Story image

Scammers spoof UK university domains as part of massive fraud campaign

19 Jul 18

Action Fraud UK is warning people to be wary of any emails they receive that look like they belong to UK university email addresses.

Cybercriminals and fraudsters have been registering domains that look very similar to genuine UK web domains with the intent on scamming unsuspecting victims.

Fraudsters imitating one university’s address lead to a total victim loss of more than £350,000.

The fake domains can appear as,, and They are used to contact UK and European supply companies in order to conduct what is called European distribution fraud.

This type of fraud involves an overseas company that delivers products to the UK, but isn’t paid for the goods or shipping costs.

Action Fraud explains:

“These domains are used to contact suppliers and order high value goods such as IT equipment and pharmaceutical chemicals in the university’s name.”
“Suppliers will receive an email claiming to be from a university, requesting a quotation for goods on extended payment terms. Once the quotation has been provided, a purchase order is emailed to the supplier that is similar to a real university purchase order. The purchase order typically instructs delivery to an address, which may or may not be affiliated with the university. The items are then received by the criminals before being moved on, however no payment is received by the supplier.”

According to Action Fraud director Pauline Smith, European distribution fraud can have serious effects for businesses. She says it’s important to verify orders and check all documents for poor spelling and grammar.

She also encourages companies to report this type of fraud.

Venafi chief cybersecurity strategist Kevin Bocek adds that website spoofing is now big business.

“Last year over 14,000 certificates were used to set up phishing sites spoofing PayPal alone. This shows the power of the padlock for cybercriminals, allowing them to appear trusted so that they can trick unsuspecting businesses out of huge sums and damage brand reputations across the internet.”

He notes that the attacks are part of a bigger problem that jeopardises the kind of trust internet users take for granted. He believes a new system of trust built on reputation is needed.

“These padlocks are supposed to signify a trusted machine identity – a digital certificate that means a website is genuine. But now cybercriminals can obtain certificates allowing them to look authentic for virtually nothing. This is a high risk, high impact threat that security teams cannot ignore anymore.”

RSA Security EMEA field CTO Rashmi Knowles warns all universities that they should warn all of their sites’ users.

“Unfortunately it is often very hard for an organisation to know if their site has been spoofed until someone has already become a victim, as is the case here with businesses being defrauded of hundreds of thousands of pounds.”

Action Fraud recommends the following actions to protect your business from distribution fraud:

  • Ensure that you verify and corroborate all order requests from new customers. Use telephone numbers or email addresses found on the retailers website – do not use the details given on the suspicious email for verification purposes.
  • If the order request is from a new contact at an organisation that’s an existing customer, verify the request through an established contact to make sure it is legitimate.
  • Check any documents for poor spelling and grammar – this is often a sign that fraudsters are at work. 
  • Every Report Matters – if you have been a victim of fraud or cyber crime, report it to Action Fraud online or by calling 0300 123 2040.
Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.
Google Cloud, Palo Alto Networks extend partnership
Google Cloud and Palo Alto Networks have extended their partnership to include more security features and customer support for all major public clouds.