Did you know that the U.S. Department of Education (ED) has informed the higher education community of a new, ongoing phishing e-mail campaign?  ED made this announcement in an Electronic Announcement on Friday, August 31, 2018.  The scam involves an attacker using a phishing e-mail by which the attacker attempts to obtain access to student accounts through an institution’s student portal.    
 
A phishing e-mail scam generally occurs when an attacker sends fraudulent e-mails to individuals with an intent to get the targeted individual to click on a link in the e-mail that “appears” to come from a legitimate source, for example, your institution.  Once the targeted individual clicks on the link, it provides access for the attacker to gain illegitimate access (or, fraudulent authorized access), after a student provides requested information to this otherwise unauthorized person or entity.
 
This current phishing scam ED has informed us of is targeting institutions that utilize their own student portals.  This would include institutions, for example, that allow students to access the institution’s secure Web site with a login ID and password to:

  • submit payments and forms,
  • review their student account status,
  • accept or decline financial aid award notifications,
  • provide direct deposit account information and instructions, etc.

 
Due to the apparent current limited scope of this phishing scam, it may not be one that impacts a large number of FAME clients currently.  Nevertheless, it is wise to be aware of this type of scam, and appropriately educate your students and staff of such threats, in general. 
 
In the example ED provides, attackers are targeting students to gain access to their student portal.  Once the students click on a link provided in the bogus e-mail, the attacker changes the student information to have any funds redirected to the attacker’s accounts.
 
ED states that the success of the attacks are due to students complying with the attacker’s request to click on a link in the e-mail. 
 
Another cause noted by ED is institutions’ use of just one factor for authentication (e.g., just a password, etc.).
 
As a matter of ongoing good policy and practice, institutions may consider the following:

  1. Educate students of the potential threat of phishing e-mail scams and give an example of how to identify an e-mail scam.  For example:
    1. Ensure the e-mail is from your authorized e-mail domain before clicking on any links contained in the e-mail.
    2. In most cases, the legitimacy of an e-mail sender’s address can be determined by utilizing the mouse to hover the cursor over the e-mail address name to ensure it shows the actual, correct e-mail address and e-mail domain of your institution.
  2. Encourage students to directly contact the appropriate office/contact person at your institution if any e-mail contains questionable requests or instructions (e.g., a request to send payment when the student is certain the account has been paid in full, or if information is requested that should not be, or that should not be requested a second time, etc.)
  3. As an institution, develop and implement a two-factor authentication policy for any access to student/institution-specific sensitive data (e.g., account information, e-mail passwords, sensitive personally identifiable information, etc.).

 
It is essential that you stay vigilant in the watch for and prevention of any successful attacks on your institution and students’ information.  ED states that any funds disbursed inappropriately due to such a phishing e-mail campaign “may become the responsibility of the institution.”  Therefore, we suggest that all institutions take steps appropriate for their own institution to alert students and employees of such threats, whether any yet have been encountered at your institution or not.
 
This material is presented for informational and educational purposes only and should not be considered to be giving legal advice.