Two Men Jailed For £1.5m Student Phishing Scams

Matthew Broersma,
Phishing emails landscape

Two men from Manchester and London sentenced for scams that fleeced students

A Manchester man has been jailed for six years and six months for his part in a phishing scam that stole more than £1.5m from hundreds of UK students’ bank accounts.

Damola Clement Olatunji received the sentence at Southward Crown Court on Friday following an investigation by the Metropolitan Police Central e-Crime Unit (PCeU). The sentence followed that of Londoner Amos Njoroge Mwangi, who was jailed for three years and three months at an 11 June hearing, according to the Metropolitan Police.

Phishing tackle!

While police said there is no evidence linking the two men, both were found to be responsible for similar email-based scams against students.

Olatunji’s  scam involved emails sent to students inviting them to update details on their student loan accounts via a link to a fraudulent website, which captured bank account log-in details. The fraudsters then extracted sums ranging from £1,000 to £5,000 at a time from the targeted accounts.

“Mwangi and Olatunji were determined fraudsters who systematically targeted British students in order to steal large amounts of money,” said Detective Inspector Jason Tunn of the PCeU, in a statement.

Both Olatunji and Mwangi were arrested in raids in Manchester and London on 7 December, 2011, when police siezed computers and storage media belonging to both men.

Forensic evidence

Mwangi’s computers were found to contain applications for building phishing emails and registering fake websites, while Olatunji’s systems were found to contain more than 1,300 student loan account log-in details.

Police said they were able to link Olatunji to £304,000 actual fraud and £162,000 attempted fraud, and also found evidence linking him to separate fraud against Halifax customers valued at £75,000.

Police were alerted to the scam in August of 2011 and worked with the Student Loans Company, banks and internet service providers during the investigation.

Five other people arrested as part of the investigation remain on bail – a 25-year-old woman and two men aged 38 and 35 arrested in Greater Manchester, and a 49-year-old woman and a 31-year-old man detained in Stratford, north-east London.

Anti-phishing schemes

Google, Facebook, Microsoft, PayPal and 11 other companies in February announced a proposed standard for email sending and receiving in an attempt to stamp out phishing. DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a system that will aid communication between companies and consumers by creating a standardised way of authenticating emails.

The other companies working in the DMARC group are AOL, Yahoo, Bank of America, Fidelity, LinkedIn, American Greetings and email security providers Agari, Cloudmark, eCert, ReturnPath and Trusted Domain Project.

Phishing persists as a major problem, with recent data from the OTA suggesting that hundreds of thousands of accounts are hijacked daily.

Is Microsoft Office your friend? Take our quiz.