Higher education institutions have become top targets for student fraudulent activity and scamming. As these threat actors continue to advance, it is more important than ever for universities to have the right tool sets in place to detect and filter out fake student applications.
In this episode, Jason and Steve welcome Maurice Simpkins, President of A.M. Simpkins and Associates, to discuss the interconnection of higher education fraud and cybersecurity. Both parties have the common goal of keeping institutions protected and maintaining the highest standards of academic integrity.
Higher education institutions have become top targets for student fraudulent activity and scamming. As these threat actors continue to advance, it is more important than ever for universities to have the right tool sets in place to detect and filter out fake student applications.
In this episode, Jason and Steve welcome Maurice Simpkins, President of A.M. Simpkins and Associates, to discuss the interconnection of higher education fraud and cybersecurity. Both parties have the common goal of keeping institutions protected and maintaining the highest standards of academic integrity.
00:01
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity, with your hosts, Jason Pufahl and Steven Maresca.
Jason Pufahl 00:12
Welcome to CyberSound. I'm your host, Jason Pufahl, joined as always, by Steve Maresca, and a special guest today, Maurice Simpkins, who's the President of A.M. Simpkins and Associates. Welcome, Maurice.
Steven Maresca 00:24
Hi there.
Maurice Simpkins 00:25
Thank you for having me, Jason.
Jason Pufahl 00:26
Yeah, I'm looking forward, so so we had the opportunity to connect at the recent EDUCAUSE Conference. It was sort of happenstance, I was just strolling around, and I'm not sure what it was, I think it was, honestly I think it's just how well dressed, how well dressed you were, you caught my eye. And I said, I want to talk to this guy. And it turned out, boy did we have, we had some real synergy, I think in what we're doing in the security space, and what you're doing in that sort of the higher ed, application fraud and prevention space. So if you could maybe open up with, you know, what your company does, what the, you know, sort of what that problem you identified and how you're trying to solve that?
Maurice Simpkins 01:04
Most definitely, thank you. So, I am the President currently at A.M. Simpkins and Associates, and we are a higher education focused firm based out of, currently out of the Atlanta, Georgia area. And our most recent product to market is called Safe and it is a platform, the Student Application Fraudulent Examination is what Safe stands for. And the platform is built to be an additional, or the line of protection for institutions, higher education institutions who are receiving student applications from any of their various systems. But it is that level of protection to provide them a, you know, a multi point risk assessment of each application coming through for the chance of being fraudulent or not. Higher education in recent times has become pretty much the number one target for fraud and for scamming activity. And so, as we've seen this uptick in this major swing across the nation, not just in community colleges, or in large institutions, you have Ivy League schools, you have some of the more prestigious schools that are still having these issues, you know, various faiths. And so when we knew that it was a identifiable problem, ourselves and our team went to work and the Safe platform is what we brought to market, and we're having great success with it thus far.
Jason Pufahl 02:29
So, the numbers that you gave me when we spoke, were pretty astronomical, so correct me if I'm wrong, I think the the issue is probably biggest right now in the community college space. And, but you're seeing, in some cases, up to, what, greater than 30% fraudulent applications. Are my numbers there right?
Maurice Simpkins 02:50
I mean, we've seen a lot of fraudulent applications work. We had a client that we were meeting with and talk to here and recently, and over their Christmas break, they had fraudsters went to work. And you know, it got to the point of where, in some cases, 90% of some of the classes that were registered for during that period, were fraudulent. 27 out of 30 were fraudulent, leaving three official records, students in those classes. And what had happened was, you know, the institution, because when they came back from the break, they didn't really have time to assess all of the data and look through and see what was good and what was bad. They did what institutions do, they went out, made sure facilities was in place, made sure they had the adjuncts and the professors that were ready to go. And then a few weeks in, all of these people leave, and some of these professors are sitting here with three seconds in their class.
Jason Pufahl 03:50
It's crazy.
