The FBI has identified successful spearphishing campaigns directed at college and university students, especially during periods when financial aid funds are disbursed in large volumes. In general, the spearphishing emails request students’ login credentials for the university’s internal intranet. The cyber criminals then capture students’ login credentials, and after gaining access, change the students’ direct deposit destination to bank accounts within the threat actor’s control.

In February 2018, the FBI received notification of a spearphishing campaign targeting students
at an identified University in the south eastern United States. The campaign occurred in January
2018 when an unidentified number of students attending theuniversity received an email
requesting their login credentials for the university’s internal intranet. Approximately $75,000 was stolen from 21 students.

In August 2018, the Department of Education identified a similar spearphishing campaign
targeting multiple institutions of higher education. In this campaign, the cyber criminals sent
students an email inviting them to view and confirm their updated billing statement by logging
into the school’s student portal. After gaining access, the cyber criminals changed the students’
direct deposit destinations to bank accounts under the threat actor’s control.

The nature of the spearphishing emails indicates the cyber criminals conducted reconnaissance
of the target institutions and understand the schools’ use of student portals and third-party
vendors for processing student loan payment information. In addition, the timing of the
campaigns indicates the cyber criminals almost certainly launched these campaigns to coincide
with periods when financial aid funds are disseminated in large volumes.


  • The FBI recommends providers implement the preventative measures listed below to help
    secure their systems from attacks:
  • Notify all students of the phishing attempts and encourage them to be extra vigilant
  • Implement two-factor authentication for access to sensitive systems and information
  • Monitor student login attempts from unusual IP addresses and other anomalous activity
  • Educate students on appropriate preventative and reactive actions to known criminal
    schemes and social engineering threats
  • Apply extra scrutiny to e-mail messages with links or attachments directed toward
  • Apply extra scrutiny to bank information initiated by the students seeking to update or
    change direct deposit credentials
  • Direct students to forward any suspicious requests for personal information to the
    information technology or security department

Read the full report here.

LEVERAGE offers cybersecurity solutions to help product your credit union. Click here for details.