College students targeted by money mule phishing techniques

As university students begin a new school term, some find themselves the targets of money mule fraudsters.

Researchers at Mimecast have uncovered a targeted spam campaign that seeks to recruit students with the promise of easy money and flexible working conditions.

Jeremy Ventura, a senior security strategist at Mimecast, tells SearchSecurity that the attacks begin with the fraudsters taking over a student email account, either by using phishing techniques or purchasing credentials in underground forums. Anyone in the address book or inbox of that account is then targeted.

From there, the fraudster poses as a consulting company looking to recruit student employees for positions that offer money and flexible working hours that would allow students to work around their school and work schedules. One offer promised $350 per week.

Should the students respond to that message, they would then be asked for a list of personal details and instructed to receive a deposit and then transfer the money (or purchase and then transfer items) to an account controlled by the hacker. In other words, the unsuspecting student is a money mule helping to launder stolen funds out of the U.S.

Aside from aiding in a fraud ring, this is particularly dangerous for students because the hackers collect so much personal information. Some of that data could be used in the future to create more convincing spear phishing techniques that could result in a network breach, potentially putting their entire school at risk.

"They're putting out a lot of information that just makes them a wider target," Ventura said. "Next time they could click on a URL."

There is not the same level of security provided for student accounts, and that is why we commonly see attackers going after students instead of faculty and staff that have more protection.

He added that a big part of the problem is the lack of attention and resources that educational institutions afford to student email security. While nearly every school provides email security services for faculty and staff members, very few extend those protections to student email accounts.

"There is not the same level of security provided for student accounts, and that is why we commonly see attackers going after students instead of faculty and staff that have more protection," Ventura said.

There is also the matter of education. With very few schools providing incoming students training or even basic information on how to spot phishing emails and what to do with them, the students often lack a critical eye when reading shady job offers or other phishing techniques that promise easy money. This lack of attention is leaving students and the universities vulnerable to fraud and data breach.