade detection.

To counter these threats, Google emphasizes the importance of multi-layered security measures:

  • Multi-Factor Authentication (MFA): Requiring MFA for all accounts significantly reduces the risk of unauthorized access.
  • Employee Training: Regular training sessions can help staff recognize phishing attempts and verify unusual requests.
  • Advanced Email Security: Tools leveraging AI can detect and block malicious emails before they reach users.
  • Payment Verification Protocols: Implementing strict procedures for verifying changes in payment details can prevent fraudulent transactions.
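
A payment verification rule of the kind listed above, shown as an added Python sketch (not taken from Google's report), compared with a review that looks only at payment size and therefore misses small diversions spread over time. The record fields, the 10-day cooling-off window, and the 10,000 review threshold are assumptions, and all sample data is constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Assumed policy values for this sketch; tune to the institution's own rules.
COOLING_OFF = timedelta(days=10)
REVIEW_AMOUNT = 10_000

# Constructed sample records: bank-detail changes and queued payouts.
CHANGES = [
    {"payee": "vendor-17", "account": "ACCT-B", "on": date(2024, 9, 2), "callback_ok": False},
    {"payee": "staff-204", "account": "ACCT-D", "on": date(2024, 9, 20), "callback_ok": True},
]
PAYOUTS = [
    {"id": 1, "payee": "vendor-17", "account": "ACCT-B", "amount": 900, "on": date(2024, 9, 5)},
    {"id": 2, "payee": "vendor-17", "account": "ACCT-B", "amount": 850, "on": date(2024, 9, 19)},
    {"id": 3, "payee": "staff-204", "account": "ACCT-D", "amount": 3200, "on": date(2024, 9, 25)},
    {"id": 4, "payee": "student-88", "account": "ACCT-F", "amount": 12000, "on": date(2024, 9, 25)},
    {"id": 5, "payee": "staff-204", "account": "ACCT-D", "amount": 3200, "on": date(2024, 10, 25)},
]

def amount_only_review(payouts):
    """Weak baseline: only large payments get a second look."""
    return {p["id"] for p in payouts if p["amount"] >= REVIEW_AMOUNT}

def change_aware_review(payouts, changes):
    """Hold payouts to changed bank details until verified and past cooling-off."""
    latest = {}
    for c in sorted(changes, key=lambda c: c["on"]):
        latest[(c["payee"], c["account"])] = c  # most recent change wins
    holds, exposure = {}, defaultdict(int)
    for p in sorted(payouts, key=lambda p: p["on"]):
        change = latest.get((p["payee"], p["account"]))
        if change is None or p["on"] < change["on"]:
            continue  # destination matches long-standing details on file
        reasons = []
        if not change["callback_ok"]:
            reasons.append("change not confirmed out-of-band")
            exposure[p["account"]] += p["amount"]  # running total of small diversions
        if p["on"] - change["on"] < COOLING_OFF:
            reasons.append("inside cooling-off window")
        if reasons:
            holds[p["id"]] = reasons
    return holds, dict(exposure)
```

On the sample data the size-only review flags just the large, unchanged-account payout, while the change-aware review holds both small payments to the unverified account and reports their combined total.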

Google Workspace’s built-in protections also play a critical role by blocking 99.9% of spam and phishing attempts using AI-driven threat detection.

The impact of these phishing campaigns extends beyond financial losses.

Institutions face reputational damage and operational disruptions as they work to recover from attacks.

According to the report, Google urges academic institutions to adopt robust incident response plans and proactive security measures to mitigate risks effectively.

As cybercriminals continue to refine their tactics, heightened vigilance and collaboration across the education sector remain essential in combating these sophisticated threats.
