Cyber attacks targeting students are nothing new, with many scams typically dangling tempting financial opportunities.
Every year, coinciding with the start of a new term, student loan fraud is common. Freshers in particular are targeted by phishing emails purporting to be from the Student Loan Company and asking for bank account details or username and password credentials before their money is released.
This year, however, a new threat is emerging that is designed to exploit students who may be struggling with coursework. Essay mills are looking to cash in by illegally hacking into higher education institutions’ websites and covertly placing content in an effort to advertise their scurrilous “services”. The content is designed to appear legitimate by aligning with university services, which makes the deception difficult to spot.
Typically, attackers write on student-facing pages, with hyperlinks to their own websites, or hijack links to legitimate services with redirects to contract cheating sites, all without the permission or knowledge of the university. This type of cyber attack has been noticed at US and Australian universities and we are concerned that similar tactics could well be employed in the UK.
Minimising risk to students
To help combat this activity, Jisc and QAA are collaborating to raise awareness and issue advice directly to universities. Universities must hammer home the message that essay mills are unscrupulous and students who pass others’ work off as their own are committing fraud. Students must understand they risk being asked to leave their course or forfeit a qualification.
Unfortunately, this kind of contract cheating is big business, almost certainly driven by organised crime, and the sooner essay mills are made illegal the better. The Office for Students and Chris Skidmore, MP, are working to outlaw the practice – and we support their efforts.
In the meantime, there are steps that can be taken to minimise risk. We urge universities to follow the technical advice available from Jisc and QAA and to encourage staff and students to stay alert for dubious content and links that don’t go where they should. Users need to know what to look out for and how to report their suspicions.
Unfortunately, this is not the first time in recent months that Jisc has issued sector alerts about cyber threats. In collaboration with the National Cyber Security Centre, warnings have also been issued over ransomware attacks, which have become more prevalent than ever this year.
The number of ransomware attacks on colleges and universities during the first six months of 2021 has exceeded the total recorded for the whole of 2020 and, for some, the impact has been devastating. Entire organisations have been taken offline for weeks, their systems and services crippled, their data irrecoverable.
Braced for the autumn
The spike in this type of cyber attack began a year ago and the timing wasn’t a coincidence. For the first time, attacks caused maximum disruption during the critical period around exam results, clearing and student enrolment. Jisc’s security team is braced for similar activity during August and September this year – and we’d warn our members to be ready, too.
The incidence of distributed denial of service (DDoS) attacks against colleges and universities has slightly reduced over the past year or so because of lockdown, but the number of attacks remains substantial. We have recorded 570 verified DDoS attacks targeting 140 different colleges and universities between January and the end of July this year.
New types of DDoS attack are being identified and the growing incidence of DDoS “as a service” means that potentially disruptive attacks are quick and simple to initiate. Indeed, cyber attacks against our sector are increasing in number and sophistication. As we’ve described, cyber criminals are quick to exploit changing social or economic conditions, such as the pandemic, and we must adapt and respond to keep ahead of that criminal curve.
The best way to do that is to make cyber security a strategic priority, with preventive measures anchored across organisations. In this way, security becomes everyone’s responsibility, with a mandate from the top.
I have forwarded this to the Working Group of the Council of Europe ETINED platform to ensure our draft Recommendation covers the issue.