Cyber attacks target some student financial aid

A “malicious phishing attack” has targeted some student financial aid at several colleges, the U.S. Department of Education’s Federal Student Aid office says.

A fake email could rob some college students of federal money.

The U.S. Department of Education's financial aid office has reported a "malicious phishing campaign" using a phony message to gain access to students' accounts at several colleges.

It does not identify any of the schools affected.

The phony message targets students who are due a refund of financial-aid money. When a student is eligible for more aid than the cost of tuition and housing, colleges and universities typically send the extra amount to students electronically, using the institutions' online student portals. A student set to receive $15,000 in aid, for example, who only had to pay $12,000 for tuition and housing, could get $3,000.

One example of the scam messages invites students to confirm some information on their school accounts. Then, the education department says, the attackers change the direct-deposit information so the refund is sent to the attackers' account instead.

The scheme has worked, the department warns, because students have provided the information the email requested. “The nature of the requests indicates the attackers have done some level of research and understand the schools’ use of student portals and methods,” it said in a press release.

“Federal Student Aid believes that attackers are practicing and refining the scheme on a smaller scale now and that this will emerge as a prominent threat … during periods when FSA funds are disseminated in large volumes,” it said.

The department encouraged colleges and universities to switch from single-factor authentication on the student portals, the setup where only one piece of verifying information, a password, is needed to access an account.

It wants schools to use “two-factor or multi-factor authentication processes” that “rely on a combination of factors, for example, user name and password combined with a PIN or security questions or access through a secure, designated device.”

The release also says funds issued “inappropriately may become the responsibility of the institution.”