US federal authorities have identified successful spearphishing campaigns directed at college and university students, especially during periods when financial aid funds are disbursed in large volumes.  In general, the spearphishing emails request students’ login credentials for the University’s internal intranet.  The cyber criminals then capture students’ login credentials, and after gaining access, change the students’ direct deposit destination to bank accounts within the threat actor’s control.


In February 2018, the FBI received notification of a spearphishing campaign targeting students at an identified University in the southeastern United States.[1]  The campaign occurred in January 2018 when an unidentified number of students attending the University received an email requesting their login credentials for the University’s internal intranet.  Using the University’s intranet portal, the cyber criminals accessed a third-party vendor that manages the disbursement of financial aid to students and changed the direct deposit information for 21 identified students to bank accounts under the cyber criminals’ control.  The threat actor stole approximately $75,000 from the 21 students. The student accounts were accessed by at least 13 identified US Internet Protocol (IP) addresses.

On 31 August 2018, the US Department of Education identified a similar spearphishing campaign targeting multiple institutions of higher education.  In this campaign, the cyber criminals sent students an email inviting them to view and confirm their updated billing statement by logging into the school’s student portal.  After gaining access, the cyber criminals changed the students’ direct deposit destinations to bank accounts under the threat actor’s control.

The nature of the spearphishing emails indicates the cyber criminals conducted reconnaissance of the target institutions and understand the schools’ use of student portals and third-party vendors for processing student loan payment information.  In addition, the timing of the campaigns indicates the cyber criminals almost certainly launched these campaigns to coincide with periods when financial aid funds are disseminated in large volumes.


Providers should implement the preventative measures listed below to help secure their systems from attacks:

  • Notify all students of the phishing attempts and encourage them to be extra vigilant
  • Implement two-factor authentication for access to sensitive systems and information
  • Monitor student login attempts from unusual IP addresses and other anomalous activity
  • Educate students on appropriate preventative and reactive actions to known criminal schemes and social engineering threats
  • Apply extra scrutiny to e-mail messages with links or attachments directed toward students
  • Apply extra scrutiny to bank information initiated by the students seeking to update or change direct deposit credentials
  • Direct students to forward any suspicious requests for personal information to the information technology or security department
  • For recent guidance on mitigation strategies against spearphishing and network infrastructure targeting, refer to the following joint technical alerts:
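The two monitoring items in the list above (logins from unusual IP addresses, and extra scrutiny of direct deposit changes) can be combined into one batch check over student portal logs. The following is an added example, not code from the advisory or from any university or vendor: it flags a direct deposit change made soon after a login from an address the student has never used, and any address that logged into several distinct student accounts (the January 2018 case had 13 addresses against 21 accounts). The event format, the `KNOWN_IPS` baseline and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample portal events: (student_id, ISO timestamp, source IP, action).
# Actions: "login" or "dd_change" (direct-deposit destination changed).
SAMPLE_EVENTS = [
    ("s1001", "2018-01-10T09:02:00", "10.0.0.5",    "login"),
    ("s1001", "2018-01-11T23:14:00", "203.0.113.7", "login"),      # address never seen for s1001
    ("s1001", "2018-01-11T23:20:00", "203.0.113.7", "dd_change"),
    ("s1002", "2018-01-11T23:31:00", "203.0.113.7", "login"),      # same address, another student
    ("s1002", "2018-01-11T23:35:00", "203.0.113.7", "dd_change"),
    ("s1003", "2018-01-12T08:00:00", "10.0.0.9",    "login"),
    ("s1003", "2018-01-12T08:05:00", "10.0.0.9",    "dd_change"),  # from the student's usual address
]
# Constructed baseline: addresses each student used before the disbursement window.
KNOWN_IPS = {"s1001": {"10.0.0.5"}, "s1003": {"10.0.0.9"}}

def find_suspicious_dd_changes(events, known_ips, window=timedelta(hours=24), shared_threshold=2):
    """Return [(student_id, ip, [reasons])] for direct-deposit changes that merit manual review."""
    parsed = sorted(((s, datetime.fromisoformat(t), ip, a) for s, t, ip, a in events),
                    key=lambda e: e[1])
    seen = defaultdict(set, {s: set(ips) for s, ips in known_ips.items()})
    # Pass 1: count distinct student accounts logged into from each address.
    accounts_per_ip = defaultdict(set)
    for sid, _, ip, act in parsed:
        if act == "login":
            accounts_per_ip[ip].add(sid)
    # Pass 2: walk events in time order and score each direct-deposit change.
    last_new_ip_login = {}   # student -> (time, ip) of most recent login from an unseen address
    flagged = []
    for sid, ts, ip, act in parsed:
        if act == "login":
            if ip not in seen[sid]:
                last_new_ip_login[sid] = (ts, ip)
                seen[sid].add(ip)
            continue
        reasons = []
        t_new, ip_new = last_new_ip_login.get(sid, (None, None))
        if ip_new == ip and t_new is not None and ts - t_new <= window:
            reasons.append("direct-deposit change within %s of first login from %s" % (window, ip))
        n = len(accounts_per_ip[ip])
        if n >= shared_threshold:
            reasons.append("address %s logged into %d distinct student accounts" % (ip, n))
        if reasons:
            flagged.append((sid, ip, reasons))
    return flagged

if __name__ == "__main__":
    for sid, ip, reasons in find_suspicious_dd_changes(SAMPLE_EVENTS, KNOWN_IPS):
        print(sid, ip, "; ".join(reasons))
```

On the sample data, s1001 and s1002 are flagged on both counts while s1003, who changed banking details from a known address, is not; in production the baseline would come from historical login records rather than a literal.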

For questions or comments regarding this report, please contact the Lab directly at 844-4-WAPACK (1-844-492-7225), or

[1] FBI PIN 20190207-001
