Scammers imitate Student Loans Company to obtain victims’ account details

More than £100,000 has been stolen from British scholars in a devious phishing attack by attackers posing as the government-funded Student Loans Company (SLC).

A Freedom of Information (FOI) request released today revealed that £108,205 was illegally rerouted to offshore bank accounts between the beginning of the 2015 academic year and December 2017.

The request, carried out by Cyber Risk Aware, uncovered a scam that saw attackers sending fake SLC emails to recipients.

After accessing their login details, the criminals – who have not been identified – changed the credentials and rerouted the money to their banks.

There were 72 successful attacks in total, while 463 attempts were blocked by the SLC’s Counter Fraud Services (CFS).

Cyber Risk Aware CEO Stephen Burke spoke to The Daily Swig about how the attackers pulled off the scam, and how more awareness is needed to stamp out cybercrime.

How is the money being stolen from students’ accounts?

Cybercriminals are crafting a very clever phishing email that basically says it’s from the Student Loans Company.

It says something like, ‘Your account has been suspended and we need you to go to this website to enter in your details and confirm everything’.

They put in their name and passwords, and the criminals can then access their account and change the bank details so that the money is wired directly into the bank account of the cybercriminals.

What is different about this attack?

Cybercriminals have moved away from having attachments in emails. They’ve moved more towards having links in websites.

The victims might have some security software that may strip an attachment from an email, but they can’t strip a link.

It’s a great way of doing it, actually, because people are fearful of not getting the money that they need, and after going through a long and arduous loan process I’m sure that the last thing they want is any hassle.

These people then knowingly go onto a website and enter their details when they should really be saying, ‘This doesn’t make sense, I’ve been told numerous times never to enter details’.

Yet people do, and it just confirms yet again that colleges and the Student Loans Company need to do a better job at helping people to become more aware.

Is there any way to trace the attackers?

That’s extremely difficult – law enforcement is even struggling to identify what’s going on.

I know the City of London Police are aware, but we’re dealing with the highly anonymized world of cybercriminal activity where they’re using an encrypted network, such as Tor.

They’ll use that to make them look like they’re in Ukraine, for example, when they might be in North Korea.

So in order to backtrack and record where it’s coming from, it’s very difficult.

One might argue that they can track the criminals through the bank details that have been registered on the account.

But they’re all temporary bank accounts in other jurisdictions that are not that easy to gain access to.

In some cases the fraud services team was able to put a hold on the money, but in other cases it was too late.

Why were the 72 successful attempts not able to be stopped?

It’s basically one of these things that, unless you’re aware of it in advance, it kind of has to happen and then there are lessons and you’re able to update afterwards.

This is why technical defences alone don’t work – if it’s the first time you’re seeing it, you can’t stop it.

So in this case when the fraud services team noticed it happening, they updated their systems.

Why do you think students are being targeted?

Every demographic in society is being targeted. Cybercriminals are targeting people, not systems.

They’re looking for the weakest links, such as those who are lacking in awareness, and in this case it’s young people.

For younger folks they know that banks and loan companies are going to rebate money that has been lost. In a world where that happens, they’re becoming blasé.

They’re thinking, ‘It’s just a phishing email and I’ve just lost money, but the bank will reimburse me’.

So they’re desensitized to the impact.

What advice would you give to help prevent users from becoming a victim?

I think my advice would be to stop and think before you click.

If you get a message asking you to go to a website and enter any sensitive data whatsoever or wire money to a bank account – anything to do with bank accounts or usernames or passwords – do not do anything.

No legitimate organization is going to do that. If it doesn’t make sense, pick up the phone and call someone.