Skip to main content

Hey college students: even though you’re likely far from campus, scammers are still trying to find you.

Maybe you or your friends have gotten an email claiming to be from the “Financial Department” of your university. The email tells you to click on a link to get a message about your COVID-19 economic stimulus check — and it needs to be opened through a portal link requiring your university login. Don’t do it. It’s a phishing scam. If you click to “log in,” you could be giving your user name, password, or other personal information to scammers, while possibly downloading malware onto your device.

Example of phishing email

How can you spot and avoid scams like these? Before you click on a link or share any of your sensitive information:

  • Check it out. If you have concerns about an email, contact the sender directly. Look up their phone number or website yourself. Don’t click on a link. That way, you’ll know you’re not about to call a scammer or follow a link that will download malware.
  • Take a closer look. While some phishing emails look completely legit, bad grammar and spelling can be a tip-off to phishing. Another clue that the email is not really from your school: they use the wrong department name. In one example we’ve seen, the scammers called themselves the Financial Dept instead of the Financial Aid Department.

If you spot something that looks like a phishing scam, report it. Forward the message to the Anti-Phishing Working Group (an organization which includes ISPs, security vendors, financial institutions, and law enforcement agencies) at reportphishing@apwg.org. You can also report phishing to the FTC at ftc.gov/complaint

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.

The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.

  • We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
  • We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
  • We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
  • We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to ReportFraud.ftc.gov.

We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.

VMU
May 27, 2020
Thank you for this informative information. I have had phone calls and emails and reported same to FTC.
harpdog
May 27, 2020
If it is legit your school will contact you through your school email. This email should only be used for school business and not given out to anyone not associated with your school. I am a 71-year-old college student and I urge you to go back to school and re-enter the workforce if you can. Social Security will never go up and maybe gone soon
EM
May 27, 2020
Thank you for this very important information. Greatly appreciate the links on where to report! This is very helpful.
daball
May 28, 2020
While you definitely want to avoid clicking the Login button for a phishing site, it's also important to not even type anything in at all. Merely typing into text fields (indeed anywhere at all) of a web page triggers UI events on the DOM objects, which can run scripts to shuttle keystrokes back up their servers. I don't know about this particular phishing attack, but this is certainly a notable attack surface. If you think you're being phished, don't type anything in the web page. Because you don't know who's capturing those UI events. I just wanted to add that, because merely avoiding clicking the button might not be enough if the text fields are already filled in.
Capismama
June 01, 2020
They have NOT been shut down. I never even attended college and they have called me. They instantly hung up when I informed them that I had never gone to college, so PLEASE BE WATCHFUL of this number, or other numbers with the same area code/prefix: (866) 597-2660