My daughter is in her first year at uni and it seems that her student loan payment of approx £1500 has been hacked and sent to a fraudster's account.
Apparently she had a call a month or so ago which came up as "Student Loans Company" on her iPhone. The caller knew her name and where she was studying and asked her to verify her bank account details and email address.
She is going to contact the Student Loans Company people tomorrow to report it so I am hoping that something can be done.
Posting this as a warning to others with kids at university and in the hope that, if anyone has experienced similar, they can share what happened and the outcome.
My daughter is quite upset and feeling a bit foolish at having been scammed. She has struggled a bit to adapt to student life so this is the last thing she needed.
Thanks for the heads up, but struggling to see how the details provided have enabled a hack / created a liability for her. My daughter's in y3 now and the hoops and hurdles we go through every year (you have to reapply each year) seem pretty robust. Just having her name and where she studies and bank account shouldn't allow someone to access her SL account and change her bank details to send it somewhere else?
Call to SLC in the morning should sort it I'd say.
Just googled: https://www.gov.uk/guidance/updating-your-personal-details
Bank details
You can change your bank details by signing into your online account.
A few points to remember:
We can only make payments to a UK bank or building society account.
The account must be in your own name – we cannot make payments into third party accounts under any circumstance.
If you are expecting a payment - we require 4 working days’ notice to change your bank details so that the payment is made to your new bank account. Any changes made within this time will not take effect before the payment is due.
Yes, I'm not sure we have the full story yet but a quick google turns up various articles on how students are targeted by scammers.
I will update after she has spoken to the SLC.
but struggling to see how the details provided have enabled a hack / created a liability for her
Quite a while ago now (early 90's), I knew someone who was scammed who was a "willing" participant in trying to scam the bank and not realising they were the real victim until it was too late (something to do with an emergency clearance of a check, that would get cleared initially but get rejected after the final clearance completed, I can't remember the exact details) but students were a big target as they were usually in need of some money and often not world wise enough to see the obvious red flags.
Actually thinking about it I can remember a bit more detail, the scammer basically convinced the victim that if they cleared an emergency check that would later get rejected the bank would have to take the hit, so if they pulled the money out and split it before the final rejection, everyone won apart from the bank. Obviously the bank just debited his account after the rejection and he was too scared to admit his involvement in the scam to the authorities and had to take the hit which screwed his life up financially.
Now that exact scam no doubt wouldn't work anymore, but if someone hasn't adapted well to student life, and are a bit broke, they would be an ideal target for a scam where they think they are getting one over on a faceless organisation like student loans while they are the real victim.
Yes, I’m not sure we have the full story yet but a quick google turns up various articles on how students are targeted by scammers.
Yep, but AFAICT they all rely on some sort of input of confidential data like passwords - sending you to fake sites and so on. I'm pretty sure someone can't phone up with basic info like name, email, DoB, current bank details, and then SLC just transferring the bank details to a new one (in someone else's name, definitely not). If SLC have done that then I'd say you're totally in the clear, it would be a clear breach at their end.
If you've given additional login type details direct to the caller or via a site, then IDK what their liability is - they're not FCA but they "do endeavour to act within the spirit and ethos of the FCA in everything we do" so I'd hope they can
Plus it says any changes of bank details are confirmed by email/text, did she get one of those? That's the trigger to put a stop on it.
Good luck! Does bank of Dad have enough to underwrite the missing payment for now, because other bills and payments out will still need to be made?
She said that they asked her to confirm sort code, account number and email address which should have set off alarm bells. She did not mention password and I am hoping that she would not be that daft.
She did get a text shortly after this but thought that it related to this "verification" of her account. Extremely naive I know.
This loan is used to partially cover her halls accommodation for the term. That does not have to be paid for a few weeks, so no pressing money crisis.
She has said she will cover the loss from money she has saved from her part time/Summer job but if she is liable I will probably cover it - goodbye planned new hardtail 🙁
She worked so hard to get onto the university course and is working very hard now she is there so this is not great but it's not the end of the world.
She worked so hard to get onto the university course and is working very hard now she is there so this is not great but it’s not the end of the world.
Fair play to her for putting in the work and applying herself well. Guess this is also a big learning experience for her and an important lesson that we all unfortunately usually learn the hard way. As you said, financial hit, but not a biggie in the scale of things. Hardtails are overrated anyway 🙂
She said that they asked her to confirm sort code, account number and email address which should have set off alarm bells. She did not mention password and I am hoping that she would not be that daft.
If SLC has allowed someone to change bank details on that level of detail I'd be getting her to kick off at them as that could be anyone. Those details should not be enough to verify an account.
