Student scammers and how to stop them

“Students have always served as a favourite target for phishing scams – perhaps due to the combination of just setting out into the world while armed with a sizeable student loan in their bank accounts”

The rise in sophisticated cybercrime means a growing number of students are falling victim to malicious email scams, writes Agari field CTO, John Wilson. But are educational institutions doing all they can to protect their students from becoming targets? 

The beginning of a new academic year means millions of students are just starting their journey into higher education. It’s a time that should represent unlimited horizons and discovery for students and educators alike. Unfortunately, thanks to the growing number of cyber criminals around the world, the new academic year also means a fresh crop of unwary victims and the opportunity for a bumper payday in stolen funds.

Email phishing scams – where the criminal tricks their victim into giving up personal information through a fraudulent email – are a growing problem that even sophisticated businesses are struggling to defend against. These emails will usually impersonate a trusted identity, such as a well-known brand, public authority or even a personal contact, to trick their target into opening them.

One of the most popular tricks is to send the victim a link to a web form asking them to provide their personal and financial details under the guise of updating or verifying an account, or perhaps to receive a refund or prize. The most sophisticated phishing attacks are visually identical to real emails and websites and leave the victim with little clue they have been duped – until their bank account takes a hit.

Students have always served as a favourite target for these scams – perhaps because they are just setting out into the world while also holding a sizeable student loan in their bank accounts. First year students are particularly vulnerable to attacks impersonating their university or loan authority, as they will still be unfamiliar with how those bodies operate and less likely to spot warning signs. Because so many students are starting university at the same time, cyber criminals can send out broad, untargeted phishing campaigns to huge databases and be confident they will reach a large number of victims.

One popular tactic I’ve encountered is for the scammers to impersonate the bursar’s office and send an email to students on where to wire their tuition or housing fees. If they hit enough .edu and .ac.uk addresses they are likely to fool several victims before the university discovers the scam and tries to warn its students.

Universities and loan authorities should both be taking steps to help to protect their students from fraudsters impersonating their trusted identities. Providing guidance on ways to spot fake emails, such as the advice recently issued by Action Fraud, is an easy step that all organisations can take.

However, they should also be aware that more seasoned criminals will take pains to ensure their emails are indistinguishable from the real thing, including spoofing the email address of the university or loans body. These highly sophisticated emails can fool even the most cautious students. More significantly, they are able to fool the signature-based email security filters commonly used to block malicious and spam emails.

Universities and loan organisations can help to tackle these advanced email scams by preventing fraudsters from spoofing their email domains. DMARC is an open email authentication standard: the domain owner publishes a policy in DNS that tells receiving mail servers to reject messages which claim to come from the domain but fail authentication (aligned SPF or DKIM), so spoofed messages are never delivered. The UK government made it mandatory for all .gov email domains to adopt the standard at the end of last year, and test cases have delivered powerful results so far: HMRC was able to block more than 300 million malicious emails from reaching targets using its email domain in 2016 alone.
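To make the DMARC mechanism concrete, here is an added example (not code from the article or from Agari) that parses a DMARC record of the kind a university might publish and works out what a receiving mail server would do with a message. The domain example.edu, the record contents and the authentication results are all constructed for illustration. The organisational-domain check is simplified to the last two DNS labels (real receivers use the Public Suffix List, so a domain under .ac.uk would need the real thing), and the optional pct and sp tags are left out.

```python
"""Toy DMARC policy evaluation: how a 'p=reject' record stops a spoofed
bursar's-office email while letting the university's real mail through.
Added example; simplified relative to RFC 7489."""
from dataclasses import dataclass

# Constructed record, as if published at _dmarc.example.edu (hypothetical domain).
# 'p=reject' is the setting that actually blocks spoofed mail; 'rua' is where
# receivers send aggregate reports so the university can see who is spoofing it.
SAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.edu; adkim=r; aspf=r"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs and sanity-check it."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record needs a valid required 'p' tag")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain: the last two labels.
    Real implementations consult the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain in the From: header the student actually sees
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # envelope-sender domain SPF was evaluated against
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= of the DKIM signature, "" if unsigned


def dmarc_disposition(record: str, r: AuthResults) -> str:
    """Return 'pass' if the message is authenticated and aligned,
    otherwise the policy the domain owner requested (none/quarantine/reject)."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(
        r.from_domain, r.spf_domain, tags.get("aspf", "r"))
    dkim_ok = (r.dkim_result == "pass" and bool(r.dkim_domain)
               and aligned(r.from_domain, r.dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


if __name__ == "__main__":
    # Constructed cases: genuine bulk mail from the university, and a spoof
    # whose From: claims example.edu but which was sent via the scammer's own mailer.
    genuine = AuthResults("example.edu", "pass", "bulk.example.edu", "pass", "example.edu")
    spoof = AuthResults("example.edu", "pass", "attacker-mailer.example", "none", "")
    print("genuine:", dmarc_disposition(SAMPLE_RECORD, genuine))   # pass
    print("spoof:  ", dmarc_disposition(SAMPLE_RECORD, spoof))     # reject
```

Note that the spoofed message passes SPF for the scammer's own sending domain; it is the alignment check against the visible From: domain that exposes it. A record with p=none reports the spoofing but delivers the mail, which is why organisations that adopt DMARC usually start in monitoring mode and move to quarantine and then reject once their legitimate senders are all authenticating.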

Agari urges all organisations to begin adopting DMARC and other email security measures to deny criminals the ability to use their trusted brand as a weapon against students.