Scammers targeting students appear to “have done some level of research and understand the schools’ use of student portals and methods,” federal officials say. Photo credit:

If you’ve taken out student loans for the fall semester, be on the lookout for a sophisticated email phishing campaign that could allow scammers to intercept money that’s owed to you before it’s deposited in your bank account.

The Department of Education says students at “multiple” colleges have already been targeted, and that the scammers are believed to be “practicing and refining the scheme” that could emerge as “a prominent threat” when student loans are distributed in large volumes.

Here’s how it works: You get an email that looks like it comes from your college, inviting you to view and confirm your updated billing statement by logging into your school’s student portal. That’s the website your college has set up as a gateway for you to access everything from your course materials and grades to financial aid information and account balances.

Example of phishing email. Source: U.S. Department of Education, office of Federal Student Aid.

Clicking on the link in the phishing email doesn’t take you to your school’s student portal. Instead, it takes you to an impostor site that may look very similar to the real website. If you try to log in to the impostor website, you’re providing scammers with your username and password to the real student portal.

The scammers can then go to the real site and change the direct deposit destination where your excess student loan proceeds will be distributed to a bank account they control. (Student loans are usually disbursed to the school to pay tuition, fees, and room and board. Any leftover funds are then provided to you to cover other education-related expenses.)

Florida school targeted

Targeted schools are encouraged to freeze student loan distribution requests or issue paper checks until the scope of the incident is known, and to disable passwords of potentially affected students.

At Florida Gulf Coast University, students had their login PINs reset after the school discovered “a serious phishing scam that targeted our students. The attackers are using phishing emails and fake FGCU Gulfline websites to trick students into disclosing their login credentials.”

Wellesley College reported a similar scheme last year, in which scammers replicated the school’s login page.

The Department of Education’s office of Federal Student Aid said it “strongly encourages” schools to implement dual-factor authentication, which requires users to add another layer of security, such as a mobile device, to verify their identities.

Two-factor authentication is mandatory at SUNY Albany this fall, following a phishing scheme last spring that compromised more than 300 student accounts.

How to avoid being a victim of a phishing attack

The U.S. Computer Emergency Readiness Team offers the following tips on detecting and avoiding social engineering and phishing attacks:

  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Don’t send sensitive information over the Internet before checking a website’s security.
  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (.com vs. .net, for example).
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.
  • Be wary of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information.
  • Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.

Massive identity theft

Student loan fraud often involves stolen identities, with perpetrators posing as students enrolling in colleges and taking out student loans in the victims’ names (in some instances, those whose identities are used are in on the scheme).

One of the boldest schemes in recent memory was uncovered last year, when the IRS discovered that hackers had breached a data retrieval tool that helps students filling out the Free Application for Federal Student Aid (FAFSA) access their tax records. The IRS concluded that the perpetrators used the online tool to access the tax records of about 100,000 people.

Prosecutors eventually indicted Taiwo K. Onamuti, 29, of Doraville, Georgia, and Muideen A. Adebule, 49, of Indianapolis, Indiana, alleging they used stolen identities to file 8,000 bogus tax returns that triggered $12 million in fraudulent refunds.

Although the the IRS Data Retrieval Tool is back online, new security measures can complicate the process of documenting your income when filling out the FAFSA or recertifying your income if you’re repaying loans in an income-driven repayment plan.

A longtime news reporter and editor, Matt Carter is out to help consumers find the information they need to make informed decisions about their personal finances. He's an avid producer and consumer of news and analysis about new business models and tools, market trends, and politics and regulations. Email: