Protecting Students From Loan Disbursement Fraud With MFA
The increasing costs of higher education mean that more students are taking on more debt than ever before. Tuition costs have spiked over the last 30 years, leaving parents and students coming up short when looking to pay for higher education. There is currently over $1.56 trillion dollars in outstanding student loan debt in the U.S. In order to provide scale, StudentLoanHero points out that this is “$521 billion more than the total U.S. credit card debt.” For the class of 2018 alone, 69% of students graduated with some sort of debt, with an average debt amount of $29,800. Unfortunately, the rise of student debt has attracted and emboldened a variety of bad actors looking to steal funds as they pass to the enrolled individuals.
At the beginning of last school year, the Department of Education reported an increase in attempts to steal student loan disbursements. These attacks aim to redirect loan funds to a new direct deposit controlled by the bad actor. This shouldn’t come as a surprise, given the prevalence of identity theft within the credit card market; but many universities and students may be unequipped to recognize or thwart the potential attack.
Don’t worry, the first step in combating malicious activity is understanding how bad actors typically go about their dirty work. In order to illustrate how student loan disbursement is targeted, let’s review how the attack works logistically. Then, we can provide some insight into how the attack can be prevented.
Hack Phase 1: Phishing Students
The attack typically begins with a phishing email campaign targeted at the student body. Sophisticated attackers will have done their homework, so these emails usually reflect the communication aesthetic of the institution. The content of the emails will also often incorporate urgent or accusatory language. Late bills, missed payments, or incorrect banking information are all subjects used in phishing campaigns.
If a student is coerced or intimidated, they may quickly enter their credentials, FSA ID, or other critical piece of personal information. Students using mobile devices may not have access to see information that would help them spot a phish or may be more susceptible to snap decisions when entering credentials. The attacker can now move quickly to phase two.
Hack Phase 2: Access & Edit Student Deposit Accounts
There is often an area for a student to designate a direct deposit account for any loan amount that won’t be applied to tuition - accounts like this are the target of this attack. Now that the attacker has the credentials or personal information required to access the university’s student portal, they can log in to the portal and edit the student’s banking profile. The attacker changes the deposit information to an account within their control and waits for the disbursement to come through.
Solution: Proactive Prevention Through MFA
There are a couple of key ways to address the threat of loan disbursement fraud. The first is a strong MFA workflow. By challenging student access attempts with a second factor authentication, administrators reduce the chance that the login is compromised. If the attacker has phished the student’s credentials, they’d still need access to the student’s phone or second factor to complete the fraud.
Given the efficacy of MFA, the Department of Education specifically encourages institutions to “strengthen their cybersecurity posture through the use of two-factor or multi-factor authentication authentication practices.”
At Duo, we provide an MFA solution that is easy to implement for administrators and easy to use for students. It can protect any application, even customized on-premises applications, and students can use a variety of methods to provide a second factor. Don’t just take our word for it, institutions like Eastern Michigan University have all seen reductions in compromised accounts by deploying Duo.
A second way to address the loan disbursement threat is through phishing awareness. If students are trained to spot the telltale signs of a phishing campaign and given proper channels to report suspicious email activity, then the probability that they will be tricked by a phishing campaign diminishes. Effective reporting channels also allow IT administrators to investigate and potentially block malicious email domains.
Many institutions even set up a cybersecurity training day early in the school year. These dedicated days focus on best practice for individual security, how to avoid phishing attempts, and setting up tools like Duo or a password manager.
The challenge of dealing with loan fraud can seem daunting, but Duo can help prepare any university, and its students, to recognize and combat phishing.
Phishing: A Modern Guide to an Age-Old Problem
This guide gives you a look into:
-How phishing works, how it has evolved, and the new tactics used to appear legitimate to users.Download Free Guide