According to a DMARC analysis by Proofpoint, American businesses have some of the worst defenses against spoofing and don’t have defenses against fake emails.

Scientists have shown that top U.S. institutions are among the worst in the world at protecting customers from email fraud, skipping security measures to avoid common risk techniques such area spoofing or other types of fraudulent emails.

According to a new study from Proofpoint released on Tuesday, 97 percent of the top 10 colleges in the US, the UK, and Australia expose students, staff, and administration to higher risks of email-based impersonation and other attacks because their systems lack basic protection. Additionally, according to experts, American businesses are the worst offenders overall, having some of the weakest levels of cybersecurity protection.

According to Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, the revelation is alarming, especially as email remains the most common vector for security vulnerabilities across all industries. He added that during the past few years, cyber attacks on colleges have increased in frequency, sophistication, and cost.

The combination of these factors, according to Kalember, “makes it especially relating to that the top colleges in the United States are currently the most exposed to assault.”

Undoubtedly, more than any other industry outside of healthcare, universities and other institutions of higher education maintain “masses of sensitive personal and financial information,” he said. Sadly, this makes them a top target for hackers who currently have an easy way to attack them thanks to a lack of email security, he said.

Lacking in Email Defense

Proofpoint appeared in numerous American universities, including Columbia, Harvard, Princeton, Yale, and Stanford; the Universities of California at Berkeley and Los Angeles; the College of Pennsylvania; the Massachusetts Institute of Technology; and New York College.

In order to make their assessment, scientists used DMARC (Domain-based Concept Authentication, Reporting, and Conformance) analysis of these universities as well as the top 10 in the UK and Australia.

Researchers noted that DMARC is an email validation mechanism designed to protect domain names from being exploited by fraudsters by validating the sender’s identity prior to sending a message to its intended destination. This misuse can take the form of hackers mimicking a legitimate entity by “spoofing” its area, which tricks the recipient of an email into believing it is from a reputable source when it isn’t.

The first level of DMARC’s three defenses—monitor, quarantine, and reject—is the safest for stopping questionable emails from reaching the inbox. The greatest colleges in the United States and the United Kingdom did not have a Reject plan in place, according to Proofpoint, leaving users of their email systems vulnerable to email fraud.

While 13 out of 20 of the top colleges in the United States and the United Kingdom did have a basic level of DMARC security to both verify and quarantine emails, scientists discovered that 5 of the top 10 universities in the United States did not publish any level of DMARC document.

In particular, they noted that just 2 of the 20 institutions investigated in the United States and the United Kingdom have a quarantine policy in place, compared to 11 of the 20. According to Proofpoint, out of the 30 institutions examined, 17 of them (57 percent) implemented at least a Watch policy, while 4 of them (13 percent) had at least a Quarantine plan.

Universities in the Crosshairs

The security of educational facilities has rarely been at the cutting edge, and new protocols implemented during the COVID-19 epidemic, such as remote classes performed over the Zoom video system, have only made matters worse.

Cyberattacks against universities will undoubtedly increase as a result of this new move to remote learning and the implementation of hybrid courses that combine in-person and online instruction, according to scientists. According to Proofpoint, socially engineered damaging emails are low-hanging fruit for cybercriminals because there is no barrier that prevents these suspicious emails from reaching the inbox of unknowing victims.

Additionally, email can serve as a gateway for much riskier attacks. Ransomware, which has been a big pain in the side of colleges in recent years, is one type of attack that can start as an email-similar breach. In fact, a 157-year-old college in Illinois, Lincoln College, recently closed its doors as a result of the pandemic’s pressures combined with a ransomware attack that brought it to its breaking point.

One major issue that Proofpoint identified in its most recent Voice of the CISO report is that CIOs in the education and learning sector feel underappreciated by their respective companies because they lack the guidance to implement security measures that could protect the establishments from common threats like malicious e-mail, according to Kalember.

Users will continue to be exposed to risks that can be easily avoided without this aid going forward—and without using DMARC protections that can stop damaging e-mail before it even reaches a person’s inbox, he reported.

People are a crucial line of defense against email fraud, yet they continue to be one of the biggest weaknesses for businesses, according to Kalember. A malicious email cannot reach your inbox when fully compliant with DMARC, eliminating the possibility of human influence.