Scammers: 5 Admissions Techniques That Help Them + 7 That Stop Them
Preventing fraud is a significant challenge for most higher education institutions. In order for a bad actor to attempt student-related fraud, he/she must enter through the admissions process. In this article, we will discuss the impact of fraud, the costs, and how good (or bad) processes can affect an institution's success in this area.
Types of Fraud and Impact
In general, there are 3 different things that bad actors wish to accomplish when looking at this type of fraud:
- They want to create an identity for future nefarious activities
- They want to gain access to and use resources that the institution provides to its students (most often, software subscriptions)
- They want to use a stolen ID to steal money from a victim or the institution
When accomplishing these goals, the institution pays a price:
- When a false identity is created and later used in other attacks, the institution's reputation suffers. This could cause the institution's domain to be flagged as untrustworthy (or as a hacking site), and it could also hurt the institution's reputation from a research perspective.
- When the institution provides access to its resources to non-students, it directly hits the IT budget for software subscriptions.
- When the onboarding process is used to steal money from victims of identity theft, the institution may itself be the victim, or it may have to reimburse the actual victim once the theft is discovered. The cost for one medium-sized institution we are working with is well over $100,000.
Threat Vectors
There are 2 primary threat vectors by which this type of fraud is perpetrated.
- Bots that create and submit admissions applications. These bots do not use real identities; they generate much of the content via rules. These attacks generally require little investment per attempt by the bad actor, allowing a high volume of attempts without needing a high success rate. This is the threat vector for creating false identities and stealing software subscriptions.
- Scams that utilize stolen identity information to navigate the admissions process, pay tuition, and request a refund. These attacks require much more investment per attack by the bad actor, but the rewards are much more significant when successful.
How a Bot Attack Develops
- A bot is taught how to begin an application, enter data, and submit it. In some circumstances, it may be sufficient for the bot to create a login to achieve its goals.
- Once the fake person / fake application is submitted, the person is matriculated into the student information system (or, if the application technology is the SIS itself, the student may not need to be matriculated separately).
- The onboarding process for the institution is triggered. This generally involves the following:
  - A student ID and university email are created
  - The student ID is provisioned to get access to other resources needed as a student at the institution (such as Microsoft 365)
  - The university email can now be used for other scams or phishing attacks
  - Subscriptions meant for students can now be used by other people
How an Identity Theft Attack Develops
- A bad actor gains access to the confidential identity information of a victim through other means
- He uses the victim's identity information to complete an application for admissions for the institution and submits it
- The application created by the bad actor is matriculated
- The bad actor could apply for financial aid if the compromised PII supports it
- The bad actor pays tuition and enrolls in classes. If financial aid is available, he/she uses it in lieu of part (or all) of the tuition
- Prior to the drop date, the bad actor drops all courses and requests a refund to a payment method different from the one used to pay tuition
Note that for certain types of financial aid (such as a Pell Grant), it is possible to receive the aid in a way that supports this type of attack.
How an institution's admissions process allows this
The following things within an admissions and enrollment process allow these types of attacks to be successful.
- The ease of account creation. When an account can be created and carried far enough into the admissions process to enable an attack, bots can be programmed to do exactly that. It is important to strike the right balance between making it easy for real prospective students to apply and making it difficult for bots to succeed.
- Automatic matriculation. For many institutions, such as community colleges, how quickly a candidate can be matriculated directly affects how likely he/she is to enroll. That is why many schools automatically matriculate submitted applications. This, however, triggers the processes that create a student ID, create an email, and grant access to other resources.
- Shared credentials between the application for admissions and the SIS. This happens most often when the application for admissions exists as part of the student information system. When the credentials for a prospective student are kept in the same repository as those of active students, it complicates processes meant to control access, especially when the institution matriculates automatically.
- Refund policies that allow somebody to use a different payment method for a refund than that which was used for the original payment.
- Insufficient identity verification processes prior to matriculation and/or enrollment.
Best Practices
Here are some best practices in protecting yourself from attacks:
Bot-related Attacks
The best way to defeat bot-related attacks is to make attacking your institution too expensive to be worthwhile. Because the bot strategy relies on a large number of very inexpensive attempts, the best approach is to raise the cost of each attempt for the bot without making the process harder for applicants.
1. Require payment of an application fee up front.
This is only appropriate if you're charging an application fee. If the bot can't get the application to the point of matriculation without paying a fee, the institution won't be creating a student ID, creating an email, or performing other provisioning steps.
It is critical to request the application fee at the appropriate time. If you request it before creating a login to complete the application, you will discourage people from starting the application for admissions. Therefore, it is best to collect it when the application for admissions is complete and ready for submission.
If you have the ability to capture the application and payment outside of the student information system and only create the student record after the payment is received, that is the best way to accomplish this. This is what our customers do.
2. Use a Captcha in order to start the admissions process
This is a common means by which institutions make it too difficult for a bot to start the process. It can be effective, but it also makes it much more difficult for real prospective students to get started. This is especially true for people with disabilities. If you're capturing the application fee up front, captchas don't add any additional benefit.
3. Blacklist known domains of bots / scammers
This can decrease the bot traffic, but it will not prevent bots from using different domains (and a domain must be known before it can be blacklisted).
4. Require an email to be verified before an application can be submitted
This adds a step to the application process: the applicant goes to his/her email and clicks a link to verify the address. Although it is possible to develop a bot to do this, it adds cost that may cause an attacker to abandon your institution for one that is an easier target.
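The sequencing described in items 1 and 4 above (fee requested only once the form is complete, email verified, and no student ID, mailbox or subscription provisioned until the fee is paid), as an added Python example that is not the page's or any vendor's admissions code; the state names and provisioned resources are assumed:

```python
"""Admissions application gate: no SIS record, student ID or mailbox exists
until the form is complete, the email address is verified and the fee is
paid. This is an added illustration of the bot controls above, not any
institution's or vendor's admissions software; all names are assumed."""
from dataclasses import dataclass, field

# Legal order of steps; the only allowed transition is to the next one.
STEPS = ["started", "completed", "email_verified", "fee_paid",
         "submitted", "matriculated"]

class GateError(Exception):
    pass  # raised when a step is skipped, e.g. submitting without paying

@dataclass
class Application:
    email: str
    state: str = "started"
    provisioned: list = field(default_factory=list)  # filled on matriculation

def fee_requested(app: Application) -> bool:
    """Fee prompt appears only after completion + email verification."""
    return app.state == "email_verified"

def advance(app: Application, target: str) -> Application:
    """Move one step forward; skipping a step raises GateError."""
    nxt = STEPS.index(app.state) + 1
    if nxt >= len(STEPS) or STEPS[nxt] != target:
        raise GateError(f"cannot move from {app.state!r} to {target!r}")
    app.state = target
    if target == "matriculated":
        # Provisioning runs here and nowhere else, i.e. only after payment.
        app.provisioned = ["student_id", "mailbox", "m365_licence"]
    return app

def honest_flow(email: str) -> Application:
    app = Application(email)
    for step in STEPS[1:]:  # a real applicant walks every step in order
        advance(app, step)
    return app

def bot_skips_fee(email: str) -> str:
    """A scripted submission that never pays: returns the gate's rejection."""
    app = Application(email)
    advance(app, "completed")
    advance(app, "email_verified")
    try:
        advance(app, "submitted")  # 'fee_paid' was skipped
    except GateError as exc:
        return str(exc)
    return "accepted"
```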
Identity Theft-related attacks
Because the scammer uses valid personal information from an identity theft victim, it is much easier to prevent the bad actor from receiving any benefit from the attack than to prevent the attack altogether. Therefore, controls over the refund process are the most effective means of protecting yourself:
1. Tighten the refund process
If a bad actor uses a stolen credit card to obtain a good or service but must take any refund to that same stolen credit card, he/she gets no benefit from the attack. In many circumstances, a university uses a payment gateway that cannot enforce this restriction, but where it is possible, this is the best means of thwarting attacks. If a credit card is expired or locked (or a bank account is locked), many institutions require the person to come to the bursar's office to prove his/her identity and get a refund.
In a similar manner, restricting how refunds of payments made via financial aid are issued will also address this.
2. Use an identity verification service
Another option is to use an identity verification service prior to issuing a refund, so that a person must prove his/her identity beyond the information a scammer can generally steal. This option can be expensive if used for all applicants ($1 - $2 per verification). However, if it is tied to the refund request process, the cost may be justified by the losses it prevents.
3. Verify identity manually
When an institution verifies residency or immigration status, part of the process is verifying the identity of the person to ensure that the supporting documents provided are theirs. Because scammers want to get through the process with as little attention as possible, they don't request in-state residency. However, the processes already exist, and an institution can use the same processes to verify identity prior to issuing a refund.
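The refund controls in items 1 through 3 above, as an added Python example that is not the page's or any institution's payment-gateway or SIS code (all field names and sample amounts are constructed): refunds go only to the instruments that paid, aid-funded amounts return to the aid source, and an expired or locked instrument, or a refund larger than what was paid, is held for in-person identity verification.

```python
"""Refund-authorization check for the controls above. Refunds go back only to
the instrument(s) that paid; amounts paid by financial aid return to the aid
source; an expired or locked original instrument sends the refund to the
bursar for in-person identity verification. Added illustration, not any
institution's payment-gateway or SIS code; field names are assumed."""
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Payment:
    instrument_id: str   # token of the card/bank account that paid (constructed)
    amount: Decimal
    source: str          # "card", "ach" or "financial_aid"
    usable: bool = True  # False if the card expired or the account is locked

# Constructed sample: $3,000 paid by card, $2,000 covered by a grant.
SAMPLE_PAYMENTS = [Payment("card_1111", Decimal("3000"), "card"),
                   Payment("aid_grant", Decimal("2000"), "financial_aid")]
# Constructed sample: $500 paid by a card that has since been locked.
SAMPLE_LOCKED = [Payment("card_2222", Decimal("500"), "card", usable=False)]

def authorize_refund(payments: list, amount: Decimal, requested_dest: str) -> dict:
    """Return a refund plan: per-instrument amounts, aid-source portion,
    amount held for manual identity verification, and audit notes. The
    requester's preferred destination is never honoured; if it is not one
    of the paying instruments, that is recorded as a red flag."""
    plan = {"to_original": {}, "to_aid_source": Decimal(0),
            "manual_review": Decimal(0), "notes": []}
    if amount > sum((p.amount for p in payments), Decimal(0)):
        plan["manual_review"] = amount
        plan["notes"].append("refund exceeds total paid")
        return plan
    remaining = amount
    # Aid-funded tuition is drawn down first and never goes to a person.
    for p in sorted(payments, key=lambda p: p.source != "financial_aid"):
        if remaining <= 0:
            break
        part = min(p.amount, remaining)
        remaining -= part
        if p.source == "financial_aid":
            plan["to_aid_source"] += part
        elif not p.usable:
            plan["manual_review"] += part
            plan["notes"].append(f"{p.instrument_id} unusable: verify identity at bursar")
        else:
            orig = plan["to_original"]
            orig[p.instrument_id] = orig.get(p.instrument_id, Decimal(0)) + part
    paying = {p.instrument_id for p in payments if p.source != "financial_aid"}
    if requested_dest and requested_dest not in paying:
        plan["notes"].append(f"requested destination {requested_dest} ignored")
    return plan
```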