The CISO's Guide to Campus Scam Protection.
6 attack types hitting universities right now. What your email gateway misses. How to deploy browser-level protection in 5 minutes. And the ROI data you need for your budget request.
Universities are under sustained attack. The Department of Education prevented $1 billion in financial aid fraud in 2025 alone. A single BEC attack cost San Diego State University $5.9 million. The Storm-2657 campaign targeted 25 universities simultaneously. ShinyHunters breached Harvard and UPenn, leaking 739,000 donor records.
These aren't hypotheticals. They're documented incidents from the last 18 months. And the attacks that succeed share a common pattern: they happen outside your email gateway. In DMs. On fake login portals. Through voice calls. On marketplace listings. In financial aid forms that look exactly like yours.
This guide covers the 6 attack types you're most likely to face, what your current stack misses, and how to deploy browser-level ambient protection campus-wide in under 5 minutes — for $12 per student per year.
Each of these has been documented at a U.S. university or school district in the last 18 months. We ran the actual attack content through our API and show the detection results.
Vendor Invoice Fraud (BEC)
$1.9M – $5.9M per incident
Attackers compromise or spoof a vendor email, then send a legitimate-looking invoice with modified bank routing numbers. The wire goes to a mule account. FBI reports $2.77B in BEC losses in 2024, with education among the most targeted sectors.
Red Flags
- Invoice arrives with new bank account details
- Domain is a lookalike of the real vendor: one character off, or the same name under a different TLD (pearson.quest vs pearson.com)
- Urgency language: 'payment must be processed by EOD to avoid late fees'
- Reply-To address, or just its domain, differs from the From address, so replies go to a mailbox the attacker controls
Documented at: SDSU ($5.9M), Johnson County Schools ($3.36M), Southern Oregon University ($1.9M)
FAFSA & Financial Aid Phishing
$1B+ prevented by DOE in 2025; $90M+ still disbursed fraudulently
Attackers send emails impersonating the Department of Education or your financial aid office. Students are directed to fake FAFSA verification portals that harvest SSNs, dates of birth, and bank account numbers. DOE found $30M+ was disbursed to deceased individuals in 2025.
Red Flags
- Email claims FAFSA application needs 'immediate verification'
- Link host is not studentaid.gov (or a subdomain of it) or your own .edu domain; check the registered domain of the host, not whether 'studentaid.gov' appears somewhere in the URL
- Requests SSN, bank account, or tax information via form
- Threatens loss of financial aid if not completed within 24-48 hours
Documented at: Nationwide (DOE data), 223K+ fraudulent enrollments in CA Community Colleges
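The red flags for vendor-invoice fraud and FAFSA phishing, turned into checks a mail-triage script can run over a raw message. This is an added example, not code from the page or from suss.; the vendor and trusted-domain allowlists, the keyword patterns and the three sample messages are constructed for the illustration. The lookalike check generalizes the page's single pearson.quest case to same-name-other-TLD, hyphenated and typo-squatted variants.

```python
# Added example, not code from the page or from suss.: the BEC and FAFSA red
# flags above as checks over raw emails. Allowlists and samples are constructed.
from __future__ import annotations
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlists: in practice the AP vendor master and your own domains.
KNOWN_VENDORS = {"pearson.com", "cengage.com"}
TRUSTED_DOMAINS = {"studentaid.gov", "ed.gov", "example.edu"}

URGENCY = re.compile(r"\b(EOD|immediate(?:ly)?|within (?:24|48) hours|urgent)\b", re.I)
BANK_CHANGE = re.compile(r"\b(new|updated|changed) (bank|account|routing|wire)\b", re.I)
PII_REQUEST = re.compile(r"\b(SSN|social security|date of birth|tax (?:return|information))\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch one-character-off domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header: str | None) -> str:
    """Domain part of an address header such as 'Name <user@host>'."""
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def host_in(host: str, allowlist: set[str]) -> bool:
    """Suffix match on a label boundary: studentaid.gov.evil.com must NOT pass."""
    return any(host == d or host.endswith("." + d) for d in allowlist)

def lookalike_of(domain: str, known: set[str]) -> str | None:
    """The legitimate domain that `domain` imitates, or None."""
    if not domain or host_in(domain, known):
        return None
    label = domain.split(".")[0]
    for k in known:
        # same name under another TLD (pearson.quest), dots turned into hyphens
        # or dropped (studentaid-gov.com), or a typo within two edits
        squashed = {k.split(".")[0], k.replace(".", "-"), k.replace(".", "")}
        if label in squashed or levenshtein(domain, k) <= 2:
            return k
    return None

def message_text(msg) -> str:
    """Subject plus every text/plain part."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    return "\n".join(parts)

def assess_message(raw: str) -> dict:
    """Map each red flag that fires to its evidence; an empty dict means clean."""
    msg = message_from_string(raw)
    flags: dict = {}
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        flags["reply_to_mismatch"] = (from_dom, reply_dom)
    mimic = lookalike_of(from_dom, KNOWN_VENDORS | TRUSTED_DOMAINS)
    if mimic:
        flags["lookalike_sender"] = (from_dom, mimic)
    text = message_text(msg)
    for name, pat in (("bank_details_changed", BANK_CHANGE), ("urgency", URGENCY),
                      ("pii_request", PII_REQUEST)):
        if (hit := pat.search(text)):
            flags[name] = hit.group(0)
    hosts = ((urlparse(u).hostname or "").lower() for u in URL.findall(text))
    bad = [h for h in hosts if not host_in(h, KNOWN_VENDORS | TRUSTED_DOMAINS)]
    if bad:
        flags["untrusted_links"] = bad
    return flags

# Constructed samples, not real incidents.
BEC_SAMPLE = """From: Pearson Billing <invoices@pearson.quest>
Reply-To: ap-desk@outlook.com
Subject: Invoice 4471 - remittance update

Please note our updated bank account for all future payments.
Payment must be processed by EOD to avoid late fees.
"""
FAFSA_SAMPLE = """From: Federal Student Aid <noreply@studentaid-gov.com>
Subject: Immediate verification required for your FAFSA

Confirm your SSN and bank account within 48 hours or your aid is cancelled:
https://studentaid.gov.verify-fafsa.com/login
"""
CLEAN_SAMPLE = """From: Pearson Billing <invoices@pearson.com>
Reply-To: invoices@pearson.com
Subject: Invoice 4470 for spring textbooks

Invoice attached, net 30 as usual. Details: https://www.pearson.com/invoices
"""

if __name__ == "__main__":
    for sample in (BEC_SAMPLE, FAFSA_SAMPLE, CLEAN_SAMPLE):
        print(assess_message(sample) or "no red flags")
```

The host check is the part worth copying: a naive `'studentaid.gov' in url` test accepts the attacker's studentaid.gov.verify-fafsa.com, which is why a host passes only when it equals a trusted domain or ends with a dot followed by one. The keyword patterns are deliberately narrow so a routine vendor invoice that merely mentions a bank account does not fire; tune them against your own mail before trusting the score.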
Payroll & Direct Deposit Redirect
Losses undisclosed; 25 universities targeted in a single campaign
Microsoft-tracked threat group Storm-2657 ('Payroll Pirates') compromised 11 accounts at 3 universities, then used them to phish roughly 6,000 accounts across 25 universities. With the stolen credentials they changed Workday direct deposit details and created inbox rules that deleted Workday's change-notification emails, so employees noticed nothing until payday.
Red Flags
- Email asks to 'verify' or 'update' direct deposit via a link
- Login page looks like Workday but URL is wrong
- Notification emails about payroll changes are missing from inbox
- Message claims IT is 'migrating payroll systems'
Documented at: Storm-2657 campaign (25 universities, Microsoft Security Blog)
Government Impersonation
$1.6M at USC alone; $1.1B in impersonation losses nationwide (FTC 2024)
Scammers pose as Chinese police, DHS officials, IRS agents, or local law enforcement. They threaten international students with arrest, deportation, or visa cancellation unless they wire money immediately. Isolation tactics prevent victims from seeking help.
Red Flags
- Caller or message claims to be law enforcement or immigration authority
- Demands immediate wire transfer or gift card payment to avoid arrest
- Instructs victim not to tell anyone about the call
- Threatens visa cancellation or deportation
Documented at: USC ($1.6M across multiple students), nationwide targeting of international students
Executive Gift Card Scams
$1K–$5K per incident; high volume, ongoing
The most common university-targeted scam. Attackers impersonate deans, provosts, and department chairs via email or text, requesting gift cards for 'faculty appreciation,' 'student awards,' or 'conference supplies.' Low dollar amount per incident but extremely high volume.
Red Flags
- Email from dean or department chair asking to purchase gift cards
- Requests Apple, Google Play, or Amazon gift cards specifically
- Asks for gift card numbers and PINs via email or text
- Uses urgency: 'I need this before the event today'
Documented at: Michigan, UC Berkeley, UCLA, Stanford, and dozens more (ongoing)
Credential Harvesting & Data Breach
739K records at Harvard + UPenn; $4.02M average ransomware recovery in higher ed
ShinyHunters breached Alumni Affairs at Harvard and UPenn in February 2026 via voice phishing (vishing). They demanded $1M ransom from each university. Both refused. 739K donor records — including wealth bands and giving history — were leaked. Ransomware recovery in higher ed averages $4.02M (Sophos).
Red Flags
- Phone call claiming to be IT support asking for credentials
- Login page that relays your real sign-in and MFA prompt (adversary-in-the-middle), so the code you type is replayed by the attacker; MFA alone does not stop this
- Unusual login activity from unfamiliar IP addresses
- Email asking to 'confirm your identity' via unfamiliar portal
Documented at: Harvard & UPenn (ShinyHunters, 739K records), 18-university MFA bypass campaign (2025)
Your email gateway was built for spam. Not social engineering.

Email Gateway / SEG (Proofpoint, Mimecast, Microsoft Defender)

What it catches:
- Blocks known malware attachments
- Catches bulk phishing campaigns
- URL reputation filtering
- DMARC / SPF / DKIM enforcement

What it misses:
- BEC with no malicious links or attachments
- Fake login portals (adversary-in-the-middle)
- Scams in DMs, chat, marketplace listings
- Voice phishing (vishing) follow-ups
- Gift card requests from spoofed executives
- Financial aid form impersonation
- SMS / text message scams (35% of losses)
- Personal email on student devices
- Real-time educational guidance
- Behavior change measurement

Browser-Level Protection (suss. for Campus)

What it adds:
- Scans every page, email, chat, form in real time
- Detects BEC with zero links (pure social engineering)
- Blocks credential entry on fake login portals
- Catches FAFSA/financial aid form impersonation
- Flags gift card requests from spoofed executives
- Works on DMs, marketplace, and social platforms
- Domain trust scoring for unknown sites
- Detection across 40+ scam categories
- Pre-navigation link scanning (URL Defense)
- Email authentication mismatch detection
- Measurable behavior change tracking
- Works on personal devices + personal email
of scam losses begin with a message, not a transaction. Your fraud tools activate at the transaction layer. The damage happens before they ever fire.
FBI IC3 Annual Report, 2024
Works alongside Proofpoint, Mimecast, and Defender.
Your email gateway protects the institutional email pipe. suss. protects the actual student — on every channel, every device, every app they use. These are complementary layers, not competing products.
Email Infrastructure (Proofpoint / Mimecast / Defender): MX gateway filtering, URL rewriting, attachment sandboxing, DMARC enforcement. Protects your .edu email domain from inbound threats.
Student Protection (suss. for Campus): Browser-native ambient scanning across all channels. Educates students in real time. Measures behavior change. Works on personal devices and personal email.
Personal device coverage
Students get scammed on their phones and personal laptops. Proofpoint protects your .edu domain — suss. protects the student wherever they browse. No endpoint agent required.
Every channel, not just email
35% of scam victims in our case studies were reached via SMS. Instagram DMs, WhatsApp, Facebook Marketplace, Craigslist — these channels have zero email gateway coverage.
Educational, not just blocking
Proofpoint quarantines. suss. teaches. Students learn WHY something is dangerous, what the scam pattern is, and what to do next. This is how you build lasting behavior change.
Measurable behavior change
Track awareness scores, warning heeded rates, and scam avoidance metrics across your student body. Show your board and auditors that protection is working — not just deployed.
Don't just block threats. Change behavior.
Proofpoint tells your SOC team what got blocked. suss. tells your board how student behavior is changing. Every interaction is a data point.
Warning heeded rate
When students see a suss. warning, 94% choose to go back instead of proceeding. This is Yuka-level behavior change — users put back red-rated products.
Awareness score improvement
Average student scam awareness score improves 34% in the first semester. Measured weekly via our awareness scoring algorithm (streak + activity + avoidance).
Measurability
Every warning shown, every link checked, every form blocked, every feedback submission — tracked and reported in your campus admin dashboard in real time.
Estimated losses prevented
Based on FTC median loss data applied to threats caught. Concrete dollar figure for your board, your auditors, and your budget request.
How we measure behavior change
Warning shown
Student encounters a threat. suss. explains WHY it's dangerous and WHAT to do — not just 'blocked.'
Decision tracked
Did the student heed the warning (go back) or proceed anyway? This is the core behavior change metric.
Feedback loop
Thumbs up/down on every verdict. Reports feed back into our ML pipeline. Students become active participants in protection.
Awareness score
Weekly score (0-100) combining streak, scanning volume, and scam avoidance. Gamified progression keeps students engaged.
Campus dashboard
Real-time aggregate view: heeded rate, awareness trend, top threats, losses prevented. Export-ready for board reports.
Semester report
Before/after comparison: awareness scores, behavior changes, threats caught, losses prevented. The ROI proof your CISO needs.
5 minutes to campus-wide protection.
No student opt-in. No IT integration. No onboarding friction. One JSON policy pushed to all managed browsers.
Push a Chrome Enterprise policy
One JSON config via Google Admin Console, Microsoft Intune, or Jamf Pro. The extension installs silently on all managed browsers. Takes 2 minutes.
Ambient scanning begins immediately
Every page, email, chat message, marketplace listing, and form is scanned in real time. Students never notice it running. No app to download, no account to create.
Threats are intercepted before damage
Phishing emails, fake login portals, gift card requests, and financial aid scams are flagged with clear, educational warnings. Form guard blocks credential entry on unregistered portals.
Admin dashboard shows campus threats
Real-time visibility into what's targeting your campus. Weekly reports, threat breakdowns by category, and detection metrics — all from your admin console.
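What the policy push in step 1 actually carries, as an added example rather than the page's or suss.'s own deployment file: a small Python helper that builds the Chrome `ExtensionSettings` policy (and the older `ExtensionInstallForcelist` entry) and validates the inputs before you push it. The extension ID is a placeholder, and the Chrome Web Store update URL is an assumption, since the page does not say how the extension is distributed.

```python
# Added example, not the page's or suss.'s deployment config: build and
# sanity-check the Chrome Enterprise policy that force-installs an extension.
from __future__ import annotations
import json
import re

# Assumption: the extension is published on the Chrome Web Store, whose update
# endpoint this is. A self-hosted CRX would use your own https update URL.
CWS_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Chrome extension IDs are exactly 32 characters drawn from the letters a-p.
EXTENSION_ID_RE = re.compile(r"[a-p]{32}")
VERSION_RE = re.compile(r"\d+(\.\d+){0,3}")

def build_extension_settings(extension_id: str, update_url: str = CWS_UPDATE_URL,
                             minimum_version: str | None = None) -> dict:
    """Return the ExtensionSettings policy dict (the per-extension form)."""
    if not EXTENSION_ID_RE.fullmatch(extension_id):
        raise ValueError(f"not a Chrome extension ID: {extension_id!r}")
    if not update_url.startswith("https://"):
        raise ValueError("update_url must be https; a plain-http update channel can be hijacked")
    settings = {
        "installation_mode": "force_installed",  # silent install; users cannot remove or disable it
        "update_url": update_url,
        "toolbar_pin": "force_pinned",           # keep the icon visible so warnings have context
    }
    if minimum_version is not None:
        if not VERSION_RE.fullmatch(minimum_version):
            raise ValueError(f"bad version string: {minimum_version!r}")
        # Chrome disables the extension until it updates to at least this version,
        # so a stale build that missed a fix cannot keep running.
        settings["minimum_version_required"] = minimum_version
    return {"ExtensionSettings": {extension_id: settings}}

def forcelist_entry(extension_id: str, update_url: str = CWS_UPDATE_URL) -> str:
    """Same intent in the older ExtensionInstallForcelist format: '<id>;<update_url>'."""
    if not EXTENSION_ID_RE.fullmatch(extension_id):
        raise ValueError(f"not a Chrome extension ID: {extension_id!r}")
    return f"{extension_id};{update_url}"

def policy_json(policy: dict) -> str:
    """Serialize to the JSON Chrome reads from a managed policy file."""
    return json.dumps(policy, indent=2, sort_keys=True)

PLACEHOLDER_ID = "abcdefghijklmnop" * 2  # placeholder only, NOT a real extension ID

if __name__ == "__main__":
    print(policy_json(build_extension_settings(PLACEHOLDER_ID, minimum_version="1.4.0")))
    print(forcelist_entry(PLACEHOLDER_ID))
```

On Linux, Chrome reads the emitted JSON from /etc/opt/chrome/policies/managed/; Intune delivers the same keys as registry values under HKLM\Software\Policies\Google\Chrome, and Jamf as a com.google.Chrome managed preferences profile. `ExtensionSettings` also accepts a `"*"` key for defaults applied to every other extension, which is where a tighter campus baseline would go. Check the result on one test machine at chrome://policy before the campus-wide push.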
The math for your budget request.

For a campus of 10,000 students at $12/student/year = $120,000/year

- Estimated scam losses prevented annually (based on FTC median loss data and documented incidents)
- IT incident response hours recovered per year (credential resets, phishing triage, user support)
- Average ransomware recovery cost in higher ed: $4.02M (Sophos State of Ransomware in Education, 2024)
- ROI on prevented losses alone, before IT time savings and reputational value
FERPA Compliant
No student PII is stored. Page content is sent from the extension to the scanning API in ephemeral calls, analyzed, and discarded; no student data is logged, retained, or shared.
SOC 2 Type II
Certification in progress. Security controls documented and auditable. Pre-filled HECVAT Lite available on request for procurement review.
US-Hosted Infrastructure
All data processed on Google Cloud (us-central1). No third-country transfers. No data leaves the United States.
No Browser Data Collection
The extension does not read browsing history, capture keystrokes, or access stored passwords. It analyzes page content in real time and discards it immediately.
Don't be the next case study.
See what's targeting your campus. 15-minute demo, no commitment. Free 30-day pilot for qualified institutions.
Questions? info@gotsuss.com