Student Loan Forgiveness & The Phishing Problem: Why It’s More Prevalent than Ever

By Ayelet Eliezer

Last month, the White House announced the first step in its much-anticipated student loan forgiveness program. By completing a single application, up to 40 million Americans received the chance to apply for forgiveness and may receive up to $20,000 in debt relief.

However, for all the promise the program holds, alarms have been raised about possible scams against applicants. As detailed by CNN, both Biden officials and industry insiders are now fearful that the program’s rollout could lead to a massive surge in scams, specifically those that use nefarious tactics and lookalike sites to fool borrowers.

Already, some borrowers report receiving student loan relief scams and misinformation in text messages, phone calls, and emails – leading to considerable worry that the next few months could see a significant uptick in successful attacks and, further, the theft of borrowers’ confidential and valuable information.

Why Phishing

Currently, the most common scam used by criminals is phishing – tactics that spoof real websites or messages to trick users into divulging confidential information. These threats have increased significantly in recent years: the financial sector saw 23.6% of all attacks come from phishing in Q1 2022, and in 2021 alone, consumers lost $43 billion to phishing scams.

Phishing is a targeted social engineering scam, one that preys on human nature to deceive consumers into making poor decisions. In situations like the student loan forgiveness application, a phishing site could impersonate the real Department of Education URL, causing borrowers to reveal sensitive and confidential data – such as their FSA log-in ID and password. Further, text messages and emails can be spoofed to appear as if they are coming from an official account, alongside a sense of urgency implying that a borrower will lose their status if they don’t act immediately. One example of a common phrase seen by borrowers has been this: “Please verify your student loan information now to maintain your eligibility for forgiveness.”

As a first step, the Biden administration has assured the public that they do not need to enter their FSA ID or upload documents to apply, and further, that they will never receive communications regarding forgiveness via phone or text. However, while this might help to heighten public awareness, it is very easy to accidentally reveal PII (personally identifiable information), giving attackers a window to access systems and then go on to cause financial and structural harm.

For a recent example of this, one needs to look no further than the Uber phishing event, where a single human weak point led to a leak that resulted in massive reputational harm for the company. In Uber’s case, the attacker managed to trick an upper-level employee into divulging their credentials through multiple MFA requests, which then led to the criminal accessing key internal systems. While it appears that the attacker was unable to view personal information for Uber’s user base, the company still faced significant backlash related to its security protocols, not to mention a lack of consumer trust that they can prevent further attacks.

What Can We Do?

In the case of phishing, there are several available tools to defend against attacks and, in the event of a successful breach, to prevent further harm from taking place. One such solution is behavioral biometrics, a technology that uses AI and machine learning to build and monitor a behavioral profile for each user so that it can identify fraudulent, anomalous behavior in real time.

At its core, this technology creates a persona based on a user’s digital, physical, and cognitive behavior – analyzing device orientation, keystrokes, touchscreen activity, duration of a session, and more to recognize the user. It then uses this information to continuously monitor and verify genuine users based on the person’s activity on the device, or in the case of illegal activity, alert the bank to take action. For example, a consumer’s credentials might give criminals access to their financial institution. But with behavioral biometrics, they would quickly be identified before funds are transferred and lost, giving the bank a chance to stop the crime and alert the account owner and authorities.
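The profile-and-compare idea described above, as an added Python example rather than any vendor's actual method: it learns a per-user baseline from known-good sessions and scores a new session by its z-score distance from that baseline. The feature names, the constructed sample sessions, the scoring formula and the 3.0 threshold are all assumptions.

```python
from math import sqrt
from statistics import mean, stdev

# Signals named in the article; the exact feature names are assumptions.
FEATURES = ("key_dwell_ms", "key_flight_ms", "swipe_px_s", "tilt_deg", "session_s")

# Constructed known-good sessions for one account holder (not real data).
ENROLLED = [
    (95, 140, 800, 30, 240),
    (102, 150, 780, 33, 260),
    (98, 145, 820, 29, 230),
    (100, 138, 790, 31, 250),
    (97, 148, 810, 32, 245),
]

def build_profile(sessions):
    """Per-feature (mean, spread) baseline learned from known-good sessions."""
    profile = {}
    for i, name in enumerate(FEATURES):
        values = [s[i] for s in sessions]
        mu = mean(values)
        # Floor the spread at 5% of the mean so a very consistent user does
        # not turn tiny deviations into alerts (also avoids division by zero).
        profile[name] = (mu, max(stdev(values), 0.05 * abs(mu), 1e-9))
    return profile

def anomaly_score(profile, session):
    """Root-mean-square z-score over the signals present in this session."""
    zs = [(v - profile[k][0]) / profile[k][1]
          for k, v in session.items() if k in profile and v is not None]
    if len(zs) < 3:  # e.g. a desktop login has no tilt or swipe data
        raise ValueError("too few behavioral signals to score this session")
    return sqrt(sum(z * z for z in zs) / len(zs))

def assess(profile, session, threshold=3.0):
    """Return ('allow' | 'alert', score); the threshold is an assumed value."""
    score = anomaly_score(profile, session)
    return ("alert" if score > threshold else "allow", round(score, 2))

PROFILE = build_profile(ENROLLED)
# Constructed sessions: the owner, then a stolen-credential login.
OWNER = {"key_dwell_ms": 99, "key_flight_ms": 143, "swipe_px_s": 805,
         "tilt_deg": 30, "session_s": 248}
INTRUDER = {"key_dwell_ms": 60, "key_flight_ms": 35, "swipe_px_s": None,
            "tilt_deg": None, "session_s": 40}

if __name__ == "__main__":
    for label, s in (("owner", OWNER), ("intruder", INTRUDER)):
        print(label, assess(PROFILE, s))
```

The intruder session carries valid credentials but typing rhythm and session length far outside the baseline, which is the case the paragraph describes; a session with too few signals is rejected for scoring rather than silently allowed.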

When it comes to the student loan forgiveness program, it’s easy to see how behavioral biometrics would help individuals who may have been fooled by a phishing attack. The leaked or stolen information cannot be taken back, but any red flag activity could be identified, whether the user’s information was being used to open up new accounts, or a social engineering scam was underway in an attempt to access their current accounts and move funds. Institutions that leverage advanced technologies can quickly ascertain when it is not the legitimate user and take the appropriate steps.

The Path Forward

The good news is that the Biden administration is paying attention. In addition to their announcements regarding the application process, CNN reports that officials have also announced “ongoing and expanded efforts across the administration to combat scams and misinformation,” including “educating borrowers about how to protect themselves against scams and accelerating efforts to share scam complaints with states.”

Reportedly, this will include a “dos and don’ts” document outlining guidance for consumers to follow. Further, the administration is also coordinating efforts at the state and local levels to combat scams, with plans to use a social media campaign and the FTC’s Consumer Sentinel complaint network to report fraudulent activity.

As Biden’s student loan forgiveness program gets underway, it’s imperative that both individually and industry-wide, we all work together to stymie efforts to defraud common Americans. While phishing attacks represent one attack avenue for criminals, these tactics can lead to a larger fraud lifecycle and significant hardship down the line. The time is now to address these attacks head-on.

Ayelet Eliezer is the SVP of Product Management at BioCatch.

