The CISO's Guide to Campus Scam Protection.
6 attack types hitting universities right now. What your email gateway misses. How to deploy browser-level protection in 5 minutes. And the ROI data you need for your budget request.
Universities are under sustained attack. The Department of Education prevented $1 billion in financial aid fraud in 2025 alone. A single BEC attack cost San Diego State University $5.9 million. The Storm-2657 campaign targeted 25 universities simultaneously. ShinyHunters breached Harvard and UPenn, leaking 739,000 donor records.
These aren't hypotheticals. They're documented incidents from the last 18 months. And the attacks that succeed share a common pattern: they happen outside your email gateway. In DMs. On fake login portals. Through voice calls. On marketplace listings. In financial aid forms that look exactly like yours.
This guide covers the 6 attack types you're most likely to face, what your current stack misses, and how to deploy browser-level ambient protection campus-wide in under 5 minutes — for $12 per student per year.
Each of these has been documented at a U.S. university or school district in the last 18 months. We ran the actual attack content through our API and show the detection results.
Vendor Invoice Fraud (BEC)
$1.9M – $5.9M per incident
Attackers compromise or spoof a vendor email, then send a legitimate-looking invoice with modified bank routing numbers. The wire goes to a mule account. FBI reports $2.77B in BEC losses in 2024, with education among the most targeted sectors.
Red Flags
- Invoice arrives with new bank account details
- Domain is one character off from the real vendor (pearson.quest vs pearson.com)
- Urgency language: 'payment must be processed by EOD to avoid late fees'
- Reply-to address differs from the From address
Documented at: SDSU ($5.9M), Johnson County Schools ($3.36M), Southern Oregon University ($1.9M)
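The four red flags above can be turned into a triage check on inbound vendor mail before an invoice reaches accounts payable. The following is an added example, not the guide's or any vendor's code; the vendor allow-list, the urgency phrases and the sample message are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list of vendor domains the AP office has paid before (hypothetical).
KNOWN_VENDOR_DOMAINS = {"pearson.com", "campus-supplies.example"}
URGENCY = re.compile(r"\b(by EOD|immediately|late fees?|within \d+ hours?)\b", re.I)
NEW_BANK = re.compile(r"\b(new|updated|changed) (bank|routing|account)\b", re.I)
# Constructed sample showing all four flags: lookalike sender domain, Reply-To
# on another domain, new bank details, and end-of-day pressure.
SAMPLE_FRAUD = """\
From: Accounts Receivable <billing@pearson.quest>
Reply-To: billing@pearson-invoices.net
Subject: Invoice 4471 - updated remittance

Please note our new bank account for this invoice. Payment must be
processed by EOD to avoid late fees.
"""

def _edits(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_vendor(domain):
    """Known vendor that `domain` imitates (same name, other TLD, or a one-char typo)."""
    if not domain or domain in KNOWN_VENDOR_DOMAINS:
        return None
    name = domain.split(".")[-2] if "." in domain else domain
    for known in KNOWN_VENDOR_DOMAINS:
        if _edits(name, known.split(".")[-2]) <= 1:
            return known
    return None

def bec_flags(raw_email):
    """Red flags raised by one single-part RFC 822 message, in the guide's order."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload()
    checks = [
        ("new_bank_details", NEW_BANK.search(body)),
        ("lookalike_domain", lookalike_vendor(sender)),
        ("urgency", URGENCY.search(body)),
        ("reply_to_mismatch", reply_to and reply_to != sender),
    ]
    return [name for name, hit in checks if hit]
```

Any message that raises the lookalike or reply-to flag together with new bank details should be held for out-of-band verification with the vendor on a previously known phone number.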
FAFSA & Financial Aid Phishing
$1B+ prevented by DOE in 2025; $90M+ still disbursed fraudulently
Attackers send emails impersonating the Department of Education or your financial aid office. Students are directed to fake FAFSA verification portals that harvest SSNs, dates of birth, and bank account numbers. DOE found $30M+ was disbursed to deceased individuals in 2025.
Red Flags
- Email claims FAFSA application needs 'immediate verification'
- Link goes to a domain that isn't studentaid.gov or your .edu domain
- Requests SSN, bank account, or tax information via form
- Threatens loss of financial aid if not completed within 24-48 hours
Documented at: Nationwide (DOE data), 223K+ fraudulent enrollments in CA Community Colleges
Payroll & Direct Deposit Redirect
Undisclosed; 25 universities targeted in single campaign
Microsoft-tracked threat group Storm-2657 ('Payroll Pirates') compromised 11 accounts at 3 universities, then phished 6,000 accounts at 25 more. They changed Workday direct deposits and auto-deleted the notification emails so employees wouldn't notice until payday.
Red Flags
- Email asks to 'verify' or 'update' direct deposit via a link
- Login page looks like Workday but URL is wrong
- Notification emails about payroll changes are missing from inbox
- Message claims IT is 'migrating payroll systems'
Documented at: Storm-2657 campaign (25 universities, Microsoft Security Blog)
Government Impersonation
$1.6M at USC alone; $1.1B in impersonation losses nationwide (FTC 2024)
Scammers pose as Chinese police, DHS officials, IRS agents, or local law enforcement. They threaten international students with arrest, deportation, or visa cancellation unless they wire money immediately. Isolation tactics prevent victims from seeking help.
Red Flags
- Caller or message claims to be law enforcement or immigration authority
- Demands immediate wire transfer or gift card payment to avoid arrest
- Instructs victim not to tell anyone about the call
- Threatens visa cancellation or deportation
Documented at: USC ($1.6M across multiple students), nationwide targeting of international students
Executive Gift Card Scams
$1K–$5K per incident; high volume, ongoing
The most common university-targeted scam. Attackers impersonate deans, provosts, and department chairs via email or text, requesting gift cards for 'faculty appreciation,' 'student awards,' or 'conference supplies.' Low dollar amount per incident but extremely high volume.
Red Flags
- Email from dean or department chair asking to purchase gift cards
- Requests Apple, Google Play, or Amazon gift cards specifically
- Asks for gift card numbers and PINs via email or text
- Uses urgency: 'I need this before the event today'
Documented at: Michigan, UC Berkeley, UCLA, Stanford, and dozens more (ongoing)
Credential Harvesting & Data Breach
739K records at Harvard + UPenn; $4.02M average ransomware recovery in higher ed
ShinyHunters breached Alumni Affairs at Harvard and UPenn in February 2026 via voice phishing (vishing). They demanded $1M ransom from each university. Both refused. 739K donor records — including wealth bands and giving history — were leaked. Ransomware recovery in higher ed averages $4.02M (Sophos).
Red Flags
- Phone call claiming to be IT support asking for credentials
- MFA bypass via adversary-in-the-middle technique
- Unusual login activity from unfamiliar IP addresses
- Email asking to 'confirm your identity' via unfamiliar portal
Documented at: Harvard & UPenn (ShinyHunters, 739K records), 18-university MFA bypass campaign (2025)
Your email gateway was built for spam. Not social engineering.
Email Gateway / SEG
Proofpoint, Mimecast, Microsoft Defender
Catches:
- Blocks known malware attachments
- Catches bulk phishing campaigns
- URL reputation filtering
Misses:
- BEC with no malicious links or attachments
- Fake login portals (adversary-in-the-middle)
- Scams in DMs, chat, marketplace listings
- Voice phishing (vishing) follow-ups
- Gift card requests from spoofed executives
- Financial aid form impersonation
Browser-Level Protection
suss. for Campus
- Scans every page, email, chat, form in real time
- Detects BEC with zero links (pure social engineering)
- Blocks credential entry on fake login portals
- Catches FAFSA/financial aid form impersonation
- Flags gift card requests from spoofed executives
- Works on DMs, marketplace, and social platforms
- Domain trust scoring for unknown sites
- 500+ signals across 35+ scam categories
of scam losses begin with a message, not a transaction. Your fraud tools activate at the transaction layer. The damage happens before they ever fire.
FBI IC3 Annual Report, 2024
5 minutes to campus-wide protection.
No student opt-in. No IT integration. No onboarding friction. One JSON policy pushed to all managed browsers.
Push a Chrome Enterprise policy
One JSON config via Google Admin Console, Microsoft Intune, or Jamf Pro. The extension installs silently on all managed browsers. Takes 2 minutes.
Ambient scanning begins immediately
Every page, email, chat message, marketplace listing, and form is scanned in real time. Students never notice it running. No app to download, no account to create.
Threats are intercepted before damage
Phishing emails, fake login portals, gift card requests, and financial aid scams are flagged with clear, educational warnings. Form guard blocks credential entry on unregistered portals.
Admin dashboard shows campus threats
Real-time visibility into what's targeting your campus. Weekly reports, threat breakdowns by category, and detection metrics — all from your admin console.
Compatible with your existing infrastructure
The math for your budget request.
For a campus of 10,000 students at $12/student/year = $120,000/year
Estimated scam losses prevented annually
Based on FTC median loss data + documented incidents
IT incident response hours recovered per year
Credential reset, phishing triage, user support
Average ransomware recovery cost in higher ed
Sophos State of Ransomware in Education, 2024
ROI on prevented losses alone
Before IT time savings and reputational value
FERPA Compliant
No student PII is stored. All scanning happens in-browser with ephemeral API calls. No student data is logged, retained, or shared.
SOC 2 Type II
Certification in progress. Security controls documented and auditable. Pre-filled HECVAT Lite available on request for procurement review.
US-Hosted Infrastructure
All data processed on Google Cloud (us-central1). No third-country transfers. No data leaves the United States.
No Browser Data Collection
The extension does not read browsing history, capture keystrokes, or access stored passwords. It analyzes page content in real time and discards it immediately.
Don't be the next case study.
See what's targeting your campus. 15-minute demo, no commitment. Free 30-day pilot for qualified institutions.
Questions? info@gotsuss.com