The U.S. Education Department’s Office of Federal Student Aid received multiple reports from colleges and universities about the phishing campaign targeting student email accounts, a department spokesman said. Authorities declined to identify the schools that reported the attacks.
“The Department thought it was prudent to notify institutions about this scheme via an electronic announcement to schools and by posting this alert on the Information for Financial Aid Professionals website,” a department spokesman said.
The attacks begin with a phishing email that directs students to a college’s password-protected student website, department officials wrote; the email is crafted to fraudulently extract personal information, including the credentials used to log in to that site.
The nature of the emails suggests the attackers have researched the school’s communication methods, and the attacks succeed because students supply the information the fraudulent messages ask for, the department warned.
The money at stake is the refund left over after a student’s aid has covered tuition, room and board. A student, for example, might be eligible to receive $25,000 in federal student aid, which is transferred electronically from the Education Department to a university. If $4,000 remained after charges, the university would typically transfer that balance to the student, offering several ways to receive the money, including a debit card or an electronic deposit to a bank account. It is those electronic deposits that are vulnerable.
Once the attackers gain access, they change the student’s direct-deposit destination to a bank account controlled by the attacker. Then the money intended for the student is sent to the attacker instead.
The agency believes the attackers are "practicing and refining the scheme on a smaller scale now and that this will emerge as a prominent threat" against colleges and universities at times when Federal Student Aid funds are disbursed in large volumes.
Some schools are especially vulnerable, the agency warned, because they do not require two forms of identification to secure their student portals; often, students verify their identity with just one method, such as a username and password.
The agency strongly urged colleges and universities to strengthen security and use two-factor or multi-factor identification — for example, a username and password combined with a PIN or security questions, or access through a secure device.
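The two controls the department describes, step-up verification before a direct-deposit destination is changed and a check on whether the session began from somewhere new to the student, can also be applied after the fact to a portal’s audit log. The following Python script is an added illustration, not code from the department, the article, or any school’s portal: it runs a constructed set of audit events through that logic and flags deposit changes that either lack a recent step-up verification or follow a login from an IP address the student has never used before. The event schema, the baseline IP lists and all identifiers are assumptions made for the example.

```python
"""Flag direct-deposit changes in a student-portal audit log that were made
without a recent step-up verification, or right after a login from an IP
address new to that student.  Schema and data are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    student_id: str
    action: str        # "login", "mfa_verified" or "deposit_change" (assumed)
    ip: str
    detail: str = ""   # e.g. masked destination account for deposit changes


def find_risky_deposit_changes(events, baseline_ips, mfa_window=timedelta(minutes=10)):
    """Return a list of (student_id, ts, detail, reasons) for suspicious changes.

    baseline_ips: student_id -> set of IPs seen on that student's earlier
    logins.  A copy is taken so the caller's baseline is not mutated.
    """
    known_ips = {sid: set(ips) for sid, ips in baseline_ips.items()}
    last_mfa = {}            # student_id -> time of last step-up verification
    session_from_new_ip = {}  # student_id -> did the current session start from a new IP?
    alerts = []

    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action == "login":
            seen = known_ips.setdefault(e.student_id, set())
            session_from_new_ip[e.student_id] = e.ip not in seen
            seen.add(e.ip)
            # A new session invalidates any earlier step-up verification.
            last_mfa.pop(e.student_id, None)
        elif e.action == "mfa_verified":
            last_mfa[e.student_id] = e.ts
        elif e.action == "deposit_change":
            reasons = []
            verified_at = last_mfa.get(e.student_id)
            if verified_at is None or e.ts - verified_at > mfa_window:
                reasons.append("no step-up verification within the allowed window")
            if session_from_new_ip.get(e.student_id, True):
                reasons.append(f"session began from an IP new to this student ({e.ip})")
            if reasons:
                alerts.append((e.student_id, e.ts, e.detail, reasons))
    return alerts


# Constructed sample data: RFC 5737 documentation addresses, fictitious student ids.
BASELINE_IPS = {
    "s1001": {"203.0.113.7"},
    "s1002": {"198.51.100.4"},
    "s1003": {"203.0.113.9"},
}

T = datetime(2024, 3, 4)  # arbitrary constructed date
SAMPLE_EVENTS = [
    # Legitimate change: known IP and step-up verification just before the edit.
    Event(T + timedelta(hours=9), "s1001", "login", "203.0.113.7"),
    Event(T + timedelta(hours=9, minutes=1), "s1001", "mfa_verified", "203.0.113.7"),
    Event(T + timedelta(hours=9, minutes=2), "s1001", "deposit_change", "203.0.113.7", "acct ****1122"),
    # Pattern the department describes: login from a new IP, no step-up, account changed.
    Event(T + timedelta(hours=14), "s1002", "login", "192.0.2.55"),
    Event(T + timedelta(hours=14, minutes=3), "s1002", "deposit_change", "192.0.2.55", "acct ****9901"),
    # Known IP but the portal never asked for step-up verification.
    Event(T + timedelta(hours=16), "s1003", "login", "203.0.113.9"),
    Event(T + timedelta(hours=16, minutes=5), "s1003", "deposit_change", "203.0.113.9", "acct ****4477"),
]


def sample_alerts():
    """Run the detection over the constructed log (used by the test below)."""
    return find_risky_deposit_changes(SAMPLE_EVENTS, BASELINE_IPS)


if __name__ == "__main__":
    for student_id, ts, detail, reasons in sample_alerts():
        print(f"{ts:%Y-%m-%d %H:%M} {student_id} {detail}: " + "; ".join(reasons))
```

The same two checks belong in the portal itself as a preventive control: a direct-deposit edit should be gated behind a fresh second factor, and a change attempted from a device or address the student has never used is a reasonable trigger for holding the change and notifying the student through a channel other than the portal.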
The announcement included this message: “Any funds disbursed inappropriately may become the responsibility of the institution.”
It included a sample email from an attacker, with the subject line, “Updated billing statement issued,” and information urging students to pay their bill with instructions on how to do so through the student portal.
A spokeswoman for the National Association of Student Financial Aid Administrators said the organization didn’t have any comment because it did not have information beyond the warning from the Office of Federal Student Aid. A spokeswoman for the National Association for College Admission Counseling said the organization has notified its members.