Students from universities across the UK have been and continue to be affected by an increase in fake tax rebate emails. Over the past two weeks, thousands of students have received emails from users with ‘.ac.uk’ email addresses, trying to get students to enter their bank details on phishing sites.
HM Revenue and Customs (HMRC) has publicly stated that it would never use email, SMS or voicemail for genuine refunds.
HMRC has had to request that 7,500 phishing sites be deactivated between April and September this year. This figure is up from 5,200 for the same period in 2017.
HMRC has also said that this is the largest scam seen specifically on students, as thousands of fraud reports have been received just in the last few weeks.
Mel Stride, the financial secretary to the Treasury, has said: “HMRC will never inform you about tax refunds by email, text or voicemail. If you receive one of these messages it is a scam. Do not click on any links in these messages, and forward them to HMRC’s phishing email address [email@example.com]”
“Although HMRC is cracking down hard on internet scams, criminals will stop at nothing to steal personal information. I’d encourage all students to become phishing aware – it could save you a lot of money.”, she added.
Pauline Smith, the director of Action Fraud, has urged students to remain cautious and aware of emails regarding tax and student loans: “Devious fraudsters will try every trick in the book to convince victims to hand over their personal information, often with devastating consequences. It is vital that students spot the signs of fraudulent emails to avoid falling victim by following HMRC’s advice.
In September 2017 a similar scam directed at students sent emails claiming to be from the student loan provider, the SLC.
An email circulated amongst university students directing them to a page to update their student loan account details, where their personal details could be harvested.
An email within Sussex was also circulated in January 2017, appearing to come from staff within the University offering a grant payment, which linked students to websites asking them for their bank details.
In terms of the current phishing email circulating, Sussex Direct has outlined how to identify phishing emails, and guides on being more aware of email scams. This included an instruction to beware of an email which conveys a sense of urgency: “Phishing messages often try to encourage you to make hasty decisions by making threats or creating a sense of worry. Messages sent on a Sunday morning with “24 HOURS TO RESPOND” in the message mean that you may think you only have a couple of hours to respond when you arrive on Monday morning.”
The guide also advises against clicking on ‘unsubscribe’ links at the bottom of emails, as this serves to confirm your email address is valid.
The phishing email has been reported to the University’s IT services. They advise to delete any email which asks for financial support in obtaining iTunes Gifts cards, and report malicious-looking emails to the IT Service Desk at firstname.lastname@example.org.
While many institutions across the UK have been affected, a number of universities have been asked to remain aware as they are at particularly high risk. This list includes Sussex, Bristol, KCL and UCL.