The cybercrime almanac reads like a sociopathic version of the regular calendar.
Another attractive time of year for social engineers starts around August, at least in the Northern hemisphere, and targets students in higher education.
To older readers who attended university before the internet era this may sound a bit odd – aren’t students too hard up to be valuable?
In fact, students are perfectly inviting targets. They may be rookie users of online bank accounts, and in some countries they end up with substantial sums of money at the start of each semester – for some of them, the first time in their lives that they have a lump sum on tap.
So it’s not surprising that the crooks hit them at the beginning of the academic year, when those accounts are full.
Phishing and worse
Student attacks can start from the moment young people try to borrow money for their studies. One infamous example happened in the UK in August 2011 when phishing scammers impersonated the Student Loans Company to harvest the online bank logins of at least 1300 students.
Within weeks, losses ran to £1.3 million ($2.3 million in 2011) before the ringleaders were caught, with one student being fleeced of £19,000.
More recently, in 2016, the UK Department of Education warned of a convincing-looking phishing campaign impersonating numerous university finance departments as a ruse to steal online bank logins and other personal details.
Ransomware and extortion
For students carrying precious research and essay data around on laptops, with strict deadlines for handing it in, ransomware is a worry that needs to be taken very seriously. (Remember that ransomware can also target external drives and data shares and even online cloud synchronisation services such as Google and Dropbox.)
Making regular offline backups is now a must-have insurance policy. And while you’re there, make sure you encrypt the backup so it cannot fall into the wrong hands.
You can find more tips on how to stay protected against ransomware in this Sophos whitepaper.
Open Wi-Fi ‘notspots’
Unencrypted Wi-Fi hotspots are another potential woe for students. Telling genuine hotspots from bogus ones can be difficult, and even legitimate ones can be sniffed by local cybercriminals in the vicinity as a way of setting up man-in-the-middle attacks or data theft.
The spread of web services that use encrypted HTTPS connections (that padlock in the browser’s address bar) has helped reduce the risk but the most reliable protection is to use a Virtual Private Network (VPN) service that creates its own secure tunnel for traffic.
Unsecured web accounts
Gmail, Dropbox, Amazon, PayPal, Facebook, Twitter: students are avid users of social media and cloud services.
Unfortunately, as speed and convenience win out, too many ignore basic security measures. Passwords are weak or used over and over on multiple accounts, and security mechanisms that can raise the barrier for attackers are not activated.
Cybercriminals target popular online services with phishing emails, so even a single successful compromise could cause mayhem.
Defending email accounts – the principal mechanism through which people often have to authenticate themselves – is absolutely critical.
The best defense is to use two-factor authentication (2FA), also called two-step verification. This requires users to enter a one-time passcode, delivered by SMS or calculated by a special app.
This means that even if attackers know an account password, they won’t be able to provide the second factor and will therefore be kept out.
Guarding those shiny possessions
It’s easy to forget that thieves attack computers offline as well as online. Criminals know that new students buy shiny new computers around the start of the academic year.
All the criminals have to do then is use Google Maps to find known dormitories and wait for an opportune moment for old-fashioned burglary. Don’t make things easy for them…
- Turn on two-factor authentication for all online accounts that you can – it takes seconds and costs nothing.
- If regularly using open Wi-Fi hotspots, consider using a personal VPN.
- Remember to protect mobiles as well as laptops.
- When it comes to backup protection against ransomware, remember offline storage is the most secure option.
- Make sure you take your real life security seriously too! Don’t leave your Macbook Air, Android, or any other device unattended, and encrypt everything you can!