Maurice Simpkins 03:50
And it's a major travesty there because now it is affecting, you know, IT, it is affecting operations, it's affecting capacity planning, it's affecting, you know, financial aid and you're talking potential chargebacks, you're talking potential fraudulent payments. It's a lot of involvement, once this, this problem has kind of what I say is gotten it's foothold inside of a higher education institution.
Steven Maresca 04:16
So what are the primary motives for a fraudulent application? Financial, reputational, like, what is the fraudulent entity getting out of it?
Maurice Simpkins 04:26
And you know, I was asked that question at NERCOMP this year, and it really made me rethink because there's so many different ways and so many different reasons. Traditionally, or you know, the past, in the past, you would think students or these fraud actors were after the .edu emails, which are you know, coveted. No phishing filter in the world is going to stop that edu email, so you have the ability to have an open gate phishing, if you want for that instance, or sell it for cheaper, you know, software, Microsoft, Adobe, um, all these different products and even some systems you can get for cheaper if you have a .edu email. And so that was traditionally the aspect that we thought the scammers were after, but it's now. And it's really since the pandemic where I think, you know, the scammers see funds being directed toward higher education, understanding higher education was late to the table with the digital transformation, a lot of colleges at the time of the pandemic, were still receiving paper applications, and so having to make that jump quickly and efficiently, what the one thing a lot of places tend to, you know, to overlook in cases is how much security, how much, you know, detection of certain things and putting in place. And so now the fraudsters have gone so far as to registering for classes, using fake credit cards, and getting, you know, real refund money back either to them or to some fake person, you know, they're creating, they're using stolen identities, they're creating what we call synthetic identities, where they're grabbing data pieces from all over the internet, trying to make us believe this person is real, so they can get that check sent back to them for the refund. But we've most recently had an institution tell us about something that I thought was just mind blowing. They were notified that some of the fraud actors and the scammers that were applying through their institution and getting as far as registering for classes and dropping for those classes, were actually doing so to to launder corporate funds, or launder funds from a corporation. They had gotten access to a corporation's credit card account, and was using that to register for classes at different institutions, and then would get a refund checks and cash them at the actual bank of that company to make it look like it was real. And so, you know, you ask about, why are they after it, it's so many different ways, I think the underlying factor is, they don't have a better way of trying to make money. And this is what they've chosen to be as their way of trying to make a living. For us, this is our way of living to shut them down, because no matter what, what they're after, our goal is to prevent them from getting to it.
Jason Pufahl 07:13
The, you know, one of the interesting things, I think that you had mentioned was, you know, the, a lot of these things are successful, because maybe of time constraints, right? A, the human beings weren't able to go through the process of validating these applications. One, perhaps because there's just the volume is too high, two might be just because there's timeframe issues. But you mentioned to me that they're as thorough as finding residential properties that are within sort of geographic location that makes the applications make a lot of sense if people even did review them. So I mean, they're putting a lot of effort into ensuring that they appear to be as you know, as real as they can, right, with real addresses, real credit cards, real information, for the purposes of then ultimately withdrawing, capturing those funds, and causing a lot of a lot of damage to the institutions.
Maurice Simpkins 08:07
Oh, yeah. And Jason, that's what's, that's what's been funny, is the lengths that some of these scammers will go to. When you think about it, potentially it's bots, because you can think about the ability to create a bot and get it to get smarter and smarter over time. But we had an instance where a record was scraped from an online record to grab the person's demographic data. And then to grab the address information, it was pulled from a Redfin, it was so funny, it was pulled from a Redfin listing online. And we knew it because on the Redfin listing, it didn't name the name of the high school, it just put the school district, and on the actual application, this person actually put the school district, not the name of the high school in the high school field. So, it was easy for us to say this data was pulled from Redfin. But when we went in to start looking a little deeper, and a little deeper, and a little deeper, we're like, wait a minute. This property is owned by someone who has a last name of Hallock. The person on the application's last name was Hablock. And I'm like, what's the chances that someone with the naked eye would have caught this? Thinking about it, what's the chances? And so, and I spoke slowly there because as I said that I want it to be picked up, like what are the chances when you're looking at that, that someone's going to pick up with the naked eye, that's going to be looked over, oh, that's maybe a typo and keep moving, where we're like, no, no, no, no, something else is up here. This needs to be pulled out for review at a later point, and let's review it again. And again. And that's really what you have to do because these scammers are getting smarter, and smarter, and smarter. We're having to bring in every type of data you could imagine, not just data that was traditionally used for ID verification.