She did get a text shortly after this but thought that it related to this “verification” of her account. Extremely naive I know.
Even so - if 1/ is true then the error is with SLC, you've not corrected it but I'd argue liability is still theirs.
Can she log on to her account and see the bank account details? Or do the scammers go in after and reset them (would be another text, I guess)
Also - and a bugbear of mine and feel free to tell me to butt out - part of uni is making 'bad' decisions or getting into a bit of difficulty, and sorting out the consequences / clearing up after.. My advice is try not to fly in and fix it - advise her of the right course of action, and as you see appropriate be the safety net under her if she's lost the money, but the experience and the clear up of having to make all the calls to SLC and sort it out will stand her in far better stead than if Dad sorts it all out. Of course, you know your kids better than me and some may need to actively parent this sort of thing more than others, but one day she'll have to do this for herself, might as well learn now.
Now that exact scam no doubt wouldn’t work anymore, but if someone hasn’t adapted well to student life, and are a bit broke, they would be an ideal target for a scam where they think they are getting one over on a faceless organisation like student loans while they are the real victim.
A variation on it is still very common, especially on social media.
The scammers use the "victim's" account as the recipient for some other fraud (e.g. they also have some naive pensioner on the phone about to transfer their life savings). The person receives the money, and transfers all but a percentage onto the fraudster via amazon cards, bitcoin, cash, or whatever.
Variations where the scammer sends them small amounts 'free' first to build trust etc.
The eventual outcome is the bank reverses the fraudulent transactions and the "victim" gets charged with fraud / handling stolen goods / money laundering or whatever the specifics are.
Thanks for the responses. theotherjonv - she has managed to get into the account, set the account details to hers and changed to a new, complex password.
I get what you say about learning experiences and she is owning it and has made the calls to the Student Loans Company who are now investigating the incident. They want her to do malware/virus scans on her devices so I will help her with that and provide support whilst she resolves it.
I will update on progress and the outcome as I guess many on here have offspring either at university or soon to go so this may be of interest to them.
I will update on progress and the outcome as I guess many on here have offspring either at university or soon to go so this may be of interest to them.
Thanks for this, it is. I have a vulnerable daughter in first year Uni and this is just the sort of thing that might happen to her.
SLC and SAAS are an absolute shambles in our experience this year.
While claiming multi factor and caution over security they have messed up my son's bank details three times - with one correct payment in the middle! At the same time they have basically denied any responsibility, each organisation blaming the other, but also let slip that they have had some issues with security this year....
Do check with your daughter - how is her online profile at all? 'Beth Smith, Studying History at Cambridge' and a phone number is all the data they need.....
‘Beth Smith, Studying History at Cambridge’ and a phone number is all the data they need…..
All easily acquired in the haze of freshers week.
‘Beth Smith, Studying History at Cambridge’ and a phone number is all the data they need…..
You can't get into SFE (Student Finance England, part of SLC) with that - I just tried. I have an account - needed for parents b/c you have to input household income etc., so SFE can calculate how much maintenance the student gets from the Gov and how much the parents are supposed to put in.
I had to put in email address, password (12 character, upper and lower case, number and special character) and answer a secret question to get in. Would be better if they texted a code or whatever to a saved number so you have to be the holder of the phone as well but still far from easy.
As earlier, if SFE/SLC have changed bank details on the basis of a phone call with "Beth Smith, Studying History at Cambridge’ and a phone number" then they're clearly at fault. If I'm honest, it feels like she must have been phished / smished to provide more info somehow. Poor girl, they're bloody good at it.
One of the 21st century problems is there is so much info out there in Internet land that the yoof of today freely post, without careful thinking. Done innocently, but readily accessed by the nefarious.
Birthday readily found or worked out for many on Faceache etc along with where studying and what, interests, pets' names (which are often the basis of the password to accounts) etc etc etc.
They're half way there before calling. And they only have to get lucky 1 in 1000 times to make money. Bastardooos.
Every time I've spoken to SFE/SFW/SAAS on behalf of students I have always needed the student's Name, DoB and CRN (Customer Reference Number) at a very minimum, and they will often ask to speak to student if they are there.
SFW won't pass on any information without the student being available to provide characters from their password unless they have set up a specific password for me to use.
Nothing useful to add but just remind her that they're bastards and bloody good at what they do and they'll try this a thousand times a day and you only need to be tripped up once. Hope you get a good outcome.
So spoke to my daughter last night. She phoned the SLC yesterday morning to report it. They were helpful and sympathetic and went through what seemed to be a well scripted process to collect information although oddly they did not ask too much about the suspect call she received.
