Bad actors have attempted to defraud student aid programs for years. Some target private student loan lenders, but many are after the larger catch — loans and grants from federal student aid programs.
There’s a lot of taxpayer money on the line. In fiscal year 2023 alone, the Department of Education delivered approximately $114.1 billion in aid to over 9.7 million borrowers. Local and state student aid programs can also be affected.
These fraudsters earned the “ghost students” and “Pell runners” monikers after figuring out how to collect loan and grant money before disappearing. Today, some schools and e-learning platforms are turning to online identity verification tools to stop fraudsters.
The growing threat of student aid fraud
Although student aid fraud isn’t new, the threat is growing. In January 2024, a California Community Colleges Chancellor’s Office spokesperson told a CalMatters reporter that they suspected 25% of the college applications received were fraudulent—up from 20% in 2021.
And although California’s community colleges have had a lot of press coverage lately, other schools and systems have been targets of fraudulent applications. For example, in 2023, a man was sentenced to 11 years in federal prison after stealing over $1.4 million by posing as 180 different students at Baton Rouge Community College from 2017 to 2019.
Part of the increase might be attributed to stronger security measures that catch fraudsters who previously would have gone unnoticed. Another reason is that rising tuition rates can make student aid fraud more attractive to bad actors — larger loans and grants mean there’s more money to steal. Some schools have also made enrollment easier since the pandemic.
Many schools are also launching online-only or hybrid curricula. These are popular with legitimate students — around a quarter of undergraduate students and nearly 40% of graduate students exclusively attended class online in Fall 2022. However, fraudsters from around the world may also target schools with online programs.
The ripple effect of exposing ghost students
Limiting fraud losses is, of course, government agencies’ and universities’ primary motive for catching bad actors and stopping fraudulent aid from being disbursed. But schools also have more on the line:
- Improve internal data: Inaccurate enrollment and retention data could lead schools to make poorly informed decisions about who to hire and which classes to offer.
- Better serve legitimate students: Classes might be filled by fraudsters before legitimate students have a chance to enroll. Even if the fraudsters are identified during the first few weeks of class, it may be too late for new students to begin.
- Support the school’s staff: Ghost students can impact school administrators, instructors, and professors who wind up having to track and report the fake students.
- Maintain your reputation: Fraud prevention almost always has an element of reputation management. You don’t want to be known as the school for fraudsters — and your alumni don’t want that either.
Tools for detecting and preventing fraudulent student accounts
You can use various tools to verify applicants’ identities and detect suspicious behavior to keep fraudsters at bay. You can also use link analysis to uncover patterns among ghost students who slip past your first-line defenses.
Require identity verification
Online identity verification tools can quickly collect and analyze identifying information from applicants. Combining a government ID verification with a selfie is a commonly used approach for fighting fraud.
- Government ID verification: Applicants upload a picture of an approved government-issued ID, such as an identification card, driver’s license, or passport. The IDV tool analyzes the image for signs of authenticity, editing, and document tampering. It also extracts data from the ID that will be used for verification.
- Selfie verification: With selfie identity verification, the applicant takes and uploads selfies or a short video and their face is compared to the image on the government ID. In the age of AI-generated selfies, liveness detection and advanced analysis are crucial for verifying the selfie is genuine.
Passive database checks can also be performed in the background to verify information from the government ID without adding friction. Schools may also automatically run checks against internal databases to look for duplicate information or other red flags.
Monitor passive and behavioral risk signals
Various types of passive signals, monitoring, and reports can help you uncover fraudulent applicants and ghost students without asking for more information or interfering with an application.
- Passive signals: Information from the applicant’s device or browser can help you uncover suspicious data points or patterns. These might include whether they’re using a VPN, their device’s IP address, location, and time zone, and if they are all out of sync with each other and not close to the address extracted from a driver’s license.
- Behavioral signals: Monitor how someone interacts with your application — whether they copy and paste information, use autofill, appear distracted, or use their mouse or keyboard in an unusual way.
- Email risk reports: An email risk report can tell you when the email was first seen, most recently seen, whether it’s from a temporary mail service, when the domain was created, how active it is, and other information related to the potential risk associated with the email address. The results may be summarized with a risk score or recommendation.
- Phone risk reports: Similarly, phone risk reports help you understand the risk associated with a phone number based on factors like the phone type, carrier, recent usage, and whether the number or SIM card was recently moved.
These signals and reports can help you determine whether you should approve an application, deny it outright, request additional identification, or have someone manually review it.
Uncover commonalities among bad actors
Using link analysis, you can look for patterns and anomalies that you can use to weed out fake students and stop fraudulent applicants.
For example, you can gather data points from known fraudulent student profiles, such as their names, addresses, Social Security numbers, emails, phone numbers, IP addresses, device signals, and browser fingerprinting.
You can then use link analysis to query your entire student database and uncover other accounts that share these identifiers — an indication that they may also be fraudulent. Bad actors’ connections and data can be used as risk signals and added to blocklists for assessing incoming applications, minimizing the recurrence of fraudsters leveraging the same information.
Link analysis can also help you uncover patterns in behavior, such as whether bad actors tend to sign up for certain courses. For example, you might find ghost students tend to enroll in classes that don’t correspond with the same major. A new student who follows a similar pattern may be worth flagging for additional reviews.
Creating dynamic fraud fighting systems with Persona
At Persona, we know that the ability to effectively and efficiently fight fraud is foundational for student identity verification solutions. When you’re trying to build a supportive learning environment, you need trustworthy and customizable systems.
- Verify: With Dynamic Flow, you can create an onboarding process that automatically adjusts identity verification requests based on fraud signals. This type of risk-based approach can help you stop fraudsters without adding unnecessary friction for legitimate students’ experiences.
- Manually review: Cases consolidates information and helps your internal reviewers efficiently resolve cases using customizable templates, views, actions, and routing.
- Link analysis: Using Graph, you can uncover fraud rings attacking your school and identify risk signals that you can use to proactively stop fraudulent applications.
- Reverify: Reverify students who are flagged by Graph or who display suspicious behavior after classes start. Having an automated system for reverification could take some of the burden off of instructors and help you identify ghost students earlier.
Efficient identity verification also doesn’t come at the expense of data security or privacy.
Persona is ISO 27001, Service Organizational Control 2 (SOC 2), and IAL2 certified. We comply with global regulations, including the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). Automated data retention and redaction policies can also ensure you stay compliant with regulations.
Want to learn more about how schools and e-learning companies like Coursera, Preply, and Udemy use Persona to stop fraud? Start for free or get a demo today.