School may be in session for your local cyber adversary.
Malicious actors are going back to school…not to brush up on their skills, but to try to defraud the universities and colleges they enrolled in using fake or stolen identities.
The fraudsters in these scenarios are known as “ghost students,” and they have become a costly problem for some post-secondary institutions. Earlier this year, the College of Southern Nevada claimed it lost roughly $7.5 million in federal aid because of ghost students. CalMatters reported that California community colleges have distributed over $5 million in federal Pell Grants to ghost students, or “Pell runners,” since fall 2021.
Mike Cook, head of fraud insights at Socure, which handles digital identity verification, told IT Brew that universities have begun to seek out his company’s help to address the problem. Cook, who says he has examined college admission data from dozens of colleges, said the scheme is currently a “pervasive” problem. The bad actors posing as students fail to show up to class or will leave once they collect their financial aid, leading to the ghost student moniker.
“They’ll show up. It may be a chat bot, it might be deepfake, but they’ll show up to class. They will do an assignment, which is generally AI-created,” Cook said. “But they’ll do just enough to where they get paid, and then they’re gone.”
IT Brew went into detail with Cook about the phenomenon of ghost students and the behaviors associated with them.
These responses have been edited for length and clarity.
What types of schools or universities are most susceptible to ghost students?
All of them. So, everybody is going to get attacked. That’s just the nature of fraud. The ones that are successful in making sure that they don’t put money in those pockets, and they are making sure they put the money in the right students’ pockets, are those that have the right technologies in place, which many of the university systems don’t have. They’re kind of older systems. They weren’t getting attacked by fraudsters this way. And again, think about AI. It’s relatively new. Fraudsters are using it. I think they’re doing a pretty good job using AI. And so, this is a new attack vector for them. And so the universities weren’t prepared, and still, many of them are not.
What’s the motive of the malicious actor that is pretending to be a ghost student?
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
I believe it’s financially motivated. Some people have talked about [the adversary] getting the .edu email, and with that comes certain privileges. But I don’t think those are the main things. I do think it’s all financially motivated.
How do ghost students impact actual students at universities?
Well, it takes space. Universities only have so many people, and they only have so many classes. [Imagine] you’re two years into a two-year degree and you have to take a certain class, and it’s all booked up. What are you going to do? So, it really does impact students’ ability to be admitted and to take a class. It probably hurts the instructors because that’s got to be a bummer that 20% of people just all of a sudden don’t show up anymore.
Are there any stats that you’ve encountered on this topic that stand out?
One of the things that stood out for me…is that the names are all formal names. That’s what I noticed. I’m going through and I’m looking at the data, and I mean all the data, thousands and thousands of records, and I’m noticing “Michael,” “Michael,” “Michael.” I’m noticing “David,” “David,” “David,” “David,” “David”...It was interesting how they’re all formal names. So, either they stole a breached file that was from an organization that gathers formal names—maybe like a government source—and they were using these formal names in the advanced admissions process.
What are some ways that universities and colleges can catch ghost students in their systems?
A lot of these [schools] are online. When you’re online, it’s good and bad. You don’t get to see the person. They’re not right in front of you. There’s not cameras all over the place, which kind of scares fraudsters. But what they do have is a digital footprint. And what we’re finding with these bad actors is…because they’re using a proxy, it looks like they’re trying to come in from California, even though it could be in Russia or China. And what we’ll see is that, using that device information from the applicant, will tell you certain times that, “Oh, hey, this attack is coming from Russia, even though it looks like it’s here in California.”...The most important thing that the universities can do is scale up their fraud operations. It comes down to checking admissions in real time and stopping those guys.