A new phishing scam is targeting students entitled to financial aid refunds, the Department of Education warned in a statement.
Multiple colleges and universities have reported to the department that students have received emails seeking information necessary to gain access to student portals. Attackers who gain access change direct deposit information so that financial aid refunds are sent to the attacker’s accounts.
Fraudulent emails target student sites
Students targeted by the phishing scam receive an email sent through password-protected student websites. The email appears to come from their college or university, the department said in the statement, dated Aug. 31 but not widely reported until the Washington Post published coverage of it Saturday. The Post said the authorities it spoke with had declined to identify which schools reported the attacks.
A sample email provided by Federal Student Aid, an office of the Department of Education, asks students to confirm their updated 2018 bill to avoid late fees. The nature of the emails suggests attackers have researched the targeted academic institutions to understand their communication practices, the statement said.
When students fall victim to the scam, attackers can use their provided information to redirect financial aid refunds to the attacker’s accounts by changing direct deposit information. Many students are entitled to financial aid refunds if they receive loans in larger amounts than necessary to cover tuition, room, and board. The school refunds this excess aid to students so they can use it to pay living expenses.
The Department of Education has warned that federal aid funds distributed inappropriately may become the responsibility of the institution that disbursed the funds.
Student aid portals at colleges and universities are vulnerable to this type of phishing scam because many do not use two-factor or multifactor authentication to verify that login attempts are legitimate. The Department of Education has urged higher education institutions to impose more stringent security measures, such as requiring students to answer security questions or to provide a PIN in addition to a username and password.
The department is also urging institutions subject to the attack to consider freezing refund requests or blocking changes to direct deposit information. Taking precautions is essential: evidence suggests attackers are refining their scheme and may target more institutions as the school year gets underway and financial aid refunds are distributed in large volumes.
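As an added illustration, not part of the Department of Education statement or this article and not any real student-portal vendor's code, the following Python models the institutional controls described above: a direct-deposit change that is refused without step-up verification (PIN, security question or second factor), a freeze on refund disbursement until the change is confirmed out of band and a hold period has elapsed, and a defender's check for several students' refunds being pointed at one bank account. The seven-day hold, the account numbers, the student IDs and the timeline are all constructed for the example.

```python
"""
Added example: a refund-disbursement gate modelling the controls the
Department of Education recommends (block unverified direct-deposit edits,
freeze refunds after a change) plus a check for refunds of many students
converging on one bank account. All policy values and data are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy value: refunds are held this long after a bank-account change.
HOLD_PERIOD = timedelta(days=7)


@dataclass
class StudentAccount:
    student_id: str
    routing: str
    account: str
    deposit_changed_at: datetime | None = None
    change_confirmed: bool = False          # confirmed through an out-of-band channel
    audit: list[tuple] = field(default_factory=list)


def change_direct_deposit(acct: StudentAccount, new_routing: str, new_account: str,
                          now: datetime, step_up_verified: bool) -> None:
    """Apply a direct-deposit change only after step-up verification;
    record it in the audit trail and start the refund hold."""
    if not step_up_verified:
        acct.audit.append(("deposit_change_blocked", now, "no step-up verification"))
        raise PermissionError("direct-deposit change requires step-up verification")
    acct.audit.append(("deposit_changed", now, acct.account, new_account))
    acct.routing, acct.account = new_routing, new_account
    acct.deposit_changed_at = now
    acct.change_confirmed = False


def confirm_change_out_of_band(acct: StudentAccount, now: datetime) -> None:
    """The student confirms the change through a channel the phisher does not
    control (for example a call-back or an in-person check at the bursar's office)."""
    acct.change_confirmed = True
    acct.audit.append(("deposit_change_confirmed", now))


def refund_decision(acct: StudentAccount, now: datetime) -> tuple[str, str]:
    """Decide whether a refund may be disbursed now: ('release' | 'hold', reason)."""
    if acct.deposit_changed_at is None:
        return "release", "no recent direct-deposit change"
    if not acct.change_confirmed:
        return "hold", "direct-deposit change not yet confirmed out of band"
    age = now - acct.deposit_changed_at
    if age < HOLD_PERIOD:
        return "hold", f"direct deposit changed {age.days} day(s) ago; hold is {HOLD_PERIOD.days} days"
    return "release", "change confirmed and hold period elapsed"


def shared_destinations(accounts: list[StudentAccount], threshold: int = 2) -> dict:
    """Flag bank accounts that would receive refunds for several students:
    a hijacker of many portals tends to route every refund to one account."""
    by_dest: dict = defaultdict(list)
    for a in accounts:
        by_dest[(a.routing, a.account)].append(a.student_id)
    return {dest: ids for dest, ids in by_dest.items() if len(ids) >= threshold}


def demo() -> dict:
    """Run the controls through a constructed scenario and return the decisions."""
    t0 = datetime(2018, 9, 4, 9, 0)
    alice = StudentAccount("S1001", "011000015", "1111")   # constructed sample data
    bob = StudentAccount("S1002", "011000015", "2222")
    carol = StudentAccount("S1003", "011000015", "3333")

    # 1. A login with only a phished password tries to edit Alice's account: refused.
    try:
        change_direct_deposit(alice, "999999999", "7777", t0, step_up_verified=False)
        blocked = False
    except PermissionError:
        blocked = True

    # 2. Bob's and Carol's accounts are changed (step-up passed) to the same destination.
    change_direct_deposit(bob, "999999999", "7777", t0, step_up_verified=True)
    change_direct_deposit(carol, "999999999", "7777", t0 + timedelta(minutes=3), step_up_verified=True)

    # 3. Refund run the same day: held pending out-of-band confirmation.
    same_day = refund_decision(bob, t0 + timedelta(hours=2))[0]
    # 4. Bob confirms; the hold still applies for the rest of the period, then lifts.
    confirm_change_out_of_band(bob, t0 + timedelta(days=1))
    during_hold = refund_decision(bob, t0 + timedelta(days=3))[0]
    after_hold = refund_decision(bob, t0 + timedelta(days=8))[0]

    return {
        "unverified_change_blocked": blocked,
        "same_day": same_day,
        "during_hold": during_hold,
        "after_hold": after_hold,
        "shared": shared_destinations([alice, bob, carol]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hold period and the out-of-band confirmation are the two pieces that make a stolen password insufficient on its own: even an attacker who passes step-up verification cannot collect a refund before the bursar's office has a chance to notice, and the shared-destination check gives that office a concrete list of accounts to review before the disbursement run.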
Students should also protect their account security by refraining from clicking email links or providing personal identifying information in response to email requests. Instead of using links, always visit websites directly by typing the site’s address into your browser to avoid falling victim to this or any phishing scam.
Federal Student Aid said it would “continue to monitor this situation and will send out additional information as appropriate. That information may include additional examples of the phishing emails, training resources, and best practices about how to avoid falling victim to phishing attacks.”
Beware of other scams, too
The phishing attack on loan refunds is one of many scams aimed at student loan borrowers. These can range from the notorious “Obama student loan forgiveness” scam popular during the previous presidential administration to promises that your loan can be discharged if you’re disabled.
Watch out for red flags such as unnecessary fees or requests for excessive information. And if you do think you’ve fallen victim to a scam artist, follow these steps to protect yourself from further harm.