FBI Cyber Bulletin: Spearphishing Campaigns Against Students at Multiple Universities

The following bulletin was obtained from the public website of a university.

Cyber Criminals Conducting Successful Spearphishing Campaigns Against Students at Multiple Universities

Page Count: 4 pages
Date: February 7, 2019
Restriction: TLP Green
Originating Organization: Federal Bureau of Investigation, Cyber Division
File Type: pdf
File Size: 403,250 bytes
File Hash (SHA-256): 8E575CD45CE264ECC3148B24B334B70A980AF3654480B0CE1F66BB1D77F6C1F5

Download File

The FBI has identified successful spearphishing campaigns directed at college and university students, especially during periods when financial aid funds are disbursed in large volumes. In general, the spearphishing emails request students’ login credentials for the University’s internal intranet. The cyber criminals then capture students’ login credentials, and after gaining access, change the students’ direct deposit destination to bank accounts within the threat actor’s control.


In February 2018, the FBI received notification of a spearphishing campaign targeting students at an identified University in the south eastern United States. The campaign occurred in January 2018 when an unidentified number of students attending the University received an email requesting their login credentials for the University’s internal intranet. Using the University’s intranet portal, the cyber criminals accessed a third-party vendor that manages the disbursement of financial aid to students and changed the direct deposit information for 21 identified students to bank accounts under the cyber criminal’s control. The threat actor stole approximately $75,000 from the 21 students. The student accounts were accessed by at least 13 identified US Internet Protocol (IP) addresses.

On 31 August 2018, the Department of Education identified a similar spearphishing campaign targeting multiple institutions of higher education. In this campaign, the cyber criminals sent students an email inviting them to view and confirm their updated billing statement by logging into the school’s student portal. After gaining access, the cyber criminals changed the students’ direct deposit destinations to bank accounts under the threat actor’s control.

The nature of the spearphishing emails indicates the cyber criminals conducted reconnaissance of the target institutions and understand the schools’ use of student portals and third-party vendors for processing student loan payment information. In addition, the timing of the campaigns indicates the cyber criminals almost certainly launched these campaigns to coincide with periods when financial aid funds are disseminated in large volumes.


The FBI recommends providers implement the preventative measures listed below to help secure their systems from attacks:

  • Notify all students of the phishing attempts and encourage them to be extra vigilant
  • Implement two-factor authentication for access to sensitive systems and information
  • Monitor student login attempts from unusual IP addresses and other anomalous activity
  • Educate students on appropriate preventative and reactive actions to known criminal schemes and social engineering threats
  • Apply extra scrutiny to e-mail messages with links or attachments directed toward students
  • Apply extra scrutiny to bank information initiated by the students seeking to update or change direct deposit credentials
  • Direct students to forward any suspicious requests for personal information to the information technology or security department

Share this: