PhishNet

Learning from the recent Deakin University Smishing Attack


Australia’s tertiary sector is no stranger to big cyber attacks, with a recent incident marking the third major university breach in the last three years. The most recent incident, an SMS phishing attack, impacted nearly 47,000 Deakin University students, both present and former.

The incident demonstrates that even the best-prepared institutions can fall victim to unscrupulous threat actors, and it underlines the importance of cybersecurity awareness in general.

The Deakin breach occurred after a single staff member’s credentials were obtained. This allowed an unauthorised user to access a bulk-SMS messaging service used to convey results and other data to students. Days after the incident, university technical employees described the breach.

On Sunday 10 July, Deakin University became aware of an incident in which a staff member’s username and password were hacked and used by an unauthorised person to access information held by a third-party provider.

The 46,980 student records in the database, including name, ID, mobile number, email address, and special comments, including most recent unit scores, appear to have been obtained in their entirety by this cybercriminal.

Subsequently, a smishing attack was launched, sending an SMS message to 9,997 students alleging that they owed customs duties on a package. Students who clicked the link in the SMS were directed to a page that requested personal information, including credit card numbers.

The attack is significant not only because of the number of students it affected, but because only one staff member’s credentials were compromised. A single-vector, single-person attack yielded 46,980 records.

Deakin stated that they will continue to take an “educative and proactive approach to cybersecurity and continue to strengthen their systems to prevent future incidents”.

This incident is an invaluable lesson for business owners and highlights the importance of improving cybersecurity awareness to minimise the possibility of such a breach.

Here are five tips to improve cybersecurity awareness in your business: 

  1. Adopt a cybersecurity aware culture.
  2. Provide staff with regular cybersecurity awareness training.
  3. Implement and measure risk reduction with phishing simulations.
  4. Implement robust cybersecurity policies and procedures.
  5. Take advantage of the Australian Government’s Small Business Skills and Training Boost.

Interested in finding out how to improve your cybersecurity awareness? Book a complimentary 15 min discovery session with Mark.

About PhishNet

PhishNet trains people to recognise everyday scams and cyber threats through our Cyber Security Awareness Training platform. With clear, measurable results, organisations can meet compliance requirements and proactively reduce the risk of cyber incidents. Talk to us about how awareness training can help protect your people and business.