While the idea of phishing is not new, a recent attempt masquerades as an offer for educational grants. The phishing emails target students from major universities. Per the BBC, one student at Queen Mary University London was duped out of £300. And, as any student can attest, £300 is not a small loss.
Designed to Resemble University Correspondence
The email appears to come from the finance department at the student’s university. The email even displays the university’s logo. The body of the email attempts to compel students to claim a government bursary. To claim the grant, students must complete online forms used to capture vital information.
The forms ask for various personal details and bank account information. The process even redirects students to a bank verification page.
No System Breaches Detected
Since the scam targets students at specific universities, concerns regarding a potential breach arose. At this time, there is no evidence of a breach or compromised system.
Multiple universities, including QMUL and the University of Glasgow, emailed students about the scam, explaining how universities actually collect sensitive information. The universities also included information about available cyber security training courses.
Why Phishing Scams Work
While not many fall victim to this phishing attempt, it is easy to understand how it happens. Students feel financial pressure on the primary payment dates in September, January, and April. This makes struggling students particularly vulnerable, especially if they fear falling short on the needed funds.
The fact that the emails appear official exacerbates the issue. Additionally, the emails are more commonly sent in batches than singly. A student who knows other students who received the same email may develop a false sense of security about its legitimacy.
How to Spot a Scam
A key indication that the email is a scam is poor grammar and improper spelling.
Most phishing attempts stress the need for a quick response. For example, they may state that only a certain number of applicants will receive funds. They also include very short deadlines as a way to coerce a person into responding.
In attempts like these, the email includes a link that must be clicked to complete the process. The link directs the targeted person to a website designed to capture the details needed to access their account. At times, the sites contain logos that appear official, similar to those in the email, but a logo does not guarantee the institution runs the site.
The majority of these attempts are unsolicited and originate from unexpected email addresses.
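The warning signs above can be combined into a first-pass triage check. This is an added example, not part of the original article; the domain `university.example`, the phrase lists and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

UNIVERSITY_DOMAIN = "university.example"  # assumption: the institution's real domain

URGENCY = re.compile(r"limited number|only \d+ applicants|within \d+ (hours?|days?)"
                     r"|immediately|urgent", re.I)
MONEY_LURE = re.compile(r"bursary|grant|bank (account|details)|sort code", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def in_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return the warning signs found in a plain-text email (constructed heuristics)."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # assumes a single-part, plain-text message
    findings = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not in_domain(sender_host, UNIVERSITY_DOMAIN):
        findings.append(f"unexpected sender domain: {sender_host}")
    for url in URL.findall(body):
        host = urlparse(url).hostname
        if not in_domain(host, UNIVERSITY_DOMAIN):
            findings.append(f"link leaves the university site: {host}")
    if URGENCY.search(body):
        findings.append("pressure wording (scarcity or short deadline)")
    if MONEY_LURE.search(body):
        findings.append("mentions grant money or bank details")
    # An empty list is not proof of legitimacy: the From header can be forged.
    return findings

# Constructed sample modelled on the email described above; domains are reserved test names.
SAMPLE = """\
From: "Finance Department" <finance@university-finance.test>
Subject: Government bursary - action required

You are eligible for a government bursary. Only a limited number of
applicants will receive funds. Complete the form within 24 hours:
http://university.example.grants.test/claim
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

The link in the sample begins with the university's name but belongs to a different domain, which is why the check compares the end of the hostname rather than searching for the name anywhere in the link.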
Suspect a Scam?
If you believe an email may be a scam, do not reply to the sender. Don’t click any links or open any attachments. Contact the university finance department directly using the phone number published by the university. They are aware of all outgoing correspondence and will confirm whether the information is correct. Do not call any phone numbers contained within the email, as they may also belong to scammers.