Scammers take advantage of California community colleges’ inadequate cybersecurity measures
223616586 © Steven Cukrov |


Scammers take advantage of California community colleges’ inadequate cybersecurity measures

California’s community college system could identify and even thwart bots much more easily if the state implemented and followed a full cybersecurity plan. 

Two years after California pioneered a program to provide two years of community college without fees or tuition the state has been hit with a wave of phantom applicants and students. The fake applications and registrations, often created by web bots using Russian software, are intended to obtain “.edu” email accounts that can then be used to receive student discounts from private businesses and submit fraudulent financial aid applications. The growing problem impacting schools and businesses is a good reminder that it is past time for California and other states to develop and implement full, effective cybersecurity plans. 

California’s tuition-free community college application process is fully online and no registration fee is required. Once the application process is completed, the prospective student obtains a .edu email account. No admission decision is required to get the email address. According to a report in CalMatters, the Contra Costa Community College District alone identified nearly 40,000 fake student accounts in the fall 2020 semester across its three campuses. CalMatters reported:

At least 10 districts or individual colleges have told CalMatters they’ve had increases in fake applications, registrations, financial aid filings, or some combination of the three. The Chancellor’s Office estimates that about 20% of the traffic coming to the system’s online application portal is from bots and other “malicious” actors.

Bots are filling up classes, in some cases preventing real students from enrolling. And identifying and blocking the fake student accounts is taking up considerable staff time, college officials say. They say the system is being targeted partly because it is open enrollment and does not have an application fee. 

Store discounts and other benefits are often available to anyone with a .edu account, including, for example, six months of free access to Amazon Prime, free Google Drives with no size limitations, reduced-price software, and numerous other discounts.

And even greater benefits are potentially available to scammers pretending to be phantom students who enroll in classes and successfully file financial aid applications. Since most California community college students are not required to pay tuition or fees, there is typically no out-of-pocket cost to enrolling in classes. But enrolling in classes and completing a fraudulent Free Application for Federal Student Aid (FAFSA®) could result in a federal financial aid intended to offset the cost of textbooks, supplies, rent, and other living expenses. One California district, Peralta Community College District, admitted to disbursing $179,000 to fraudulent students, according to EdSource, and this could be just the tip of the iceberg.

The problem recently rose to the attention of the U.S. Department of Education, which sent a circular to colleges nationwide earlier this month reminding them of their responsibilities to identify and prevent financial aid fraud. But the Education Department waiving most verification requirements in the application process has contributed to the problem of fraudulent bots.

All California community colleges use an application system called CCCApply.  The application process takes only a few minutes to manually complete (and can be done nearly instantly if using a bot). It does not require the applicant to upload a high school transcript (although it does ask for the name of the applicant’s high school, graduation date, and certain grades). To accommodate undocumented residents, CCCApply permits applications that do not include a Social Security number.

Setting aside the cybersecurity issues for a moment, making college attendance increasingly cheap and easy may lead to diminishing marginal returns. Even before the state’s latest effort to make community college free, only about 30% of California community college students graduated or transferred to a four-year institution, suggesting a lack of commitment to the educational process. In 2010, the Los Angeles Times reported:

Seventy percent of students seeking degrees at California’s community colleges did not manage to attain them or transfer to four-year universities within six years, according to a new study that suggests that many two-year colleges are failing to prepare the state’s future workforce.

Conducted by the Institute for Higher Education Leadership & Policy at Cal State Sacramento, the report, released Tuesday, found that most students who failed to obtain a degree or transfer in six years eventually dropped out; only 15% were still enrolled. In addition, only about 40% of the 250,000 students the researchers tracked between 2003 and 2009 had earned at least 30 college credits, the minimum needed to provide an economic boost in jobs that require some college experience.

This can call into question the benefits that some advocates say come from a taxpayer-funded community college education. Today, with many community college classes being taught online amidst the pandemic, it is even easier to enroll for classes without making a serious commitment or ever actually intending to attend class—so easy, in fact, that even a bot can do it. To prevent wasting taxpayers’ dollars, it will be crucial that California and other states improve their security processes and consider ways to prevent this type of fraud.

California’s community college system could identify and even thwart bots much more easily if the state implemented and followed a full cybersecurity plan.  This would involve California taking responsibility for all its public-facing software, and making the necessary investment and organizational standards to identify and prevent this kind of fraud.  

“GovTech and enterprise architecture set up standards and boundaries that all state software has to comply with and creates regular code and tech auditing schedules to help catch this kind of fraud and warn of potential vulnerabilities before the software ever gets released to the public,” Spence Purnell, director of Reason Foundation’s tech policy, said.  “Investing in good technology with data organization, privacy and security features can save California and other states substantial amounts of money in the long run.”

To further reduce fraud, colleges could also require applicants to pay at least a nominal application fee and/or make a modest tuition or fee payment when they enroll for a semester. If there is a continued need to avoid in-person contact with admissions and registration officials due to the COVID-19 pandemic or a more permanent shift to online learning options, students could be required to obtain and upload transcripts or other documents verifying that they are eligible for college. And banking, financial or tax records could be required as part of the submission process for financial aid applications. Since just about every would-be college student has a smartphone with a camera in 2021, photographing and uploading the necessary documents is not too much to ask of most applicants.

These steps would likely help prevent private businesses from being taken advantage of via the use of fake .edu emails. More importantly, they could help prevent financial aid money—paid for by taxpayers— from wrongly going to scammers.