Go back

Quarter of REF staff tricked by fake email scam

REF submission security said to be ‘excellent’ but administrators give out passwords during phishing test

Universities will be given extra advice on how to stay safe online during the Research Excellence Framework submission process after 81 people fell for fake emails sent out by the REF team as a test.

A total of 291 emails were sent to those responsible for universities’ REF submissions during a cybersecurity exercise in November last year, which was run by the team behind the REF to test how safe the system is ahead of this year’s 27 November submissions deadline.

According to IT agency Jisc, which carried out the exercise for the REF co-ordinators, a quarter of those who received the fake phishing email clicked the suspicious link and 61 people attempted to enter passwords. While the results were deemed “average” for the sector, the REF team said they “underline the need for continued action in raising this awareness”.

The REF team confirmed they would provide extra guidance to “support and educate submission system users around these risks and further assure system security”, including more detailed information on what a real email from the REF would look like.

During the exercise in November 2019, staff at some universities alerted the REF team to the spoof email, including University College London (UCL) which used Twitter to warn other REF teams to be alert. UCL later admitted it had fallen for the fake email and said it assumed it had passed the test “with flying colours”.

In its report on the cybersecurity exercise, Jisc said the overall security for the REF submissions system was “at an excellent level” and it was an “exceptional and very rare result” for that type of security testing.

The report was published as the REF 2021 submission system was officially launched on 17 February, allowing universities to hand over their submissions. Universities have been officially invited to make their submissions in a letter to all institutional leaders sent by the REF team.

The REF is run by the UK’s four funding councils—Research England, the Scottish Funding Council, the Higher Education Funding Council for Wales and Northern Ireland’s Department for the Economy.