Student Loan Forgiveness & The Phishing Problem: Why It’s More Prevalent than Ever

By Ayelet Eliezer

Last month, the White House announced the first step in its much-anticipated student loan forgiveness program. By completing a single application, up to 40 million Americans received the chance to apply for forgiveness and may receive up to $20,000 in debt relief.

However, for as much promise as the program holds, alarms have been raised around possible scams against applicants. As detailed by CNN, both Biden officials and industry insiders are now fearful that the program’s rollout could lead to a massive surge in scams, specifically those that use nefarious tactics and lookalike sites to fool borrowers.

Already, some borrowers report receiving student loan relief scams and misinformation in text messages, phone calls, and emails – leading to considerable worry that the next few months could see a significant uptick in successful attacks and, further, the theft of borrowers’ confidential and valuable information.

Why Phishing

Currently, the most common scam used by criminals is phishing – tactics that spoof real websites or messages to trick users into divulging confidential information. These threats have increased significantly in previous years, as the financial sector saw 23.6% of all attacks come from phishing in Q1 2022, and in 2021 alone, consumers lost $43 billion to phishing scams.

Phishing is a targeted social engineering scam, one that preys on human nature to deceive consumers into making poor decisions. In situations like the student loan forgiveness application, a phishing site could impersonate the real Department of Education URL, causing borrowers to reveal sensitive and confidential data – such as their FSA log-in ID and password. Further, text messages and emails can be spoofed to appear as if they are coming from an official account, alongside a sense of urgency implying that a borrower will lose their status if they don’t act immediately. One example of a common phrase seen by borrowers has been this: “Please verify your student loan information now to maintain your eligibility for forgiveness.”

As a first step, the Biden administration has assured the public that they do not need to enter their FSA ID or upload documents to apply, and further, that they will never receive communications regarding forgiveness via phone or text. However, while this might help to heighten public awareness, it is very easy to accidentally reveal PII (personally identifiable information), giving attackers a window to access systems and then continue to perpetuate financial and structural harm.

For a recent example of this, one needs to look no further than the Uber phishing event, where a single human weak point led to a leak that resulted in massive reputational harm for the company. In Uber’s case, the attacker managed to trick an upper-level employee into divulging their credentials through multiple MFA requests, which then led to the criminal accessing key internal systems. While it appears that the attacker was unable to view personal information for Uber’s user base, the company still faced significant backlash related to its security protocols, not to mention a lack of consumer trust that they can prevent further attacks.

What Can We Do?

In the case of phishing, there are several available tools to defend against attacks and, in the event of a successful breach, prevent further harm from taking place. One such solution is behavioral biometrics, a technology that uses AI and machine learning to monitor users and build a behavioral profile for each one, so it can identify fraudulent, anomalous behavior in real time.

At its core, this technology creates a persona based on a user’s digital, physical, and cognitive behavior – analyzing device orientation, keystrokes, touchscreen activity, duration of a session, and more to recognize the user. It then uses this information to continuously monitor and verify genuine users based on the person’s activity on the device, or in the case of illegal activity, alert the bank to take action. For example, a consumer’s credentials might give criminals access to their financial institution. But with behavioral biometrics, they would quickly be identified before funds are transferred and lost, giving the bank a chance to stop the crime and alert the account owner and authorities.
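As an added illustration (not code from the article or from any vendor's product), the sketch below builds a per-user baseline from known-genuine sessions and scores a new session against it. A plain z-score baseline stands in for the machine-learning models described above; the feature names, sample values, and the threshold of 3.0 are constructed assumptions.

```python
from statistics import mean, stdev

# Constructed sample data: feature names and values are illustrative only.
FEATURES = ("key_interval_ms", "touch_pressure", "device_tilt_deg", "session_seconds")
ENROLLED = [  # sessions already known to belong to the genuine user
    dict(zip(FEATURES, row)) for row in [
        (180, 0.42, 35, 240), (175, 0.45, 38, 300), (190, 0.40, 33, 260),
        (185, 0.44, 36, 280), (170, 0.39, 38, 220),
    ]
]
GENUINE = dict(zip(FEATURES, (182, 0.43, 37, 250)))  # same person, new session
SUSPECT = dict(zip(FEATURES, (60, 0.0, 0, 45)))      # right password, wrong behaviour


def build_profile(sessions):
    """Return {feature: (mean, stdev)} learned from known-genuine sessions."""
    profile = {}
    for f in FEATURES:
        values = [s[f] for s in sessions]
        # Floor the spread so a perfectly consistent feature cannot divide by zero.
        profile[f] = (mean(values), max(stdev(values), 1e-6))
    return profile


def assess(profile, session, threshold=3.0):
    """Score one session against the profile using per-feature z-scores."""
    z = {f: abs(session[f] - m) / sd for f, (m, sd) in profile.items()}
    score = (sum(v * v for v in z.values()) / len(z)) ** 0.5  # RMS deviation
    return {
        "anomalous": score > threshold,
        "score": round(score, 2),
        "outliers": sorted(f for f, v in z.items() if v > threshold),
    }


PROFILE = build_profile(ENROLLED)

if __name__ == "__main__":
    for name, session in (("genuine", GENUINE), ("suspect", SUSPECT)):
        print(name, assess(PROFILE, session))
```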

When it comes to the student loan forgiveness program, it’s easy to see how behavioral biometrics would help individuals who may have been fooled by a phishing attack. The leaked or stolen information cannot be taken back, but any red flag activity could be identified, whether the user’s information was being used to open up new accounts, or a social engineering scam was underway in an attempt to access their current accounts and move funds. Institutions that leverage advanced technologies can quickly ascertain when it is not the legitimate user and take the appropriate steps.

The Path Forward

The good news is that the Biden administration is paying attention. In addition to their announcements regarding the application process, CNN reports that officials have also announced “ongoing and expanded efforts across the administration to combat scams and misinformation,” including “educating borrowers about how to protect themselves against scams and accelerating efforts to share scam complaints with states.”

Reportedly, this will include a “dos and don’ts” document outlining guidance for consumers to follow. Further, the administration is also coordinating efforts at the state and local levels to combat scams, with plans to use a social media campaign and the FTC’s Consumer Sentinel complaint network to report fraudulent activity.

As Biden’s student loan forgiveness program gets underway, it’s imperative that both individually and industry-wide, we all work together to stymie efforts to defraud common Americans. While phishing attacks represent one attack avenue for criminals, these tactics can lead to a larger fraud lifecycle and significant hardship down the line. The time is now to address these attacks head on.

Ayelet Eliezer is the SVP of Product Management at BioCatch.

