Well, it _said_ it was from the SLC, but I don't have a student loan any more.
And when I hovered over the link to the website that wanted me to "verify your details", it didn't seem to be pointing to the website that the text would indicate.
Not that it was easy to tell - as the popup with the link text in it only showed 80 characters - the last 80 characters.
So I clicked on it. On my phone, as I figured that the number of viruses, etc. that target Webkit on a Nokia must be somewhere near zero.
And then discovered that the only way to find out what the actual address of the page you're on under the Nokia Webkit browser is buried in the menu system.
So when I got the page name I decided to visit the root domain and see what that was.
Lo and Behold - a WordPress install, last updated in 2008. And thus undoubtedly full of holes.
So I used the "contact" form there to drop the owner an email. Which will probably go to a dead email box that they haven't checked since 2008.
Further checking shows that the Student Loans Company don't have an SPF record set up to prevent people from impersonating them when sending email. Which means that botnets are free to send email that "comes from" them.
And this is why we can't have nice things.