- Scammers breached St. Lawrence College’s computer systems to gain access to students’ personal data, primarily email addresses.
- The scammers then used the email addresses to send phishing emails to parents offering fee discounts for the spring and summer terms, provided the funds are paid in advance.
St. Lawrence College’s computer systems were breached by attackers who gained access to students’ personal data, including email addresses. The scammers then used the email addresses to send phishing emails and tricked students’ parents into paying cash.
The phishing emails offered parents a discount on fees for the spring and summer terms and instructed them to pay the funds into non-school accounts or by using cryptocurrency.
Two parents fell for the trick
The phishing scam worked, although only two of the contacted parents, both parents of students from abroad, fell for the trick and actually paid money to the scammers. The incident took place on December 27, 2018, when the school was officially closed for Christmas. The school became aware of the incident on the very next day, December 28, 2018.
The college has confirmed the breach of its computer systems and that two parents of students from abroad have paid cash to the scammers.
“On 28th December we became aware of a potential fraud whereby a fake email account was being used to contact parents offering an early pay discount, with the funds to be placed into non-school accounts or cryptocurrency,” Antony Spencer, Principal of St. Lawrence College said.
“Despite the fact that the fraudsters had deliberately targeted the school at a time it was officially closed for Christmas, prompt action was taken and all parents were alerted to the risk, and the Police, Action Fraud and the banks’ fraud teams were notified,” Principal Spencer added.
The college has notified the Information Commissioner's Office (ICO) of the incident, and the parents who fell for the phishing scam have contacted their banks to recover the paid amount.
“The fake emails were the result of a quite sophisticated hack, which gave the hackers access to some personal data, primarily email addresses. Parents have been assured that additional cybersecurity measures have since been implemented to further improve the defenses against such threats,” Spencer said.