That Student In Your Community College Class Could Be A Bot
On the first day of spring term this year, an aeronautics professor came to administrator Laura Hope to share something suspicious: Most of the students in his virtual class weren’t participating at all.
Hope, the head of instruction at Chaffey College, a community college in Southern California’s Inland Empire, dove into the college’s records to find out why.
The shocking answer? These weren’t real students, but scammers likely out to bilk taxpayers of millions of dollars in financial aid. Faculty and staff caught onto the scam before any dollars went out, Hope said. If they hadn’t, about $1.7 million would have landed in the hands of fraudsters.
Chaffey is not the only California community college to report such a scam, according to a CalMatters investigation. Officials with the 116-college system say they are seeing a spike in cyberattacks since the pandemic, which they suspect is because the scammers are targeting federal COVID-19 relief grants along with traditional financial aid. At least 10 districts or individual colleges have told CalMatters they’ve had increases in fake applications, registrations, financial aid filings, or some combination of the three. The Chancellor’s Office estimates that about 20% of the traffic coming to the system’s online application portal is from bots and other “malicious” actors.
Bots are filling up classes, in some cases preventing real students from enrolling. And identifying and blocking the fake student accounts is taking up considerable staff time, college officials say. They say the system is being targeted partly because it is open enrollment and does not have an application fee.
“It’s a well-orchestrated, analytically led assault on the weaknesses in our system,” Hope said.
This week, the California Student Aid Commission told the Los Angeles Times it had identified more than 65,000 applications for aid from purported community college students that appear to be fake, lending credence to the idea that scammers are seeking to get their hands on state grants.
And in a memo to colleges Monday, the community college system’s vice chancellor for digital innovation and infrastructure, Valerie Lundy-Wagner, announced new security measures to combat the threat.
Scammers seek student email addresses, federal aid
While reports of fraud have increased recently, cyberattacks on the state’s community colleges aren’t new — and the perpetrators don’t necessarily have to be sophisticated hackers.
A quick search on YouTube shows countless videos detailing how to make fraudulent student accounts to get a .edu email address for free or discounted access to software, online shopping and digital music.
In a video from “Targetter,” a YouTuber who appears to be based in India, he walks his 70,000 viewers through the process of obtaining a .edu email using a bot downloadable from his account bio.
“It’s all automated, you don’t need to do anything,” the YouTuber says as code scrolls in a pop-up window. Another pop-up screen provides options to “enroll” at one of four listed California community colleges — Contra Costa College, Mt. San Jacinto College, San Francisco City College and Sacramento City College.
“All I have to do now is just sit back and relax,” he says as the bot populates a Contra Costa College application with fake personal information. Within seven minutes, “Targetter” had enrolled at Contra Costa College as Ivan N. Atkinson for the fall 2020 term.
In a follow-up video, he mentions that the bot is no longer functioning due to security updates to the community colleges’ website, but encourages viewers to make their own changes to the code.
“The thing about this is that it’s not hard to do,” said Nick Merrill, a cybersecurity research fellow at UC Berkeley. “The code is obviously floating around to do this to a handful of colleges.”
The influx of federal emergency aid and the shift to remote learning — which makes it easier for scammers to hide behind a screen rather than appear in person — have made the community college system even more attractive to bad actors, college officials say. That, coupled with college administrators’ desire to get the money out as soon as possible to students walloped by the pandemic’s economic effects, creates a tough balancing act for officials charged with protecting taxpayer money while doling out vital aid.
Across three rounds of federal emergency relief, California’s community colleges will receive at least $4.3 billion, of which $1.75 billion will go directly to students.
The tell-tale signs of fraud at Chaffey were evident as soon as Hope started investigating the professor’s concerns. One so-called student enrolled in an aeronautics and nursing course. “Those are not programs that cross over,” Hope said. Those classes do, however, have high unit loads, moving students closer to becoming eligible for the maximum amount of financial aid.
Officials at the college found roughly 500 accounts they deemed were fake – and their student data profiles carried similar red flags. One giveaway: the applications that these students submitted came from the same IP address – an online identifier that shows where someone is located. Many of the applications had the same email addresses. Few had corresponding phone numbers.
Other colleges reported dramatic surges in applications during the 2020-21 school year, despite an eventual drop in enrollment. “We get about 33,000 applications a year. This year we got 75,000,” said Brandon Moore, executive dean of institutional effectiveness at Mt. San Jacinto College in Riverside County. ”Most of those are not real students.”
The Contra Costa Community College District flagged nearly 40,000 fake applicants in fall 2020, up from 12,000 in 2019. Other colleges that identified false accounts during the pandemic include College of the Sequoias, Citrus College, Compton College, College of the Siskiyous, Southwestern College and Ohlone College, CalMatters found.
In some cases, college officials identified fraud right before they would have disbursed financial aid — like at Fullerton College, which had to stop payment on more than $1 million in Pell Grants this summer after identifying some 3,000 fake student accounts, said financial aid director Greg Ryan.
