
A significant surge in phishing attacks has been observed targeting higher education institutions in the U.S., with cybercriminals exploiting academic trust, financial aid systems, and university login portals. According to a new report from Mandiant, this campaign has been ongoing since at least October 2022, with a sharp increase recorded in August 2024, coinciding with the start of the academic year.
Cybercriminals have devised three primary attack methods to exploit students, faculty, and staff:
- Google Forms Phishing Campaigns – Attackers use compromised university accounts to create fake Google Forms requesting sensitive information.
- Cloned University Login Pages – Cybercriminals replicate official university login portals and trick users into entering their credentials.
- Two-Step Phishing Targeting Staff & Students – Attackers first compromise faculty emails, then use them to send fraudulent job application forms to students.
These methods leverage timely academic themes such as financial aid verification, account security alerts, and urgent medical responses to deceive victims.
One campaign identified by Mandiant involved emails mimicking legitimate university communications, instructing students to verify their financial aid details via a malicious Google Form. The phishing emails contained a request to update financial information within 24 hours, warning of potential delays in receiving student funds. Once users submitted their credentials, attackers repurposed the compromised accounts to propagate further phishing attacks using university email infrastructure.
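The reuse of compromised accounts described above leaves a recognizable pattern in mail telemetry: an internal sender, a Google Forms link, lure wording, and a wide recipient list. The following detection sketch is an added example, not code from Mandiant's report; the message field names, the `university.example` domain, the lure term list, and the fan-out threshold of 20 are all assumptions, and the sample messages are constructed.

```python
import re
from urllib.parse import urlparse

# Lure themes taken from the campaigns described in the article (term list is an assumption).
LURE_TERMS = ("financial aid", "refund", "deactivat", "within 24 hours", "verify")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
FANOUT = 20  # assumed threshold for "wide" distribution

def is_google_form(url):
    """True only for real Google Forms hosts, not lookalike subdomains."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    return host == "forms.gle" or (host == "docs.google.com" and u.path.startswith("/forms/"))

def score_message(msg, campus_domain):
    """Return (score, reasons): one point per signal present in the message."""
    reasons = []
    text = (msg["subject"] + " " + msg["body"]).lower()
    if msg["sender"].lower().endswith("@" + campus_domain):
        reasons.append("internal sender")
    if any(is_google_form(u) for u in URL_RE.findall(msg["body"])):
        reasons.append("google form link")
    if any(t in text for t in LURE_TERMS):
        reasons.append("lure wording")
    if len(msg["recipients"]) >= FANOUT:
        reasons.append("wide fan-out")
    return len(reasons), reasons

def flag_messages(messages, campus_domain, threshold=4):
    """Return senders whose message shows at least `threshold` signals."""
    return [m["sender"] for m in messages if score_message(m, campus_domain)[0] >= threshold]

# Constructed sample messages (not taken from the report).
STUDENTS = [f"s{i}@university.example" for i in range(40)]
SAMPLE = [
    {"sender": "jdoe@university.example", "recipients": STUDENTS,
     "subject": "Financial aid verification required",
     "body": "Update your details within 24 hours: https://docs.google.com/forms/d/e/EXAMPLE/viewform"},
    {"sender": "registrar@university.example", "recipients": STUDENTS,
     "subject": "Course survey",
     "body": "Optional survey: https://docs.google.com/forms/d/e/EXAMPLE2/viewform"},
    {"sender": "prof@university.example", "recipients": ["ta@university.example"],
     "subject": "Refund paperwork", "body": "Please verify the attached receipt."},
]

if __name__ == "__main__":
    print(flag_messages(SAMPLE, "university.example"))
```

Requiring all four signals keeps routine internal surveys and one-to-one finance mail out of the alert queue; lowering `threshold` trades precision for recall.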

Another attack involved cloning university login pages, making them appear identical to official portals. These fake sites:
- Used JavaScript-based mobile detection to redirect mobile users to custom phishing domains.
- Hosted fake login forms to capture student and faculty credentials.
- Implemented real-time keylogging to instantly capture entered data.
A two-step phishing campaign targeting university staff and students was observed by Google’s Workspace Trust and Safety team. Attackers initially sent phishing emails to faculty and staff, designed to trick them into providing their login credentials to view a document about a raise or bonus.
These campaigns employed tactics to obfuscate malicious activity and increase perceived legitimacy, ultimately aiming to perform payment redirection attacks. Victims were tricked into revealing login credentials and financial information through various pretexts, including requests for school portal login verification, financial aid disbursement, refund verification, account deactivation, and urgent responses to campus medical inquiries.
Mandiant’s report highlights the growing threat of phishing attacks targeting the education sector. Universities and colleges are urged to implement robust security measures, including multi-factor authentication, employee training, and advanced email security solutions, to protect against these threats.