Students at several major UK universities have been targeted by 'phishing' emails which claim to offer them a Government bursary - and some have lost £100s as a result. As students get ready for the new academic year, here's what to watch out for.
Queen Mary University of London students were hit by the scam last week, MoneySavingExpert.com has learned, while the University of Glasgow has said it's aware of similar emails and according to a student news site the University of Manchester was also affected back in April.
Earlier this year crime reporting centre Action Fraud issuing a national warning about this type of scam, which tends to follow the same format - though it's not known whether the same fraudsters are to blame for all the emails.
While the precise format varies, the emails typically claim to be from the university's finance department and trick the recipient into clicking on a link to an online form and entering their personal and banking details (such as debit card info), National Insurance and driver's licence numbers.
Some are then taken to a further form which persuades them to enter online banking login information such as passwords and memorable words.
The online forms often look particularly convincing because they use the official logo and font of the student's university and bank. And once a student submits their details, fraudsters are able to raid their bank account - often within a couple of minutes.
'This scam is really easy to fall for'
MoneySaver Louise, who didn't want to be fully identified, said her daughter Ella, a student at Queen Mary, received one of the scam emails last week.
Because Ella already receives a bursary the email didn't seem out of the ordinary at first, so she clicked on the link and filled in the form.
After submitting it she was taken to a fake bank 'verification' page with the logo of her bank HSBC. She entered her online banking log-in details, including password and memorable word, but immediately became suspicious. But by then it was too late.
When Ella checked her bank account she found fraudsters had already removed £300, leaving her in her overdraft. HSBC told her a fraudster had phoned up and used her details and memorable information to make the transfer.
Thankfully the bank promptly refunded the money and issued her with a new debit card, but mum Louise said her daughter had the hassle of "a lot of phone calls to make to the police, credit checking agencies, the DVLA and HMRC, and it still doesn't mean that she's safe from identity fraud."
Louise added: "This is the time of year when students like my daughter are getting their finance awards, so this scam is really easy to fall for."
Ella says her housemate was another a victim of the scam and also lost money, though Queen Mary wasn't able to confirm the total number of students affected.
How this kind of scam works
Fraudsters often set up email addresses which look very similar to a university's legitimate address, so the email looks genuine and students are duped by it.
And if conmen know a university's domain name (for example, gla.ac.uk for the University of Glasgow) and the usual format of its email addresses (e.g firstname.surname) it's then a relatively simple matter for them to email real students' accounts, even without having access to the university's email database.
Action Fraud says there are special software programmes which generate email addresses using this format information plus combinations of common first and surnames. Many of those email addresses won't actually exist, but some of them will - and those students will receive the spam email.
Here's what these sorts of emails typically look like:
What to watch out for
Action Fraud says the following:
- Do not click on any links or open attachments contained within unsolicited emails.
- Do not reply to scam emails or contact the senders in any way.
- If an email appears to have come from a person or organisation you know of but the message is unexpected or unusual, contact them directly via another method to confirm that they sent you the email.
- If you receive an email which asks you to log in to an online account via a link provided in the email, don't click on that link. Instead, you should open your browser and go directly to the organisation’s website yourself.
- If you have clicked on a link in the email, don't enter any information on the website that may open.
- If you think you may have compromised the safety of your bank details and/or have lost money due to fraudulent misuse of your cards, you should immediately contact your bank, and report it to Action Fraud.
See our Stop Scams guide for more on how to protect yourself online.
What do the universities say?
A Queen Mary University of London (QMUL) spokesperson said: "We were made aware late last week that a number of QMUL students had received these phishing emails.
"QMUL proactively monitors its systems to prevent and detect breaches, and there is no evidence to suggest any system has been compromised in this instance.
"A message was sent to all students warning them about the scam and providing them with advice on how they can protect themselves online. Our student-focused websites are displaying a message about phishing emails, along with details of further support we can offer, including a cyber security training course which is available to all staff and students. We are investigating locally, and have not informed the police."
A spokesperson for the University of Glasgow said it was investigating and added: "As soon as we became aware of this scam we advised students to ignore the email. The university would never ask for personal banking information in this way and we urge all of our students to exercise caution when online."