The FBI is warning universities across the nation of widespread “spear phishing” attacks designed to steal federal tuition aid from students.
Unlike regular phishing emails, which target people with generic language such as “Dear bank customer,” spear phishing targets a particular individual with highly personalized messages that often seem to come from trustworthy email accounts.
Criminals have been launching these attacks against financial-aid recipients since at least 2018, obtaining the recipients' login credentials and using them to reroute aid payments from student accounts to criminal accounts.
Spear phishing emails can look genuine
Spear-phishing attacks can be hard to detect, especially if you’re scanning emails quickly. They appear to come from trusted domains such as @rutgers.edu. They read well. They use accurate personal information about you — the sort of information that the supposed sender would know — to “prove” their legitimacy. In many instances, they claim to come from a person in authority, like a dean or a lending officer.
How students can protect themselves
With the incidence of such attacks rising, the FBI is urging students to take several steps to secure their payments:
- Exercise increased vigilance. Hover over any link in an email with your mouse to see whether it would take you outside of the expected domain (such as rutgers.edu or yourbank.com). Mobile device users can preview link addresses by pressing and holding on links.
- If the link goes to an unfamiliar domain, DO NOT CLICK ON THE LINK, especially if you have not verified the source of the email.
- Never provide your Rutgers credentials (NetID or password) to any source via email. Genuine university staffers will NEVER ask for your password.
- Report any suspicious email to firstname.lastname@example.org.
- Where possible, enable notifications when aid payments are directed to a new bank account.
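The link check described in the first two steps can also be done programmatically. The sketch below is an added example, not part of the FBI or university guidance: it lists every link in an HTML message and flags those whose real host falls outside the expected domains. The sample message, its hostnames, and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED = ("rutgers.edu", "yourbank.com")  # the example domains named in the advice above

# Constructed sample message body; every hostname in it is made up for this example.
SAMPLE = """<p>Dear student, your aid refund is ready.</p>
<a href="https://finaid.rutgers.edu/refunds">Financial aid portal</a>
<a href="https://rutgers.edu.example.net/login">https://rutgers.edu/login</a>
<a href="https://rutgers.edu@example.net/login">Confirm NetID</a>
<a href="https://notrutgers.edu/login">Rutgers login</a>"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    # urlsplit discards any "user@" prefix, so "https://rutgers.edu@host/" yields "host".
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return ""

def in_expected_domain(url, expected=EXPECTED):
    host = host_of(url)
    # Exact match or a true subdomain only. A substring or bare suffix test
    # would accept "rutgers.edu.example.net" and "notrutgers.edu".
    return any(host == d or host.endswith("." + d) for d in expected)

def review(html_body, expected=EXPECTED):
    """Return (href, visible text, verdict) for every link in the message."""
    parser = LinkCollector()
    parser.feed(html_body)
    return [(h, t, "expected domain" if in_expected_domain(h, expected)
             else "OUTSIDE expected domain") for h, t in parser.links]

if __name__ == "__main__":
    for row in review(SAMPLE):
        print(row)
```

Only the first link in the sample passes; the other three show why the visible link text and a quick glance at the start of the address are not enough.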
More information about phishing
Looking for more information to protect yourself from phishing scams? Check out these resources:
- Phish Bowl webpage with examples and videos of phishing scams
- Tips to avoid phishing and identity theft
- Reporting suspected scams