Steven Maresca 10:14
So when I worked in higher ed, personally, I worked in identity management, before I left for private sector, and there was a great deal of tolerance for, you know, name and field mismatch, typos and things of that nature. So what you're ultimately getting at is the the mechanism of fraud here leverages the bias towards being accommodating, that is so prevalent in higher ed, and the time delted between submission and recognition of something that's untoward. I mean, how do you shorten the timeframe, then? Well, what is, what are the strategies that are the most successful for identifying fraud of this nature and getting it out of the system before it's, you know, possible to transfer funds, or something to that effect?
Maurice Simpkins 11:03
That can be difficult, especially in a higher education model like we're in now, a lot of the community colleges deploy, you know, instant enrollment, you apply within a matter of moments, you're getting an email, you're getting some kind of automated correspondence to get you move through. These are places where the scammers are just living because if they can hit you with as many as possible, they don't care if only one or two or three gets through. That's all they need. And they've gotten, you know, they've gotten it in, and so these attacks have been, you know, in that in that manner. So we'll say more so versus some of them have been not so much of a grand attack as it is. I kind of, I call it penetration testing, is a lot of what we're seeing as well, where they tried and one method, they get shut down and try the next method, and they keep tweaking those applications until they get through. And not to mention that there are right now live Python scripts that you can download online that have YouTube tutorials that tell you how to do the process of getting these bots to apply to school for you. And I know I got off subject a little bit to throw your question out there again, but I kind of, was on that, it was in my mind.
Steven Maresca 12:24
I mean, I'm interested in the segue candidly, because naturally as the security focus people, when you say pen testing, I immediately think you know, there are identities that are being issued. Certainly, it's possible to impersonate and send emails and phishing campaign and things of that nature, but issuing of an identity and having access to courses and potentially systems like VPNs, I mean, there are many, many other things that an attacker could achieve by merely passing the gate in a convincing manner.
Jason Pufahl 13:00
I mean I think that's the overlap here between, what we do on a regular basis, and then the, you know, the transition into more sort of fraud defined fraudulent activity, right?
Steven Maresca 13:10
Yeah, I can see ransomware being a very easy next step for something of this variety.
Maurice Simpkins 13:16
You guys are thinking like, I just got chills, because you guys are thinking like, I'm thinking like, literally, that's exactly where, I'm not joking, I've got all choked up there. That's where I want to, that's where I want this to go. I, as a very young developer, read the book, The Gift of Fire, everybody doesn't read that book, it's about coding and the ethics about it and around it. It's something that I kind of require for my team and I, we work in data security, I love that book. But everyone doesn't operate like that. And now we are out and trying to, you know, stop the people who are trying to get in from different ways. When I look at it as kind of like this, the cybersecurity team is like your, your security, your arm security at your home, they're looking for the robbers, you know, they're looking for the bad actors who are, who look like they may be a little suspicious. What our platform is doing is, you know, finding those, those people that you may trust to come inside the home who may not be trustworthy anymore, once they get inside the home type of thing. And so what we're doing, I think is can really work in tandem because if I can do penetration testing, and I learned penetration testing very early, penetration testing is much easier from the inside than it is from the outside. So the first step if I'm trying to get into an institution to do something malicious, get a .edu, so I'll send 1200, I'll create a bot, send 1200 applications, I don't care, only one of them needs to get through. Now I've got that one .edu, I start emailing this teacher and started getting you know, specific type of information. I get a conversation going with them, tell them I'm going to be in there class, I'm a dog person, what kind of dog do they have? What kind of dog do they have? I'm just, you know, just pilfering this information, like, I've done this guys, I've literally done this to show how easy it can be to get into this information, and you didn't speak on different things. Oh, you like NASCAR? Yeah. You know, who do you see, you know, Donald did pretty good the other day, Harvard didn't do so well. And now this oh, well, my favorite driver is and so now you have these different things to try to penetrate even more, and now you keep writing them and you text them, you send them a text message later, hey, I'm gonna