SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Scammers spoof UK university domains as part of massive fraud campaign
Thu, 19th Jul 2018

Action Fraud UK is warning people to be wary of any emails they receive that look like they belong to UK university email addresses.

Cybercriminals and fraudsters have been registering domains that look very similar to genuine UK university web domains with the intent of scamming unsuspecting victims.

Fraudsters imitating one university's address led to a total victim loss of more than £350,000.

The fake domains can appear as,, and They are used to contact UK and European supply companies in order to conduct what is called European distribution fraud.

This type of fraud involves an overseas company that delivers products to the UK, but isn't paid for the goods or shipping costs.

Action Fraud explains:

“These domains are used to contact suppliers and order high value goods such as IT equipment and pharmaceutical chemicals in the university's name.”

“Suppliers will receive an email claiming to be from a university, requesting a quotation for goods on extended payment terms. Once the quotation has been provided, a purchase order is emailed to the supplier that is similar to a real university purchase order. The purchase order typically instructs delivery to an address, which may or may not be affiliated with the university. The items are then received by the criminals before being moved on, however no payment is received by the supplier.”

According to Action Fraud director Pauline Smith, European distribution fraud can have serious effects for businesses. She says it's important to verify orders and check all documents for poor spelling and grammar.

She also encourages companies to report this type of fraud.

Venafi chief cybersecurity strategist Kevin Bocek adds that website spoofing is now big business.

“Last year over 14,000 certificates were used to set up phishing sites spoofing PayPal alone. This shows the power of the padlock for cybercriminals, allowing them to appear trusted so that they can trick unsuspecting businesses out of huge sums and damage brand reputations across the internet.”

He notes that the attacks are part of a bigger problem that jeopardises the kind of trust internet users take for granted. He believes a new system of trust built on reputation is needed.

“These padlocks are supposed to signify a trusted machine identity – a digital certificate that means a website is genuine. But now cybercriminals can obtain certificates allowing them to look authentic for virtually nothing. This is a high risk, high impact threat that security teams cannot ignore anymore.”

RSA Security EMEA field CTO Rashmi Knowles says all universities should warn all of their sites' users.

“Unfortunately it is often very hard for an organisation to know if their site has been spoofed until someone has already become a victim, as is the case here with businesses being defrauded of hundreds of thousands of pounds.”

Action Fraud recommends the following actions to protect your business from distribution fraud:

  • Ensure that you verify and corroborate all order requests from new customers. Use telephone numbers or email addresses found on the retailer's website – do not use the details given on the suspicious email for verification purposes.
  • If the order request is from a new contact at an organisation that's an existing customer, verify the request through an established contact to make sure it is legitimate.
  • Check any documents for poor spelling and grammar – this is often a sign that fraudsters are at work. 
  • Every Report Matters – if you have been a victim of fraud or cyber crime, report it to Action Fraud online or by calling 0300 123 2040.
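
One way a supplier's order desk could support the first recommendation above, as an added example that is not from Action Fraud or the original article: flag quotation requests whose sender domain closely resembles, but does not match, a customer domain already verified out of band. The domain names, function names and the 0.8 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher

# Constructed sample data: customer domains already confirmed by phone
# using contact details from the organisation's own website.
VERIFIED_DOMAINS = {"example-university.ac.uk", "northfield.ac.uk"}


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address or From value."""
    return address.rsplit("@", 1)[-1].strip().strip(">").lower().rstrip(".")


def _skeleton(domain: str) -> str:
    """Drop separators so 'uni-ac-uk.com' and 'uni.ac.uk' compare as near-equal."""
    return domain.replace("-", "").replace(".", "")


def classify(address, verified=VERIFIED_DOMAINS, threshold=0.8):
    """Return (status, closest_verified_domain).

    status is 'verified' for an exact match, 'lookalike' for a near match
    that should be treated as suspicious, or 'unknown' for a new contact.
    """
    domain = sender_domain(address)
    if domain in verified:
        return "verified", domain

    best, score = None, 0.0
    for good in sorted(verified):
        # Verified name embedded in a different registration,
        # e.g. the real name followed by an extra suffix.
        if _skeleton(good) in _skeleton(domain):
            return "lookalike", good
        ratio = SequenceMatcher(None, _skeleton(domain), _skeleton(good)).ratio()
        if ratio > score:
            best, score = good, ratio

    if score >= threshold:
        return "lookalike", best
    return "unknown", None


if __name__ == "__main__":
    for sample in ("purchasing@example-univeristy.ac.uk",   # constructed typo domain
                   "orders@example-university-ac-uk.com"):  # constructed suffix trick
        print(sample, classify(sample))
```

An exact domain match does not authenticate the sender, so the telephone verification steps in the list above still apply to "verified" and "unknown" results alike.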