Several times a year, without fail, scammers start bombarding university students with barely convincing phishing emails in the weeks before the beginning of every term.
Timing is key: UK students expect to receive important emails from official bodies such as the Student Loans Company (SLC) and university finance departments in August, December and March, and are therefore seen as more vulnerable to being duped in those months.
Sure enough, Action Fraud this week issued one of its periodic warnings that the con-merchants are at it again, this time a campaign that tries to trick students into believing their SLC account has been suspended due to “incomplete information”.
It hasn’t, of course, but anyone taken in by it will reach a phishing page designed to harvest their bank account details.
This isn’t a work of great phishing craft, but that doesn’t seem to matter: a few recipients will read the important-sounding subject line, register the bright blue hyperlinks embedded in the email, and click themselves headlong into a dangerous situation.
At least this time new and returning students are getting a heads-up about this campaign before it does damage. This hasn’t always been the case.
In 2011, a similar campaign around the SLC grabbed the bank logins for 1,300 students, running up £1.5m in losses for victims. By 2012, the official victim count for this type of student fraud had dropped to 831, followed by 162 in 2014.
So things are getting better, but clearly there are still enough victims out there to make it worth continuing these attacks into the future.
There’s plenty of advice worth handing out here, most of which sounds obvious: never log on to anything at the behest of an email, least of all one connected to finance, and double-check suspect requests through an institution’s customer help.
Anyone who spots a phishing email should forward it to phishing@slc.co.uk or report to Action Fraud, where it will be added to attack intelligence. The #StudentLoan Twitter hashtag is another good warning source.
Beyond that, turning on multi-factor authentication is a must because, in addition to being a good thing in itself, the lack of it is a warning sign when visiting important websites.
That it? Not quite.
We mentioned at the beginning of this piece that student phishing attacks depend on good timing but they also burn through one other fuel: email addresses. This sounds obvious but email addresses are central to targeted attacks.
It’s not clear where the phishing scammers got the cache of addresses used in the latest campaign (interestingly, some appear not to be students at all) but there could be an amalgam of sources including addresses guessed from university email domains, taken during academic breaches, or scraped or compromised from online services.
It follows, then, that guarding email addresses is an important defence, or at least being careful with which ones are used for which type of communication. This includes the email addresses handed to every new student by universities.
Starting a university course is a good moment for anyone lucky enough to experience it. But nobody should be under any illusion: it is also the gateway to a life in crime’s line of fire. New students deserve to be reminded of this.
Laurence Marks
How hard would it be for an ISP to filter for (“SLC” OR “Student Loan Company” in the message body) AND (sender_domainSLC.com.uk)? If they don’t do this, they should.
Sophos enterprise Email Gateways should also perform this filtering. If they don’t, why not? If they do, there’s no problem to write about. For that matter, they could filter similarly using the name and domain of every large bank.
Paul Ducklin
Not quite sure what you mean, but I think you are saying, “If the email mentions XYZ Financial Institution but doesn’t officially come from XYZ Financial Institution, then it must be a scam to do with XYZ Financial Institution.”
Naively, that should work as a filter, but it does not – there are lots of good reasons for email from one company to mention explicitly the name of another. (Naked Security newsletters that refer to security news about company X will inevitably include X in the message body, for example.)
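To make the false-positive point concrete, here is an added example (not code from the article or from either commenter) that implements the naive “mentions SLC but isn’t from SLC” rule alongside a stricter variant that also requires a link to a non-SLC host and an account-suspension style phrase of the kind the article describes. The sample messages, the keyword lists and the sender/link domains are all constructed for illustration; only `slc.co.uk` comes from the article’s reporting address.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed keyword lists; the legitimate domain is taken from the
# phishing@slc.co.uk reporting address mentioned in the article.
SLC_TERMS = re.compile(r"\b(SLC|Student Loans? Company)\b", re.IGNORECASE)
SLC_DOMAIN = "slc.co.uk"
URGENCY = re.compile(r"\b(suspended|incomplete information)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def sender_domain(raw: str) -> str:
    """Domain part of the From: header (no SPF/DKIM check; header only)."""
    addr = parseaddr(message_from_string(raw).get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def body_text(raw: str) -> str:
    return message_from_string(raw).get_payload()

def is_slc_host(host: str) -> bool:
    """Exact or subdomain match, so 'evilslc.co.uk' does not pass."""
    return host == SLC_DOMAIN or host.endswith("." + SLC_DOMAIN)

def naive_rule(raw: str) -> bool:
    """Laurence's rule: body mentions SLC, sender domain is not SLC."""
    return bool(SLC_TERMS.search(body_text(raw))) and sender_domain(raw) != SLC_DOMAIN

def refined_rule(raw: str) -> bool:
    """Naive rule plus: a link to a non-SLC host AND an urgency phrase."""
    body = body_text(raw)
    if not naive_rule(raw):
        return False
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    foreign_link = any(h and not is_slc_host(h) for h in hosts)
    return foreign_link and bool(URGENCY.search(body))

# Constructed sample messages (headers, blank line, body).
PHISH = """From: Student Finance <alerts@mail-slc-update.example>
Subject: Important: your SLC account has been suspended

Your Student Loans Company account has been suspended due to incomplete information.
Click http://slc-verify.example/login to restore access.
"""

NEWSLETTER = """From: Naked Security <newsletter@nakedsecurity.example>
Subject: This week in security

Action Fraud warns of a new phishing wave aimed at SLC customers.
Read more at https://nakedsecurity.example/slc-phishing
"""
```

The newsletter trips the naive rule exactly as Paul describes, while the refined rule separates the two samples; in practice it would still need tuning against real mail flow.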