Phishers are targeting UK student loan applicants in a new scam campaign. Fraudulent emails, posing as messages from Directgov UK, attempt to trick recipients into handing over online account information and other personal data to fraudsters under the guise of a supposed account update. "We at HM Government noticed your Student …
"Sadly victims may not notice grammatical error"
And even if they do they will probably assume that government standards in communication have slipped (even more).
Maybe it's a test?
If you're enough of a mug to fall for this then you're not deserving of your uni place!
I think the days of making the natural assumption that we non-muggles are somehow immune from phishing are over (let alone art students for goodness sake!)
Ok, sure, 99% of the time it's easily spotted, but I have seen examples that could fool anyone, and have, including god-like bofh's. In fact, assuming that we will always spot one probably contributes to the error rate when presented with a well constructed phish, and most especially when we are in a hurry.
There's only one rule: never follow a link in an email. Can you honestly say you never have?
"There's only one rule: never follow a link in an email. Can you honestly say you never have?"
Nah, the rule is 'check the link on the email'. "www.ozelfindikkurdu.com/indexq.html" (don't be a twat and use it)
I got one of these a couple of weeks ago and it does look convincing - though the "To aid a prompt release and approval of your loan, please re-confirm your account details promptly. You can do this by clicking this link now." is a bit of a giveaway.
It'd be nice to know where they got my email address from - something out there is leaking like a sieve and it ain't me.
What natural assumption?
Nobody is assuming that students are somehow intelligent enough to detect phishes at will. What is the point is that if you don't have a sufficient grasp of English to know the proper usage of "is" and "are", then you should not be going to university in the UK.
(NB: this doesn't automatically exclude foreign students, as many of them speak English better than our own students do these days. Which is not surprising, as under their inferior education systems they actually have to learn subjects to an acceptable standard to get a passing grade.)
Re: One rule?
"Nah, the rule is 'check the link on the email'. "www.ozelfindikkurdu.com/indexq.html" (don't be a twat and use it)"
tinyurl anyone? It's pretty common for emails to use this (or similar) features, making the URL less of a giveaway than it once was. Some of the phishers also manage to get hold of some reasonably convincing domains, especially in light of the fact that many organisations now use a *different* domain for their customers, making it less than clear if you're dealing with a phishing attack or not.
The rule most definitely is never click on a link in an email. If you know who it's supposedly from, you type their website addr into the addr bar. If not, meh - it's just an electronic flier. Bin it like you would a paper one. Clicking on links you *think* are legit opens you up to a whole lot of risk. Unless you're perfect.
I've seen 2 variants of this email go through our mail server so far (we handle student accommodation) and there's several things to note:
1. These are highly targeted emails, not your usual phishing spam. Somehow they are getting the email addresses for the students. As we're a student service provider we're also seeing them.
2. With the exception of a couple of minor errors these are quite believable, more so given the complete cockups of the last few years by the student loans company.
It's interesting to see that the Government email asks you to download a file; it suggests more than one phishing group involved, as the previous emails I've seen ask the student to click a link. The link looks like a genuine student loans company link until you click on it.
Joking aside about the intelligence of the people falling for this scam, these are mainly 18 year olds without the years of experience dealing with scams that we have. They need this money in order to live and pay rent. They fall for this scam and it can result in the student having to drop out of University, owing not only the student loan company for the money that has been stolen from them but also their rent for the accommodation they were staying in. That's a hell of a lot of money for someone who now has no chance of paying it back. If they're UK based the chances are their parents signed as guarantor for them as well, which means their parents will also be chased for money. This isn't as simple as someone being a little stupid and losing a few quid; this is a crime that potentially destroys an entire family's financial security.
Not that targeted
"1. These are highly targeted emails, not your usual phishing spam. Somehow they are getting the email addresses for the students. As we're a student service provider we're also seeing them."
I've got a few of these emails and they're not to any address that has been near student finance. They go to an address I used with an online retailer once that now receives a lot of spam.
I use a new email address for each company I deal with so I can see where the spam comes from.
Have all financial institutions make it abundantly clear that they will NEVER, EVER contact their clients by e-mail; and that any e-mail communication purporting to be from them is false.
Have them what?
The financial institutions I deal with have only just started to learn about secure logins, and still send me emails with links in them. Now they want my mobile phone number, which they regard as a secure back-channel for sending a code to confirm transactions. I don't think you will ever get these people to agree to ALL do any sensible thing.
Anyway, would it be sensible for them to eschew email entirely? Sign up for an Amazon credit card, and you won't get paper bills. It's not an option; a condition of the service is that it is all online. So without an email from them, you won't know that they are awaiting payment (unless you are very organised). One of my banks doesn't send paper statements, again a condition of service. They email me every month to remind me that a statement is ready for download.
Stop hotlinking graphics
I find it amazing how many financial phishing emails we stop that have their embedded graphics and logos loaded directly from the organisation's web site. The simple expedient of preventing hotlinking would help.
Also government departments are guilty of doing this too.
This isn't the first time...
...that phishers have attacked the student loan company, as I (not a student) have received random emails of this sort for some time. It's time the student loan company set up the standard 'phishing' mailbox to receive reports of these attacks, as the only mailbox that I could find on their web site was 'email@example.com'.
Should be a tipoff
When the phishing operation is called "Sadly".