Date: Monday 19 November 2018
There have been numerous reports in the media this week of UK university students being subject to an influx of emails offering fake tax refunds. These emails are designed to phish for the recipient’s financial and personal information and have been found to use legitimate-looking email addresses (i.e. ones ending in .ac.uk).
HMRC are encouraging universities to raise awareness of this fraudulent activity and have stated that emails, texts or voicemails will never be used to issue such refunds.
Ravensbourne strongly advises that any UK domestic students who believe that they have been targeted by a financial phishing email should not click on any links and should report cases to HMRC directly by forwarding the emails to firstname.lastname@example.org or text to 60599.
Anyone who has lost money to such a phishing campaign should immediately contact Action Fraud, the details for which are provided on the Action Fraud website.
International students and deposits
Please be aware that Ravensbourne only requires the payment of deposits at the unconditional offer holder stage when international applicants are requesting a Confirmation of Acceptance for Studies (CAS).
You will never be asked to pay any money to secure a place at Ravensbourne in any other circumstances.
What is phishing?
Phishing is a means of 'cyber attack' using social engineering that typically takes the form of fraudulent emails designed to acquire sensitive or valuable information.
Phishing campaigns can often be customised to target specific individuals using official-looking information such as company logos and brand names. Such attacks are commonly referred to as 'Spear Phishing'.
What is the intention of phishing emails?
Phishing attacks typically engage the user through use of a message intended to solicit a specific response via an emotion or desire.
Common examples include:
- “Click Here to win a prize” (greed, excitement)
- “Click here to review your purchase” (confusion, curiosity)
- “There is an issue with your account” (concern, sense of urgency).
The primary goal of phishing emails is to trick the target into disclosing sensitive information.
This might include one or more of the following:
- Username and password information
- Financial information such as bank and credit card details
- National Insurance, Social Security or passport numbers
- Common security-related questions, like your mother’s maiden name, schools attended or date of birth.
Many people still use the same email address and passwords for many of their online accounts. If a fraudster steals this information, then they have the keys to your online identity. Always try to use different information and passwords when signing up to different online services.
How do I identify phishing emails?
There are generally some easy ways of identifying a fraudulent phishing email:
- The email will commonly be impersonal and not include your name. It will often start with the phrase 'Hello' or 'Dear Student'.
- The message content will generally be poorly written, frequently demonstrating bad grammar and typographic errors.
- The message may portray a sense of urgency in an attempt to force the recipient into an impulsive action.
- The email may provide payment instructions or details for a financial institution not used by Ravensbourne.
- The email may not be signed by an individual, instead using a generic name such as 'finance team' or 'admissions department'.
- The email may contain hyperlinks to an external website that is not associated with Ravensbourne.
- It is possible to 'spoof' the name associated with the email account. While the email may appear at first glance to come from a member of Ravensbourne staff, the sender (From) address will not display an official @rave.ac.uk email address. For example, the sender email address might display @ravc.ac.uk, @ravesbourne.co.uk, @ravensbournes.co.uk or some derivative.
Remember, if something written in an email seems too good to be true, then it probably is.
What do I do if I receive a phishing email?
The following actions should be taken if you receive, or are made aware of, a phishing email:
- Do not reply directly to any emails that you are suspicious of.
- Do not click on any links within the email. If you are using a computer, hover your mouse over any links in the body of the email. If the link address doesn't look like an official site address or is different to the text description, don’t click on it.
- Do not open any email attachments that you are unsure of. These may contain viruses or other malicious software designed to steal your personal information.
- If the email is impersonating Ravensbourne staff or the wider business, contact your manager/course leader in the first instance. While it may seem beneficial to forward these emails to other colleagues or teams, this may serve only to increase the likelihood of someone inadvertently disclosing information to the fraudsters.
- Most email services include a means of reporting suspected phishing emails. In Google Mail, for example, this option is available using the drop-down arrow next to the 'reply' button.
- If you have identified a suspected phishing email, delete it.
It might seem like a good idea to respond to the email to let the fraudsters know that you are on to them. Do not! This only serves to confirm that your email address is real.
What do I do if I believe that I have responded to a phishing email?
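The sender-address check and the link-hover check described in the two sections above can be expressed as detection logic. This is an added example, not Ravensbourne's own tooling; the function names, the 0.75 similarity threshold and the sample message are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OFFICIAL = "rave.ac.uk"                 # official sender domain named in the advisory
REFERENCE = ("rave", "ravensbourne")    # labels a lookalike domain imitates

def sender_verdict(from_header):
    """Judge the address itself, not the display name (which anyone can set)."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain == OFFICIAL:
        return "official"               # header match only, not proof of origin
    label = domain.split(".")[0]
    close = any(SequenceMatcher(None, label, r).ratio() >= 0.75 for r in REFERENCE)
    return "lookalike" if close else "external"

class _Anchors(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False   # links holds [href, visible text]
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"

def mismatched_links(html):
    """Yield links whose visible text shows one host while the href goes to another."""
    parser = _Anchors()
    parser.feed(html)
    for href, text in parser.links:
        shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        host = urlparse(href).hostname or ""
        if shown and host != shown.group(0) and not host.endswith("." + shown.group(0)):
            yield href, text.strip()

SAMPLE = ('From: "Ravensbourne Finance Team" <finance@ravensbournes.co.uk>\n'  # constructed
          'Content-Type: text/html\n\n<p>Dear Student, claim at '
          '<a href="http://refunds.example.net/claim">www.rave.ac.uk/refund</a></p>')

def analyse(raw):
    msg = message_from_string(raw)
    return sender_verdict(msg["From"]), list(mismatched_links(msg.get_payload()))
```

An "official" verdict only means the From header matches; as noted at the top of this page, fraudulent emails can carry legitimate-looking .ac.uk addresses, so the other indicators still apply.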
- Immediately change any passwords that might have been disclosed or compromised.
- If you have accidentally clicked on a link within a phishing email, or sent information to a recipient that you have subsequently identified as being fraudulent, contact email email@example.com
- If you have disclosed financial information, contact your bank immediately and tell them that you have been the victim of an email scam. Do not wait to contact us before doing this.
Immediately contact Action Fraud, whose contact details are available on the Action Fraud website.