be doing this, this, I'm in a bind. Can you help me out? All the teachers had a conversation with you for a while, they said, okay, yeah, I'll shoot you a Cash App. And from there, you have enough information to go off and be as malicious as you want with that person. And now being able to let that be your segue into the institution attacking other folks and getting it to be seemingly accepted because you have that .edu. You know, we're not even, we're talking way past just the effect on the IT and financial aid, we're talking about, you know, that .edu is precious to institutions. You ever had, I can write and say, hey, we're going to start blocking all emails from your domain, because it's been known for phishing? That could kill an institution to have something like that happen. But those are the types of things that institutions are subjected to, when there is no level of protection, or when you can let someone in through this manner, but you have the most outstanding cybersecurity in the world. How much is that cybersecurity going to block known students? Quote, unquote, in its in its processing of being secure?
Jason Pufahl 13:16
Right.
Steven Maresca 13:32
Right, so something of what you just mentioned makes me think of the duration, the dwell time of these attacks, you know, you've talked about them being somewhat front loaded to registration, and then dropping the course really toward the beginning, before they have barriers against dropping courses and things like that. But what about the longer term cons? I mean, are there any that persist over the duration of a semester that builds trust, because, hey, they took a course therefore, they're a real constituent and enabling you know fleecing of a different manner. Maybe, you know, worth the money and effort expended upfront, to gain something else.
Maurice Simpkins 17:21
Yeah, there are. There was actually, we were speaking, I spoke at SESUG out, the SouthEastern Data Users Group it's a users group now in Myrtle Beach last year, and at the end of my speech, one of one of the constituents there, he was like, hey, I'm not proud to speak on this. But you know, what we've had in recent times, is folks who are buying houses and buying cars, calling us and saying, why are you on my credit report? Why does it say I owe you money, and I have a loan to your institution? And the guy's like, well, that's because you attended here for two years, you actually have a degree sitting here that you owe us for. But it looks like this is not your degree, so you owe us for it. But you cannot use it. Nice to meet you though. That's kind of how that's been. And they had it happen multiple times. And so, you know, when these scammers say, okay, what is the what is the four or five grand a year from Pell Grant, when this is an institution that may cost 25/30 grand, I can now impersonate them as a loan, get that money back for the loan, and let them be on the hook for it in the long run. And that's essentially, you know, some of the other infrastructure that these scammers are working in.
Jason Pufahl 18:33
So let's transition a little bit, because I think we're bumping up against time. And it's really one thing I definitely want to cover, which is, everybody's talking about AI, and I think it's become a much more mainstream vernacular since ChatGPT. If I recall our conversation, you're utilizing AI and your tool to do this, right? It's not, you don't have a team of people who are looking at these applications on behalf of an institution, you're doing this programmatically, and I'd like to spend a minute on that.
Maurice Simpkins 19:01
Yeah, we're doing we're doing this programmatically. So we've been in the world of integrations, our flagship product was an integration to Amazon Connect that came out a few years ago. And with that platform, what we started providing was data verifications with addresses, phones and emails for all records moving through for all students. And so essentially, that ability graduated to us learning how, you know, the fraud actors were working, teaching or being able to teach our systems some of those patterns, and being able to train it with purely like, I'm not joking, nothing but higher education data. And I think that's one of the things that is important because the data in higher education looks completely different than the data in the private sector. And so, working and training the model in that manner has been beneficial for us. But again, I don't think you could actively and readily find fraud at the speed that the scammers are moving without some sort of, you know, AI or some sort of bot that can get as smart as they are, because they're utilizing bots that, you know, 15 minutes, 25 lines of code, can attack 35 schools, and that that are getting smarter by the minute. And so we want to be able to utilize that same infrastructure, our team has partnered and is utilizing a fraud detection infrastructure within the machine learning for AWS to be able to pull that off on our side. And so that's what we're leaning on, as far as our machine learning infrastructure. But again, keeping that in house with the, you know, the higher education data that we've been working with.
