Posted Date: August 31, 2018 

Subject: Active Phishing Campaign Targeting Student Email Accounts

Federal Student Aid (FSA) has identified a malicious phishing campaign that may lead to potential fraud associated with student refunds and aid distributions.

What is happening: Multiple institutions of higher education (IHEs) have reported that attackers are using a phishing email to obtain access to student accounts via the IHE student portal (see example phishing email below). The nature of the requests indicates the attackers have done some level of research and understand the schools’ use of student portals and methods. These attacks are successful due to student compliance in providing requested information and the use of just one factor for authentication. 

Upon gaining access to the portal, the attacker changes the student’s direct deposit destination to a bank account controlled by the attacker. As a result, FSA refunds intended for the student are sent to the attacker. FSA believes that attackers are practicing and refining the scheme on a smaller scale now and that this will emerge as a prominent threat against IHEs during periods when FSA funds are disseminated in large volumes.

Note: Any funds disbursed inappropriately may become the responsibility of the institution.

Example phishing email:

Why IHEs are vulnerable to this attack: The attackers are exploiting a common practice at many IHEs: the use of single-factor authentication to access institution systems. Single-factor authentication is the simplest method of authentication where a person uses only one credential to verify him or herself online; usually the one credential is a password matched to a username.

How to protect IHEs: FSA strongly encourages IHEs to strengthen their cybersecurity posture through the use of two-factor or multi-factor authentication processes. These types of authentication rely on a combination of factors, for example, username and password combined with a PIN or security questions or access through a secure, designated device.

If you believe your institution has fallen victim to an attack, report the incident immediately to [email protected] and [email protected]. Include the following:

• Name of the institution
• Date the incident occurred (if known)
• Date the incident was discovered 
• Copy of the phishing email (if available)
• Extent of the impact (number of students)
• Remediation status (what has been done since discovery)
• Institution point of contact

Suggested remediation steps if an institution falls victim to the attack:

• Temporarily freeze refund requests until the scope of the incident can be known. Note, refunds must still be provided within regulatory guidelines which may require a change in how impacted IHEs issue refunds, e.g. issue paper checks.
• Temporarily disable changes to direct deposits for refunds.
• Block IP addresses observed in institution logs related to the attack.
• Disable campus credentials or passwords for potentially affected students and require password resets.
• Perform additional forensic analysis on server and application logs from recent weeks.
• Notify all students, warning them of active phishing attempts and encourage them to be vigilant and careful about using links and entering personally identifiable information into websites.

FSA will continue to monitor this situation and will send out additional information as appropriate. That information may include additional examples of the phishing emails, training resources, and best practices about how to avoid falling victim to phishing attacks.

Thank you for your attention to this matter. FSA is committed to working with IHEs to thwart phishing attacks and protect student financial aid information. If you have any questions about the information included in this announcement, please contact [email protected].

Publication Date: 8/31/2018