Carnegie Mellon University

Spear Phishing targets student financial aid accounts

November 03, 2020

FBI Warns of Widespread Compromises of Federal Student Aid Login Credentials via Spear Phishing

The Federal Bureau of Investigation (FBI) recently released a statement regarding an expected increase of spear phishing campaigns targeting university students attempting to steal federal student aid login credentials. Spear phishing is a type of targeted phishing email attack where a cybercriminal poses as a trusted organization in order to trick individuals into giving up financial or personal information such as account credentials. Spear phishing attacks can be hard to detect, especially when scanning emails quickly.

The Information Security Office (ISO) would like to remind students to remain vigilant against such spear phishing attacks, especially during heavy processing times such as the beginning of semesters and when student refunds are distributed. The University Enrollment Services department will only deposit directly to a student’s account when a refund is due to the student or when special assistance is given, such as the recent CARES grant.

The ISO recommends students implement the following best practices to ensure sensitive information is safe from compromise, and to help secure systems from potential cyber-attacks.

Learn to identify phishing emails. Phishing emails typically are disguised as a message from a reputable person or organization. Before responding to a suspicious email, be sure to check the message for the following phishing warning signs and learn more about phishing at Don’t Take the Bait: Phishing.

  • The sender’s email address does not match the display name.
  • The message conveys a sense of urgency.
  • The message contains a call to action, such as clicking a link, opening an attachment, replying or calling to verify or update sensitive information, or entering personal information like banking details or an account username and password into an online form or application.
  • The message contains odd or suspicious wording or requests.
  • The message uses a generic salutation and signature.
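The warning signs above can be checked mechanically before a message is opened. The following script is an added example, not part of the ISO notice: it parses a raw email, compares the display name against the sender’s domain, and looks for urgency wording, a credential-related call to action paired with a link, and a generic greeting. The trusted-sender domains, keyword lists and both sample messages are constructed for the demonstration.

```python
"""Heuristic phishing-indicator scan for a raw RFC 5322 message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholders: organisations that send aid mail and the domains
# their messages legitimately come from. Replace with your institution's values.
TRUSTED_SENDERS = {
    "enrollment services": "example.edu",
    "federal student aid": "studentaid.gov",
}
URGENCY_PHRASES = ("immediately", "within 24 hours", "urgent", "will be suspended", "act now")
CALL_TO_ACTION = ("verify your", "update your", "confirm your", "log in", "login", "click")
GENERIC_GREETINGS = ("dear student", "dear user", "dear customer", "hello,")


def _body_text(msg):
    """Return the decoded text/plain body (first text part only)."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        return ""
    return msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")


def phishing_indicators(raw_message):
    """Return the list of warning signs found in the raw message, in checklist order."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower()
    name_lc = display_name.lower()
    body_lc = _body_text(msg).lower()
    found = []

    # 1. Display name claims a trusted organisation, but the address is not from its domain.
    for org, legit_domain in TRUSTED_SENDERS.items():
        if org in name_lc and not (domain == legit_domain or domain.endswith("." + legit_domain)):
            found.append("sender-mismatch")
            break

    # 2. Sense of urgency.
    if any(p in body_lc for p in URGENCY_PHRASES):
        found.append("urgency")

    # 3. Call to action on credentials or banking details, combined with a link.
    asks_for_action = any(p in body_lc for p in CALL_TO_ACTION)
    has_link = re.search(r"https?://", body_lc) is not None
    if asks_for_action and has_link:
        found.append("credential-call-to-action")

    # 4. Generic salutation on the first non-empty line of the body.
    first_line = body_lc.strip().splitlines()[0] if body_lc.strip() else ""
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        found.append("generic-salutation")

    return found


# Constructed sample: display name impersonates Enrollment Services from an unrelated domain.
SUSPICIOUS = """\
From: "Enrollment Services" <refunds@example-refund-portal.net>
To: student@example.edu
Subject: Action required: refund on hold
Content-Type: text/plain; charset="utf-8"

Dear Student,

Your refund is on hold. Verify your login and banking details within 24 hours
at http://example-refund-portal.net/verify or your account will be suspended.
"""

# Constructed sample: a plausible legitimate notice with no call to action.
LEGITIMATE = """\
From: "Enrollment Services" <enrollment@example.edu>
To: student@example.edu
Subject: Refund processed
Content-Type: text/plain; charset="utf-8"

Hi Alex,

Your refund was deposited to the bank account already on file. No action is needed.
"""

if __name__ == "__main__":
    print("suspicious:", phishing_indicators(SUSPICIOUS))
    print("legitimate:", phishing_indicators(LEGITIMATE))
```

The checks are deliberately simple keyword and header heuristics: they are a triage aid that surfaces the same signs a careful reader would look for, not a replacement for forwarding the message with its full headers to the ISO for analysis.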

Register for 2-Factor Authentication. 2-Factor Authentication (2FA) adds an additional layer of security to your accounts. If a cybercriminal were able to steal your username and password, they would still need possession of your second factor of authentication, such as a smartphone. CMU offers a free 2FA solution with Duo Security. Start protecting your accounts with Duo and register to use 2FA!

Where possible, enable bank change notifications so that you are alerted when aid payments are directed to a new bank account. Bank notifications can protect students by flagging changes to the banking details used for student loan disbursements.

Report any suspicious email regarding financial aid payments. If you are unsure of the validity of an email, forward the message in question, along with its email headers, to for a thorough analysis of the email.