Introduction
Phishing and social engineering are already common cyber threats, and they are becoming more prevalent in the education sector, especially at colleges and universities.
As educational institutions increasingly rely on cloud services to store sensitive data, they have become frequent targets for cybercriminals.
Hence, your institution needs to be informed about such cyberattacks to safeguard and improve its academic community’s security.
What is Social Engineering and Phishing?
If you’ve never heard of these terms before, then don’t worry because this blog is all about informing and educating.
You may want to grab a drink.
Things are about to get interesting…
So, what is social engineering? Social engineering is the use of psychological manipulation, often through a fabricated relationship or pretext, to trick individuals into handing over sensitive personal information.
For example, an attacker may pose as your college’s IT support staff or a classmate to get you to click a malicious link or share private information.
These attacks are getting smarter. Some phishing emails now look perfect, with no spelling mistakes or strange logos, making them very hard to spot.
Yes, I mentioned phishing, but what is it?
Phishing is a form of social engineering; the difference is that it is usually carried out through emails and messages that look genuine but aren’t. So, if you see an email or message that looks even slightly suspicious, be wary of what you click on.
Phishing and Its Approaches
It’s time to go fishing into phishing…
The rise of phishing is unparalleled, with an estimated 3.4 billion phishing emails sent per day by cybercriminals, and many of them look exactly like the genuine messages they imitate. Scary?
Ever wondered what the main cause of this is? It’s human error.
Human error remains the weakest link, with 75% of data breaches being caused by human error. Yes, that’s a big number, but it can be decreased with the right approach and education.
Many cybercriminals imitate trusted organisations, copying their tone of voice when writing phishing emails and messages. But there are several distinct approaches:
- Email Phishing: This is when attackers send fake emails, often claiming to be an important official. These emails look legitimate, and 80% of individuals are tricked into revealing their sensitive information to such cybercriminals.
- Spear Phishing: A narrowly targeted form of phishing. This is when specific individuals are targeted using information gathered from social media. Attackers tend to customise messages around an individual’s aspirations, which they may have posted on Instagram or TikTok.
I guess you need to be careful of what you post on these platforms, as you never know who’s watching.
- Smishing: Also known as ‘SMS phishing.’ This is when attackers attempt phishing through text messages. A clever tactic, as users place large amounts of trust in mobile communication. One wrong text and all your data is revealed!
- Vishing: Formally known as voice phishing, this is where attackers use voice messages to trick individuals into revealing their personal information over the phone. With AI, it is likely to become an even more effective method of phishing, as voices can be cloned easily with widely available AI tools.
What Should You Look For in a Phishing Message?
Suspicious Email Address or Sender Name
- The email may look like it’s from your school or a trusted company, but the email address is off.
- Example: admin@university-secure.com – instead of your actual university’s domain.
- Always pause before you respond, and always verify first.
Generic Greeting
Phishing messages often say things like:
- “Dear User,”
- “Dear Student,”
- “Hello Customer”
Legitimate institutions usually use your real name.
Urgent or Threatening Language
Phrases like:
- “Your account will be deactivated!”
- “Act now or lose access!”
- “You must verify immediately!”
These are meant to scare you into acting fast without thinking.
Spelling or Grammar Mistakes
- Poorly written messages are a red flag. Professional organisations, especially educational institutions, rarely send messages with sloppy grammar or misspellings.
Strange or Unexpected Attachments
- Be very cautious with attachments, especially ZIP files, Word documents, or PDFs that you didn’t expect to receive.
Suspicious Links
- Hover over the link before clicking. Does it lead somewhere unexpected?
- A link might say “www.youruniversity.edu” but actually go to something like www.free-prizes.ru/login.
Requests for Sensitive Information
- No legitimate institution will ask for your password or your bank details.
Unusual Timing
- An email from your university’s IT team at 3 AM? That’s probably not right.
Too Good to Be True
- “You’ve won a gift card!”
- “Free laptop for students!”
- These are classic bait tactics.
Websites That Look Like Your College or University
- Fake login pages that look real. They copy the style of a university login page or a cloud storage service (like Google Drive or OneDrive) to trick you into typing your credentials.
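The red flags above can be turned into a simple, defensive checklist that runs over a message before anyone clicks. The following is an added example written for this post, not code from the original article or from any vendor it mentions; it assumes a small constructed message format (sender, subject, body, display-text/href link pairs and attachment names), an assumed TRUSTED_DOMAINS set that you would replace with your institution’s real sending domains, and hand-written phrase lists. The two sample messages are constructed for illustration and reuse the post’s own example addresses.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Assumed: the domains your institution genuinely sends mail from. Replace these.
TRUSTED_DOMAINS = {"youruniversity.edu"}

# Phrase lists are assumptions; extend them from messages your helpdesk actually sees.
URGENCY_PHRASES = ("act now", "immediately", "will be deactivated", "lose access")
GENERIC_GREETING = re.compile(r"^\s*(dear (user|student|customer)|hello customer)\b", re.I)
SENSITIVE_REQUESTS = ("password", "bank details", "card number")
# Attachment types the post singles out; whether one is "expected" still needs human context.
RISKY_EXTENSIONS = (".zip", ".doc", ".docx", ".docm", ".pdf")


def _host(url: str) -> str:
    """Lowercase hostname of a URL; tolerates link text with no scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _looks_like_url(text: str) -> bool:
    """True for 'www.example.edu'-style link text, False for 'library portal'."""
    return re.fullmatch(r"\S+\.\S+", text) is not None


def _is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def phishing_indicators(message: dict) -> list[str]:
    """Return the red flags found in one message (constructed format, see lead-in)."""
    flags: list[str] = []

    # 1. Suspicious sender: the domain after '@' is not one we trust.
    sender_host = message["sender"].rsplit("@", 1)[-1].lower()
    if not _is_trusted(sender_host):
        flags.append(f"sender domain not trusted: {sender_host}")

    # 2. Generic greeting at the start of the body.
    if GENERIC_GREETING.search(message["body"]):
        flags.append("generic greeting")

    # 3. Urgent language and 4. requests for sensitive information, in subject or body.
    lowered = f"{message['subject']}\n{message['body']}".lower()
    if any(p in lowered for p in URGENCY_PHRASES):
        flags.append("urgent or threatening language")
    if any(k in lowered for k in SENSITIVE_REQUESTS):
        flags.append("asks for sensitive information")

    # 5. Links whose visible text names one host but whose target is another,
    #    or that simply point somewhere outside the trusted domains.
    for display, href in message.get("links", []):
        actual = _host(href)
        if _looks_like_url(display) and _host(display) != actual:
            flags.append(f"link text shows {_host(display)} but goes to {actual}")
        elif not _is_trusted(actual):
            flags.append(f"link to untrusted host: {actual}")

    # 6. Attachment types that warrant a pause when unexpected.
    for name in message.get("attachments", []):
        if name.lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"unexpected attachment type: {name}")
    return flags


def advice(message: dict) -> str:
    """Map the number of red flags to the action the post recommends."""
    n = len(phishing_indicators(message))
    if n == 0:
        return "no red flags found; still verify anything unusual"
    if n <= 2:
        return "be cautious: verify the sender through a known channel before acting"
    return "treat as phishing: do not click or reply, report it to IT/security, then delete"


# Constructed sample messages (not real emails) reusing the post's example addresses.
SUSPICIOUS_MESSAGE = {
    "sender": "admin@university-secure.com",
    "subject": "Your account will be deactivated!",
    "body": "Dear Student,\nYou must verify immediately. Confirm your password here.",
    "links": [("www.youruniversity.edu", "http://www.free-prizes.ru/login")],
    "attachments": ["invoice.zip"],
}
LEGITIMATE_MESSAGE = {
    "sender": "library@youruniversity.edu",
    "subject": "Reminder: books due Friday",
    "body": "Hi Alex,\nYour loans are due on Friday. Renew them via the library portal.",
    "links": [("library portal", "https://library.youruniversity.edu/renew")],
    "attachments": [],
}

if __name__ == "__main__":
    for label, msg in (("suspicious", SUSPICIOUS_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, phishing_indicators(msg), "->", advice(msg))
```

The checks are deliberately simple string and hostname comparisons, which is exactly why they are useful for teaching: each flag maps to one item in the list above, so a student can see which signal fired and why. The link check is the one most worth remembering, since it reproduces the "hover before you click" habit in code: the visible text is compared with the real destination, and any mismatch is reported regardless of how convincing the text looks.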
What To Do If You Suspect a Phishing Attempt
- Don’t click on anything: no links, no attachments. Cybercriminals tend to use files and links to install malware onto your system, so always be cautious!
- Don’t reply to the message.
- Take a screenshot or forward it to your IT/security department.
- Delete it only after reporting it.
How Can You Prevent Social Engineering?
It’s a hard one to cover. But it has to be done.
We all know defending against social engineering is not easy, but it all starts with your institution. A place of education. A place of information. A place of growth. And finally, a place of dreams!
Those dreams that cybercriminals aim to shatter, so why let them?
Thus, your institution should be running regular phishing and social engineering awareness programmes that educate faculty, students and staff about the danger of such attacks.
Knowing the different phishing types and social engineering tactics, and knowing what to do when you encounter them, all help reduce human error and stop phishing attacks from succeeding.
Set your institution up for success by setting targets such as participation in cybersecurity courses, workshops and events that cover the basics: social engineering tactics, choosing strong passwords, protecting your information online and keeping systems updated.
Even if you accidentally give away your password, Multi-Factor Authentication (like a text code or app prompt) can stop hackers from logging in. Enable MFA wherever possible, such as on your university account, email, social media, and cloud storage.
For students, create a society or a monthly event where these issues, and the actions to take, are discussed. Together, we can stop these cyberattacks from damaging our people and educational institutions.
Final Thoughts: Remain Calm and Vigilant
Phishing and social engineering attacks are sneaky and can catch anyone off guard. But with a little caution and the right habits, you can stay protected.
Always think before you click, use strong passwords, turn on MFA, and report anything that feels wrong.
Just remember, phishing and social engineering are about manipulation, not malware. That’s why your best defence isn’t software, it’s awareness!
If something feels off, just trust your gut.
Ask yourself:
- Is this message trying to scare me into acting fast?
- Is the sender who they claim to be?
- Am I being asked to share something I normally wouldn’t?
If the answer is “yes”, pause, verify, and protect your info.
The more we learn and share, the safer we all become.