They will investigate and, depending on what they find, there is a possibility of being reimbursed. They also gave her a list of actions to complete - change bank passwords, scan devices for malware etc.
The phishing call happened back in October just after she went to university and she is adamant that all she told them was the bank account details and email address. She also said that there was no 2FA option offered. I believe her but am surprised that was enough to hack the account.
There was no mention of using MFA from the SLC guy. I am very surprised they don't do something even if it was only sending a code via text or email. Most universities seem to use Office365 so students are used to using MFA to access that.
I will post any updates I get about the investigation and (hopefully) any refund.
One of the 21st century problems is there is so much info out there in Internet land that the yoof of today freely post, without careful thinking. Done innocently, but readily accessed by the nefarious.
I work in financial services; can we stop with the "yoof of today" bollox, folk of all ages put info online and folk of all ages are scammed.
If SFE don't offer an option for MFA, in this day and age, they should be liable for any consequences of fraud.
One of the 21st century problems is there is so much info out there in Internet land that the yoof of today freely post, without careful thinking. Done innocently, but readily accessed by the nefarious.
It's not limited to the "yoof" and you likely know that, you are just one of those people that blame people for being young.
- 2.9% of people between the ages of 13-17 use Facebook.
- 18.1% of people between the ages of 18-24 use Facebook.
- 25.7% of people between the ages of 25-34 use Facebook.
- 18.1% of people between the ages of 35-44 use Facebook.
- 13.6% of people between the ages of 45-54 use Facebook.
- 11% of people between the ages of 55-64 use Facebook.
- 10.6% of people that are 65+ years old use Facebook.
@hexhamstu I'm not sure those stats back up your argument as well as you think. Most folk on here are in a bracket with only people older than them or under 18 having lower participation.
There was no mention of using MFA from the SLC guy. I am very surprised they don’t do something even if it was only sending a code via text or email.
I get a six digit check number via text even when I’m just buying a couple of cheap gig tickets, I’m surprised it isn’t right across the board.
Update! The Student Loan Company paid the loan money into my daughter's bank account on Wednesday. No communication from them about the results of their investigation or advice on how to increase security.
A member of the student support staff did tell her that there had been a few similar incidents in the past 12 months and that the ones that she was aware of had been reimbursed as the money had been redirected to an account with a totally different name associated with it.
So overall a good outcome but SLC really need to improve the security procedures around their services.
Thanks for all the advice offered!
but SLC really need to improve the security procedures around their services.
In all fairness, giving bank details to someone via a text or phone call is not the SLC's responsibility.
Clearly the scammers have access to some of her details previously, which will be the fault of the college or even SLC, but personal security and giving out information is down to the individual.
But glad it all worked out.
Oh man, hope she’s okay.
In all fairness, giving bank details to someone via a text or phone call is not the SLC's responsibility.
Surely that information is printed on every cheque, so it can't be sufficient to support a scam ?
Anyway - happy to hear that the situation was successfully resolved, and hopefully a good education albeit at the cost of some stomach lining
Surely that information is printed on every cheque
Are cheques still a thing? I thought banks had stopped issuing chequebooks years ago?
Don't remember the last time I wrote one, or received one.
Are cheques still a thing?
Last year the DVLA insisted I send them one while renewing my driving licence.
I got one from premium bonds a couple of months ago. First time in ages (cheque or premium bonds) so I was very impressed to find my banking app allowed me to pay it in by simply scanning it.
Update! The Student Loan Company paid the loan money into my daughter's bank account on Wednesday. No communication from them about the results of their investigation or advice on how to increase security.
A member of the student support staff did tell her that there had been a few similar incidents in the past 12 months and that the ones that she was aware of had been reimbursed as the money had been redirected to an account with a totally different name associated with it.
So overall a good outcome but SLC really need to improve the security procedures around their services.
Thanks for all the advice offered!
Youngest_oab is still £600ish short and has been since September. SLC have paid his loan into three different banks, managing to go from wrong account to right then back to wrong again. They never communicate until a week after a payment, and that is a letter with a statement of payment. All the delay is for anti-fraud checks, which take 40 days every time they make a mistake. SLC blame Scottish Funding folk, who blame SLC.
Complaint going in again if things aren't sorted this week.
Don't remember the last time I wrote one, or received one.
My mother sends them to her grandchildren every birthday and Christmas. MrsJ just received one from a pension company. But the point is that banks don’t treat this information as confidential so I don’t see how it can be used for a scam.
But the point is that banks don’t treat this information as confidential so I don’t see how it can be used for a scam.
Yes - this.