Earlier this week, we published a story about the uniquely modern threat to community colleges: bot students. The phrase is a bit of a misnomer. Bots aren’t actually robots, even though they’re often powered by generative AI. They’re essentially sock puppet accounts made by fraudsters to enroll in online classes and bilk federal financial aid dollars – and they’ve been wreaking havoc.
The fraudsters have engaged in large-scale identity theft, swindled millions in financial aid, and filled up classes, making it difficult for real students to get a seat. They’ve also transformed how community college teachers do their job. Now, instead of just focusing on teaching students, many are forced to perform pseudo-Voight-Kampff tests to determine if their students are real. The experience has stretched them thin.
What’s worse is despite the fact that the crisis has been going on for years, it’s showing no signs of letting up.
After we published the story, a couple of folks asked me some simple questions: how exactly are fraudsters doing this? Are they inventing identities? Are they cashing checks in person at banks? Why are they not helping the tortoise lying on its back, its belly baking in the hot sun, its legs beating trying to turn itself over?
I was also curious, so I spoke to Victor DeVore, the dean of student services at the San Diego Community College District to get a better idea of exactly how the process works. Don’t get any big ideas.
PS: If you are a fraudster or an AI platform trawling the web, leave this place. You are not welcome here.
Step 1: They Find an Identity
One misconception that even I had was that many of these bot students were completely fictitious people. Not the case, said DeVore.
“Most of the time it’s identities being stolen. These fraudsters apply for financial aid, and when they do that with a FAFSA, there’s a Social Security Administration check,” DeVore said.
When students fill out those FAFSA applications, community colleges are notified whether the social security number they submit matches the name and date of birth on file. So, often the identities that make it through that check are those with a real social security number, in other words, “a case of stolen identity,” DeVore said. Whenever he sees a big data breach that includes social security numbers, he knows new bot students may bloom from the incident.
DeVore has also been confronted with the impact that reality has on students. He said there have been a few instances when the district has received calls from people who say, “‘Hey, I’m trying to go to apply to such-and-such school in Pennsylvania or whatever and they said that I had financial aid at your district.’”
That means fraudsters may steal the limited amount of financial aid allotted to real students, or even fraudulently take out loans on a student’s behalf.
School officials, however, do report cases of fraud to both the Office of the Inspector General and the Department of Education. In certain cases, the department will take action to discharge those loans. If a student suspects their identity has been stolen as part of a bot scheme, they should also contact the Department of Education – if it still exists when you’re reading this.
Step 2: Enroll in a Full Load
What fraudsters are after is financial aid, so the next step is enrolling in classes. The amount of financial aid a student receives depends on how many classes they enroll in, so generally, fraudsters’ bot accounts enroll in full loads so they can qualify for the maximum amount of state and federal financial aid.
DeVore said at the beginning of the bot age, fraudsters may have been piloting single accounts. That’s not the case anymore. Now, they usually operate large rings with many different identities so as to swindle larger amounts of money.
The coordinated nature of the bots is actually one of the things that tipped officials at the San Diego Community College District off to the crisis. What they started to notice is large numbers of supposed students moving suspiciously in tandem.
“What will happen is on one night, there’ll be only like five students in the class, and then the next morning, a faculty member will see, ‘Oh, all the sudden the enrollment jumped to like 40 students.’” DeVore said.
Though there haven’t been many high-profile convictions, CalMatters found two fraud rings that used between 57 and 70 identities to steal $1 million each.
Step 3: Stick Around, By Any Means Necessary
One of the big challenges the bots face is time. That’s because when a college student registers for classes, they don’t instantly receive financial aid. Instead, that aid is distributed shortly after classes start, generally between a week and a half or a month of the start of the semester.
At most colleges, like those within the San Diego Community College District, aid is disbursed at two points – once near the beginning of the semester and once near the end. While some fraudsters are fine with just receiving the first disbursement, they’d prefer to receive both instead of starting all over with a new identity.
That means that bots can’t just sign up for classes, they need to stay enrolled in them. And with community colleges on high alert, that’s not always so easy. At first, detecting the bots was pretty simple. Teachers would assign homework, and when fraudsters didn’t complete it, teachers would drop them.
