More than £100,000 in student loans stolen by phishing email scammers

More than 70 students had their university funds redirected by scammers in just 15 months

More than £100,000 has been stolen from university students via phishing attacks in just over 15 months, according to a Freedom of Information (FOI) request to the Student Loan Company (SLC).

The request, carried out by cyber security awareness education provider Cyber Risk Aware, found that £108,205 had been taken away from students since the beginning of the 2015 academic year up to December 2017.

In total, 72 students had funds redirected as a result of being tricked by phishing emails into handing over the details of their accounts with the SLC. The scammers then used this information to impersonate the students and to redirect the funds.

This has led to warnings by Action Fraud, a fraud investigation unit set up by the City of London Police, that new and current university students are being targeted by scammers in the phishing email sting.

The message claims that the student's account with the Student Loans Company (SLC) has been suspended and that details must be updated. However, the link provided in the phishing email leads to a counterfeit site that captures the students' authentication details.

SLC claimed that it had improved its ability to detect fraudulent interactions and can now identify these at an earlier stage

Students are a particular target for phishing emails from hackers attempting to steal their money; phishing emails can be very convincing and fraudsters know exactly how to lure students into sharing personal details," said Stephen Burke, Founder of Cyber Risk Aware.

"But it's not just emails where students need to be vigilant; attackers are also smart in creating ‘friendships' and fake events, asking for personal and financial details whilst playing on a person's ‘fear of missing out'."

The FOI request also revealed that the SLC's counter-fraud services department had prevented a further 463 attacks over the same period, in which financial losses could have totalled £785,718.

SLC claimed that it had improved its ability to detect fraudulent interactions and can now identify these at an earlier stage.

"This means we can take action as payment dates approach, preventing fraudsters from making changes to a student's account," it said.

Burke advised students to be cautious around emails requesting any personal or financial information

Cyber Risk Aware's Stephen Burke advised students to be cautious around emails requesting any personal or financial information - good advice for anyone - and suggested universities that did not run cyber awareness campaigns should begin to do so. This would help students to identify phishing emails rather than having to solely rely on technical defences.

"Until such practice becomes mainstream across the board, students should treat any emails requesting personal details with suspicion," he said.

"Phishing emails contain indicators such as unknown sender origin and offers which are just too good to be true, whilst often pertaining to be from a recognised company or brand. Anyone receiving a suspicious email should report it to their university or company IT administrator and delete it," he added.