There’s a rising trend that’s been especially scary for community colleges lately, beyond declining enrollments: “ghost students.”
Fraudsters are using bots in an attempt to steal community colleges’ financial aid, gumming up their easy-to-enroll admissions systems and wasting human capital.
When courses moved online during the pandemic, scammers flooded community colleges with bots, or automated software applications, to fraudulently enroll in courses and interact with course materials and professors until the college issued a financial-aid check.
In 2021, the Peralta Community College District in California doled out $179,000 to more than 3,000 fraudulent applicants. Last spring, 29 fake students stole more than $22,418 in Pell Grant funds from the City College of San Francisco.
And almost 460,000 applications, or a fifth of those submitted to the California Community Colleges system this year, were fraudulent, according to an investigation by the San Francisco Chronicle.
Across the nation, Des Moines Area Community College, Portland Community College, and Salt Lake Community College have also been victims of such scams.
Because community colleges prioritize accessibility, their admissions processes are easy. But that makes them especially vulnerable to fraud, said Nick Merrill, a lecturer specialized in cybersecurity for the University of California at Berkeley’s School of Information.
Community colleges are now training their staffs to better detect fraud, and making changes in admissions. But with this could come increased barriers to enrollment, Merrill said.
The Department of Education’s Office of Inspector General said in a statement that it is investigating the phenomenon.
“Fighting federal student aid fraud — in any form — has always been a top concern and priority of the OIG,” the statement read. “The OIG can confirm that we are conducting an investigation, but that is all we can say at this time as per our policy, we do not discuss details of our ongoing work.”
Open Access, but at What Cost?
Community colleges are especially vulnerable to fraud because of their open-access model, meaning anyone with a high-school diploma or equivalent can enroll as a student. The scams are known as “sybil attacks,” where fraudsters generate many false identities to “overwhelm the system,” Merrill said.
He estimates attackers are looking for two factors: “clean email addresses,” or those with a domain of .edu, and colleges with access to a VPN, or virtual private network. Because these email addresses aren’t booted out by spam filters, the capacity to create multiple accounts is easier.
When connected to a college’s VPN, a fraudster could avoid getting blocked and make “more-targeted attacks” like data exfiltration or ransomware, Merrill explained.
The scam is so ubiquitous that anyone can go to YouTube and find hundreds of videos on how to obtain a college email address and enroll using a bot.
In one video, sent to The Chronicle, a person shows viewers how to connect a United States-based IP address to a VPN, generate a fake legal name and information for a student (including an address, phone number, and Social Security number), and successfully enroll at Des Moines Area Community College. The video, and many like it, can still be found online.
To combat fraud, Merrill said, colleges should “increase the barrier and decrease the reward.”
This could mean verifying admitted students’ identity in person or by mail. Merrill suggested colleges could stop providing VPN access and .edu domains in order to make institutions a “less-tempting target.”
“There is an efficient market for shenanigans,” Merrill said. “If you have these kinds of assets that are valuable to offer and the barrier to getting them is sufficiently low, you will be a target.”
Combating Fraud
Paul Feist, the vice chancellor for communications for the California Community Colleges system, said a revamped application system will begin this fall.
“People are trying to game the system and use technology,” Feist said. “We’re not going to let our guard down at all.”
Melissa Villarin, a spokesperson for the system’s Chancellor’s Office, said the system has implemented “layered security tools, which are continually improving” to detect fraud. The office also provided “early notification to colleges” of students who are identified as potentially fraudulent.
Last year, Des Moines Area Community College began calling all of its enrolled students to verify their identities. Erica Spiller, vice president for enrollment services, said this process has added 10 to 15 calls a day for the district’s recruitment and admissions team.
“It’s a lot of work and a lot of resources to do that. It’s both a challenge and an opportunity,” Spiller said. “It’s a challenge to commit that amount of time and energy.”
Des Moines Area Community College found that 6 percent of its applications were fraudulent last fall. “In the vast majority of cases,” fraudsters were identified and stopped before receiving aid, and about 1,200 applications were denied due to fraud, the college said. Fraudulent applications decreased to 2 percent the following semester. In July, the college estimated that it identified about 15 fraudulent applications a day.
Spiller said fraudsters were primarily after financial aid, using Social Security numbers and generating random, yet valid, information to get through the admissions process. Some ghost students were enrolled in classes and submitted coursework.
In the spring, however, Spiller said fraudsters targeted student-related retailer discounts. The college discovered scammers were enrolling to get free .edu email addresses, a tactic they could learn from a quick YouTube search.
Des Moines has since adopted a new software system to alert the office about fraudulent applications.
At Portland Community College, administrators identified around 29,000 fraudulent applications in 2021. Bridget Jones, the college’s director of admissions and recruitment, said those numbers have steadily declined this year, with fewer than 1,500 per semester.
What contributed to such a significant decline? Jones said it was all “person power.” But in order to verify every student, Jones said the college has had to slow down its admissions process for students. Additionally, Portland has implemented systemwide training focused on documenting patterns in ghost students.
“We’ve put [a lot of person power] behind actually reviewing applications and looking for several checks and balances,” Jones said. “We’ve also worked in a delay to admitting students. It’s not just an automatic process … our processing staff has a little bit more room to go through the application and look for different indicators that something might be fraudulent.”