Western Sydney University (WSU) said it has referred a widespread scam email campaign to NSW Police after hundreds of students and graduates received fraudulent messages falsely claiming their qualifications had been revoked or that they were excluded from the university. 

The university confirmed the emails are illegitimate and apologised for the distress caused, stressing that no degrees have been cancelled or affected by the scam.

Scam Emails Trigger Alarm

The malicious emails, some of which appeared to come from legitimate university addresses, caused intense confusion and panic across the WSU community. 

Students and alumni—some of whom graduated more than a decade ago—reported receiving late-night messages with alarming subject lines about their academic standing. 

'My Sister Received An Email At 2.50 AM'

Social media platforms, including Reddit, quickly filled with stories from recipients, many of whom suffered significant distress before discovering the messages were not genuine.

One Reddit user described the anxiety wrought by the scam: “My sister has received a degree revoked email at 2:50 AM on a public holiday. She finished her studies and graduated earlier this year in March… She is super stressed and doesn’t know what to do other than contacting uni tomorrow”.

Another recipient said, “I received the same email even though I graduated 15 years ago. I guess they don’t purge personal records after 7 years”.

Many of the fraudulent emails did not include attachments or malicious links, reddit users noted.

Western Sydney University Says NSW Police Investigating Scam Emails

WSU sought to redress student fears, and emphasised that all student enrolments and qualifications remain wholly unaffected. 

In its statement, the university said:

“Western Sydney University is aware of fraudulent emails sent to students and graduates, with some falsely claiming that they have been excluded from the University or that their qualifications have been revoked." "These emails are not legitimate and were not issued by the University. We have informed NSW Police. As this is part of ongoing police investigation, we are unable to provide further comment at this time. We sincerely apologise for any concern this may have caused”.

The university said it is actively investigating the matter and has advised anyone who receives such emails not to reply or follow any included instructions, and to contact the university’s official channels if in doubt.

Second Mass Email Slams University

A separate mass email, reportedly sent using the university’s parking system, also alluded to weaknesses in WSU’s cybersecurity and referenced a history of past breaches. 

This email, which also appears to have been sent by a third party rather than the university itself, alleged that security flaws at WSU had gone unaddressed for years—a claim the university has not confirmed and which remains under police investigation.

"I am writing to bring to your attention a critical issue regarding the ongoing security vulnerabilities at Western Sydney University (WSU),” the email read.

“As you may already be aware, WSU has once again fallen victim to a security breach, highlighting their failure to take the necessary steps to protect your personal data and online security."

“Recently, a student was charged by local authorities for exploiting a flaw in the university’s parking permit system. This student used a simple browser tool, Inspect Element, to obtain a free parking permit."

“This is a glaring indication of the fundamental security weaknesses that still exist within WSU’s systems.  What’s more concerning is that these vulnerabilities are easily exploited with just a few clicks, and anyone with a basic understanding of web development can access and manipulate sensitive information."

“The problem is not new. In fact, WSU was made aware of this issue back in 2017, yet, despite being informed about it years ago, the university has neglected to take meaningful action.  Now, in a particularly ironic twist, the university is charging a student for using these flaws, even though they have failed to address the security weaknesses that allowed this to happen in the first place."

“So, the question remains: Has WSU done anything to secure their systems since then? Based on the fact that this email was sent using the very same vulnerability in their website, the answer appears to be a resounding no."

“To make matters worse, in August, sensitive data submitted through WSU’s eForms system was hacked and stolen. This includes potentially highly confidential student information."

“Even more alarming is the fact that WSU has not disclosed this breach to students, leaving many unaware that their personal data may have been compromised. This lack of transparency is deeply troubling and further underscores the university’s disregard for student privacy and accountability."

“In addition, there have been verified instances where student grades were modified without the university’s knowledge, including cases that appear to involve direct database access. Alarmingly, WSU does not know how many students may have had their grades altered as a result, meaning the full scope of the damage remains unknown,” the email claimed.

DATA BREACH AT WSU IS NOT NEW

The incident comes amid continuing cyber-related challenges at WSU. Earlier this year, approximately 10,000 students and staff were impacted by a single sign-on breach that allowed unauthorised access to enrolment, demographic, and progression data. 

Data from that breach may have appeared in both open and dark web posts, leading to further scrutiny of university security protocols and an ongoing effort to prevent future attacks.

University Vice-Chancellor George Williams AO recently acknowledged the frequency and persistence of attempted attacks on WSU’s systems, saying: “Western Sydney University has been the subject of persistent and targeted attacks on our network. The University is very aware of the personal impact these incidents are having on its students, staff and wider community”.

The story is continuing to unfold, as investigations by NSW Police and the university press on.