
Phishing Attacks Target Financial Aid Funds of Students

College students face a lot of expenses: textbooks, tuition, room and board, parking, and the list goes on. Students depend on FAFSA to alleviate some of the financial burden that goes along with college.

But when hackers are after your financial aid, responding to their email with your credentials is a promise that you won’t see a penny coming your way.

Warnings from U.S. Education Department

The U.S. Education Department’s Office of Federal Student Aid has been notified that students are receiving phishing emails targeting their financial aid funds.

“The Department thought it was prudent to notify institutions about this scheme via an electronic announcement to schools and by posting this alert on the Information for Financial Aid Professionals website,” a department spokesman said.

Phishing emails were sent through a college’s password-protected website for students, trying to fraudulently extract personal information.

Phishy Emails

The attackers behind this financial aid refund scheme did their research to mimic the school’s communication methods, and they were successful: students replied with the information requested.

For instance, in some cases, students are eligible to receive $25,000 in federal student aid.  First, it is transferred electronically from the Education Department to a university.  The aid is used to cover tuition, room, and board.  Then, the rest of the aid, about $4,000 or so, will be transferred to the student by either a debit card or an electronic deposit to a bank account.

After the attacker obtained student credentials, they changed the method of receiving financial aid to another bank account, controlled by the attacker. From there, it is just a few days until a check intended for the student is cut for the hacker.

This Could Be Only The Beginning

It is believed that these hackers may be working out the kinks of their financial phish scheme for when Federal Student Aid funds are distributed in large volumes.

Schools that use a single method of verification (username and password) are more vulnerable to these phishing attacks. Two-factor or multi-factor authentication is recommended to better secure the student portal and students' information. It is advised that adding a PIN or security questions may strengthen security.
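One way a student portal could act on the pattern described above (a refund-method change made from a password-only session, followed days later by the payout), as an added example that is not from the original article. The event fields, the 7-day hold window and the 24-hour new-device threshold are assumptions, and the audit events are constructed.

```python
from datetime import datetime, timedelta

# Constructed portal audit events; field names are assumptions, not a real schema.
EVENTS = [
    {"ts": "2024-01-08T09:12:00", "student": "s1001", "type": "login", "mfa": False, "device": "dev-A"},
    {"ts": "2024-01-20T02:41:00", "student": "s1001", "type": "login", "mfa": False, "device": "dev-X"},
    {"ts": "2024-01-20T02:44:00", "student": "s1001", "type": "payout_change", "mfa": False, "device": "dev-X"},
    {"ts": "2024-01-23T08:00:00", "student": "s1001", "type": "refund_scheduled"},
    {"ts": "2024-01-10T14:00:00", "student": "s2002", "type": "login", "mfa": True, "device": "dev-B"},
    {"ts": "2024-01-21T15:32:00", "student": "s2002", "type": "payout_change", "mfa": True, "device": "dev-B"},
    {"ts": "2024-01-23T08:00:00", "student": "s2002", "type": "refund_scheduled"},
]

HOLD_WINDOW = timedelta(days=7)      # assumed policy: review refunds this soon after a change
NEW_DEVICE_AGE = timedelta(hours=24) # assumed: device counts as new for its first 24 hours


def refunds_to_hold(events, window=HOLD_WINDOW):
    """Return {student: [reasons]} for refunds that follow a risky payout-method change."""
    first_seen = {}    # (student, device) -> first time that device was observed
    last_change = {}   # student -> (time of latest payout change, risk reasons)
    holds = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ev["ts"])
        sid = ev["student"]
        if "device" in ev:
            first_seen.setdefault((sid, ev["device"]), ts)
        if ev["type"] == "payout_change":
            reasons = []
            if not ev["mfa"]:
                reasons.append("password-only session")
            if ts - first_seen[(sid, ev["device"])] < NEW_DEVICE_AGE:
                reasons.append("device first seen < 24h before change")
            last_change[sid] = (ts, reasons)
        elif ev["type"] == "refund_scheduled":
            changed_at, reasons = last_change.get(sid, (None, []))
            # Hold only when a risky change happened recently enough to affect this payout.
            if reasons and ts - changed_at <= window:
                holds[sid] = reasons
    return holds


if __name__ == "__main__":
    for student, reasons in refunds_to_hold(EVENTS).items():
        print(f"HOLD refund for {student}: {'; '.join(reasons)}")
```

A held refund would go to manual verification with the student through a channel other than the portal account that made the change.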

Original Article Found Here.