Alumni fundraising spoofs target donors with personalized wire-transfer requests from trusted university identities. The fix is enforced DMARC across every university subdomain that has ever sent mail.
Universities are an unusually attractive target for email impersonation because the attacker's research surface is public, emotional, and financially meaningful. Donor names appear in annual reports. Development officers publish staff profiles. Alumni campaigns create a steady drumbeat of legitimate requests for money.
The email estate behind that fundraising work is usually more complicated than the public brand suggests. A university may have a central domain, faculty subdomains, alumni relations systems, school-specific campaigns, library tools, research centres, affiliated trusts, and class-year initiatives that all send mail under related identities.
Why universities have it harder
A corporate IT estate of comparable headcount might have four to ten email domains. A research university with the same number of mailboxes can easily have dozens. Departmental autonomy, grant-funded systems, regional campuses, foundations, and old campaign sites leave a long tail of domains and subdomains.
A representative university estate often includes:
giving.university.edu, owned by Development and connected to a legacy ESP.alumni.university.edu, owned by Alumni Relations and managed separately from Development.class-of-1997.university.edu, created by a class committee, last used years ago, still publishing an old SPF include.library.university.edu, sending reading-list notifications from a library platform.medicine.university.edu, split between Google Workspace and a legacy Exchange route.
Each one needs to be authenticated correctly. Each one can become a From address.
The development-office fraud pattern
A typical attack path is straightforward.
- Reconnaissance. The attacker checks the donor wall, annual report, or campaign microsite, then enriches a shortlist with public professional profiles.
- Spoof setup. They find a university subdomain at
p=none, or one with no DMARC record, and craft a message that appears to come from a dean, faculty leader, or development officer. - Pretext. The message offers a matching gift opportunity, a named fund, a planned building, or a deadline-bound pledge.
- Wire instructions. A controlled reply address or "donor liaison" moves the conversation to fraudulent banking details.
Security awareness training helps the internal team. It does not protect an external donor receiving an apparently legitimate email from a trusted university identity. Domain enforcement does.
What the fix looks like
Higher education DMARC rollouts are not technically exotic. The hard part is discovery and ownership.
- Development office sending domains and subdomains.
- Alumni relations platforms and campaign microsites.
- Faculty, school, and foundation identities used in fundraising.
- Dormant campaign domains that still resolve or publish mail records.
Publish aggregate DMARC reporting on the parent domain and include a subdomain policy. The reports will show which subdomains are still sending, which vendors they use, and which dormant names are being tested by attackers. For many universities, this is the first complete view of the real sending estate.
For active senders, onboard the source, align SPF or DKIM, and move from monitoring toward enforcement. For dormant subdomains, follow the same lockdown pattern used for parked acquired domains: explicit p=reject, null SPF, and no valid DKIM path.
The day-one quick win
If you can only do one thing, publish enforced DMARC on the subdomains the development office uses. Those are the spoof magnets. Once they are at p=reject, a forged message using that exact domain should be rejected before the donor sees it.
That is often a one-domain, one-DNS-change job. It is also the highest-leverage move in this vertical because the fraud pattern depends on the donor trusting the visible From identity.
What the dashboard should show
University teams need a view that matches how the institution operates:
- By department or faculty, so local administrators can own their slice.
- By active versus dormant, so non-sending domains can move quickly to lockdown.
- By spoof pressure, so the names attackers are testing rise to the top.
The spoof-pressure view is the one development officers understand fastest. It turns DMARC reporting into a practical warning signal for campaigns against donors, alumni, and faculty leaders.
A note on cost
Higher education budgets are tight, and the risk is concentrated in a few very visible workflows. We have historically discounted academic domains such as .edu, .ac.uk, .ac.za, and similar university namespaces. Email us if that is relevant.