The Peralta Community College District also reversed $4,800 in fraudulent summer financial disbursements after discovering more than 125 fake applications, according to a report from the district’s chancellor’s office to its board of trustees.
Impact on real students
In Kathryn Maurer’s anthropology class at Foothill College in Silicon Valley, 23 out of 50 students were fake, filling the class right away. Because community college classes are open access, said Maurer, she couldn’t remove students from the roster until the start of class when students were able to use Canvas, the college’s online learning system.
Even then, there was some participation in class. She was suspicious of some “students” because they would only answer the first question on a quiz. In an assignment asking students to introduce themselves, Maurer said that some of the posts listed the exact same information with only the name and place changed.
But by the time fraudulent accounts were purged, it was too late for real students to enroll, Maurer said.
Students walk the campus of Foothill College in Los Altos Hills. The community college has tightened security after seeing an increase in fraudulent applications for financial aid. Photo courtesy Foothill College
Fake students accounted for 2-3% of Foothill’s enrollment in the past two quarters, said Anthony Cervantes, the dean of admissions. The college has put in hundreds of hours investigating potential fraud, Cervantes said, and real students sometimes get caught in the dragnet.
“We’re trying to get back to those students that are real as soon as possible,” he said. “We’re trying to prevent enrollment by these fraudulent groups, so they don’t take the seats out from students.”
After identifying 1,600 fake federal financial aid applications within the last two quarters — which likely involves identity theft as it requires a real Social Security number — the college started requiring suspicious accounts to digitally upload an ID to prove they are real students. Most fraudsters disappear at that point, college officials said.
Administrators at several colleges said they’re worried about the potential impact of fraud on real students when the community college system as a whole is battling enrollment declines. “To know that we possibly disappointed students or turned students away of course doesn’t feel good, and especially when enrollment is more precious than ever,” Hope said.
A national pattern of cyberattacks
The scams may be part of a national trend; cyberattacks on U.S. educational institutions have increased 15% since the beginning of 2021, according to data from Check Point, a cybersecurity firm with a research arm.
The Chancellor’s Office has reported the uptick in fraud to the U.S. Department of Education’s Office of the Inspector General, said spokesperson Paul Feist. A spokesperson for the Inspector General said that it can confirm an increase in fraud reporting for both the California community college system and those in other states, but is “unable to provide any additional data as it could relate to current cases.”
Chancellor Eloy Ortiz Oakley told the Los Angeles Times Monday he was “alarmed” by the threat.
“There’s lots of unscrupulous players right now trying to access and exploit benefits, not unlike what’s happened with unemployment insurance and any number of other benefits that have been made available recently because of the pandemic,” Oakley said. “But I’m confident that the colleges have been able to identify the activity and are working to mitigate the risk to campuses.”
Creating a fake student account is just the first step. For fraudsters to breach the gates and run off with federal student aid, a lot has to happen.
First, they have to bypass the filters that colleges have been urged by the Chancellor’s Office to set up to detect suspicious accounts. Next, the scammers would have to regularly participate in classes to avoid the scrutiny of professors who are trained to look out for suspicious online student profiles that don’t engage in class material.
Then there’s making it past the financial aid office. Under the Biden administration, the federal COVID relief aid is open to virtually any student, even those without financial aid applications on file. At some community colleges, students must pick up grant checks in person using a federal or state ID that matches their student profile. But others have waived that step during the pandemic.
Fighting the fraud
Faculty play a key role in combating fraud, because they are responsible for dropping students from class if they aren’t participating by about three weeks into the term, when the college does a formal enrollment count, known as census.
“It is vital that faculty remove non-attending students by the Census date to significantly reduce the likelihood that financial aid is disbursed fraudulently,” wrote Lundy-Wagner, the vice chancellor, in another memo to colleges in June.
But with much instruction still taking place online, that can be difficult to monitor, say instructors like Maurer, who sometimes teaches as many as 200 students each quarter.
“This should not be on the faculty’s plate,” she said.
In the past, much of the burden to detect fraud has fallen on individual colleges. But this summer, the California Community Colleges Chancellor’s Office rolled out a new bot detector to catch malicious traffic to its application website.
Starting this month, any student accounts associated with fraudulent activity will be suspended. The statewide college system will also begin requiring campuses to submit monthly reports detailing suspected and confirmed registration and financial aid fraud, including any dollars erroneously paid to scammers.
By October, students will be required to use multi-factor authentication that requires confirmation of an email or phone number before they can complete an application.
Patrick Perry, the California Student Aid Commission’s director of policy and research, described the state’s response so far as a “success story.”
Despite the surge in attempted fraud, “the system worked as it should: numerous folks at numerous levels caught this and figured it out,” he said.
But Merrill, the cybersecurity expert, said an ongoing, centralized defense by the community college system would be important to stem the tide of bot students.
“The only way to make this scale is to use the same repository, the same tools across many colleges and many applications,” he said.