From education to employment

Student Loans Company hit by 5.5 million email attacks last year

Huge number of malware, phishing and spam attacks designed to steal confidential financial data of students

The Student Loans Company (SLC), the non-departmental public body in the United Kingdom that provides student loans, was hit by 5,445,273 email attacks in 2019 according to official figures analysed by Griffin Law.  

The data, which was obtained via the Freedom of Information Act (FOI), provides an insight into the types of cyber attacks that Student Loans Company successfully defended itself against last year. The SCL is reported to provide funding for 1.34 million students in higher education in 2018/19 up from 1.33 million students in 2017/18.

Out of the 5,445,273 email attacks recorded last year, the Student Loans Company’s detection software blocked 10,125 malware attempts and 19,188 phishing attacks. It was the spam protection operating system that quarantined the highest number of emails, with 5,415,960 different attack efforts.

Phishing is the fraudulent attempt to obtain sensitive information like usernames, passwords or credit card details by pretending to be a trustworthy organisation over emails or instant messaging. Worryingly, the email phishing scam industry is growing at a rapid rate in the UK, with hackers finding new ways to exploit vulnerabilities with innovation.

In 2018, phishing scammers successfully stole £100,000 of student loans form University students, underlining the rising challenge posed by sophisticated scam emails.

The Student Loans Company is a non-departmental public body company in the United Kingdom that provides loans to students. It is owned by the UK Government’s Department for Education, the Scottish Government, the Welsh Government and the Northern Ireland Executive.

A spokesperson from The Student Loans Company confirmed that the all of the listed attacks were successfully blocked and quarantined.

Cyber security expert Tim Sadler, CEO at Tessian comments:

“With so much valuable information on the millions of students it funds, it’s little wonder why the SLC is a prime target for email attacks. Phishing attacks are particularly effective because they are relatively easy and inexpensive to execute – it just takes one employee fall for the scam and the attacker can steal money, harvest credentials or install malware onto devices.

“In the case of SLC, it’s likely that hackers will impersonate a trusted brand or individual to lure individuals to fake websites in order to steal their login credentials. With these credentials, attackers can then access an individual’s account and send emails on their behalf. Posing as a SLC employee, an attacker can cause further damage by targeting students with malicious messages to request their valuable personal or financial information. 

“With so much at stake, staff need to be aware of the threats and the cues that signal a malicious email. However, businesses cannot expect every employee to spot every phishing email 100% of the time. Attacks are only becoming more sophisticated and the threat is constantly evolving. Businesses therefore need to take the burden off employees and instead use technology to protect their people, detecting phishing attacks and alerting employees to a threat in real time.”

Donal Blaney, MD, Griffin Law adds:

“Young people who grew up with their lives online may believe they will recognise a phishing attempt. Sadly, the criminals are growing smarter and smarter. Constant vigilance is necessary for all online dealings. Suspect everything and everyone who asks you to provide personal information through an email or text. No reputable organisation will ask for your private account details or tell you to click a link or supply personal data or passwords.”

Official FOI response

Please refer to the table below for the requested information for 1st January to 31st December 2019:  


Number of emails blocked or quarantined in 2019

Malware protection  


Spam protection  


Phishing protection  





Related Articles