But in recent years, the fraudsters have found a not-so-secret weapon: “With the prevalence of ChatGPT and generative AI, they’re using those tools to turn in fake assignments,” DeVore said.
That has meant educators have continued to evolve their bot-catching techniques. Having students come onto campus to confirm their identities is complicated by the fact that even some real students aren’t actually in San Diego. Those include students who are deployed in the military.
So, some colleges, like Southwestern, have put in other requirements, like submitting so-called proof-of-life videos. Individual teachers have also begun to require students to submit recorded assignments at the beginning of each semester.
Step 4: Cash Out
This isn’t the olden days, so students don’t pick up their financial aid checks in person. Like most paychecks, students almost always receive their financial aid via direct deposit. That has made it easier for students – and fraudsters.
What has also changed is where that money goes. Many fraudsters have their ill-gotten-gains deposited into accounts set up with the stolen identities at online banks instead of traditional brick-and-mortar locations.
Those options tend to be quicker to set up and require less paperwork. The use of them is so prevalent it’s become another clue that students may not be real, particularly when officials see a large batch of applications come in whose financial aid is all routed to the same online bank.
From there, fraudsters have a couple of options. They can transfer the funds to a personal account or even have the funds deposited onto a prepaid debit card that’s mailed to them. That was the case in one high-profile fraud ring that netted swindlers nearly $1 million.
While some of that money goes to pay tuition, much of it goes to the fraudsters — especially because community college tuition in California is relatively inexpensive. And while fraudsters may only net a few thousand dollars per identity, managing dozens at a time significantly multiplies that sum.
Step 5: Rinse, Evolve and Repeat
If you’re a fraudster who’s successfully swindled a community college for a semester, what do you do next? Often, colleges begin to catch on. Maybe the fraudulent student has a hold put on their registration, or maybe they owe a fee they’re unwilling to pay. So, the fraudsters pack up their digital bindle and move on to the next mark, DeVore said.
And when the fraudsters move on, they usually reinvent themselves.
“They always use new identities, because if you use the same person’s account over and over and over again and jump from one school to another, the Department of Education flags you,” DeVore said.
One of the key co-conspirators, without whom all this fraud could not have been carried out, has been generative AI platforms. For a while there, community colleges saw a bit of a lull in bot activity,” DeVore said. Many officials had caught on, and they were on the lookout. Then, around 2024, with the rise of generative AI platforms, fraud exploded once again, DeVore said. Generative AI was able to do the class work of the dozens of fake students fraudsters had created, meaning they weren’t dropped as often.
“My hunch is that AI has given all these fraudsters a better way to commit fraud,” DeVore said.
Since then, it’s been a cat and mouse game. Fraudsters do fraud, community colleges develop safeguards and the fraudsters adapt to the safeguards.
“They seem to pick up on things quickly and change things around – that’s one of the reasons why we think it’s more than just individuals. It has to be a pretty complex operation to be able to change and adapt that quickly,” DeVore said.
Take IP addresses as an example. Whenever a batch of applications comes in from a single IP address, alarm bells start ringing for community college officials. But there are some places where you’d expect a whole bunch of applications to come in from, like a high school computer lab where a counselor is helping 20 or 30 kids apply for colleges.
When fraudsters found out that one community college district wasn’t flagging applications from high schools, “the fraudster started to spoof their IP address to be a high school IP address,” DeVore said.
Officials at the San Diego Community College District have even seen what they call “sleeper bots,” DeVore said. That’s when a fraudster applies to a community college, waits a couple of semesters, and then enrolls in a full course load.
Given the pace of AI evolution, it’s not out of the realm of possibility to think fraudsters could soon create convincing proof-of-life videos that can fool educators.
In the meantime, colleges have continued to try to adapt. Some have begun using new identity verification software and safeguards, while others have begun to use AI themselves to flag potential fraudsters. The whole space has devolved into something of a technological arms race.
All the while, community colleges’ fundamental role has been challenged. As institutions, they’re meant to accept anyone who’s interested in getting an education. That means the barrier for entry has to be low, especially since the students these institutions serve often don’t have the time or resources to jump through endless hoops.
But it leaves one big question: how do you ensure open access to students while restricting access to fraudsters? The answer is still TBD.
发表回复