Steven Maresca 20:37
I mean, certainly you have to go toe to toe with the tools that the threat actors are using otherwise, frankly, there's no hope of success. So it makes a great deal of sense to me.
Maurice Simpkins 20:45
Yeah, and there's so many data points you really have to consider. I mean, you're talking real estate records, you're talking census data, I mean, just to kind of give you an idea of the type of things you're talking, you know, looking at a census and seeing if there is someone who lives in that home that is within the age range, or was in the age range at the last census, that would be going to college and is this age. And if not, then let's start looking at some other deeper endpoints to see how, how good can we get in identifying this fraud. And that's some of the things that we really wake up and do everyday, like you guys are keeping your ears to all the different issues and cybersecurity to new bugs and new different attacks that are happening. I'm the same side, I'm trying to get an understanding of how the new actors are operating because they are utilizing AI as well, Jason, we've seen not just the applications being generated utilizing AI, but also some of the additional data on those applications being utilized as AI generated data as well.
Steven Maresca 21:52
You mentioned synthetic identities, how synthetic? I mean, I've heard of fraud being conducted with you know, contrived images and headshots and things of that variety. Is it going to that extent, or is that not part of your analysis?
Jason Pufahl 22:07
That's interesting, I hadn't even thought of that Steve, like using some of these tools now to generate a digital version of somebody?
Steven Maresca 22:13
Yeah, ultimately, we're talking about abuses of trust. I mean, social media in particular, is rife with this sort of issue. I can imagine it's if not already occurring, at least on the horizon.
Maurice Simpkins 22:23
And that is one of the reasons why it is so important that you know, the data sources work together, I am ecstatic about just having a conversation with you guys, because I can see where this can go in further when it talks about fraud on a greater level. But when I think of a synthetic identity, that's kind of like an identity that was created of, you know, real pieces of data that was put together so that it could pass a certain filter. So a real person's name, maybe an address that looked very close to their address or the same street, or it'll have an off number, like on my street, you can't have even numbers, but let's say it's an even number on that street, things like that. They'll have a very closely related phone number, but the phone number will potentially be off. And in recent times, I mean, this is so funny, you mentioned this, we were in our tech meeting a couple of weeks ago reviewing the AI model that could create images of people because we're like, like we're talking our team, our backend team was just like, wait a minute. So we need to now because we have an ID verification process, which allows you to verify a person's ID and things as part of savings, like we need to get that pushed in front of every client, because this can now become a major problem. Not only can I create a fake identity of myself, I can create a completely, you know, a complete image of what I want to be able to look like and to present it to you, I can make myself look as harmless or as harmful as possible to try to get through whatever filters that you have. And so when I think of identities, it's these identities that and again, knowing that we and this is what science, synthetic identities can really help be, knowing that we check other known data points, let's say they've used the synthetic identity, this fake information to get an account at Best Buy, to get a gas card, to get an account somewhere else. So now there's verifiable accounts that most data, most data verifications are going to look at. It's like, oh, yeah, this is good. We see it as we see it here. We see it there. We see it there, and allow it to be verified, where our system looks at those data points. And whether you identify as potential synthetic identity, then you go in and look a little deeper, and those are becoming more and more prevalent. It was a wave of deceased, a wave of stolen, now it's synthetic as they're mixing and matching all the data together.
Steven Maresca 24:51
Well given the prevalence of spouses, family members, siblings and things like that, that are likely to attend after an initial entry into a school, that is a difficult problem to solve. So I can appreciate the problem domain.
Maurice Simpkins 25:07
Yeah, the web is wide.
Jason Pufahl 25:09
Indeed, it is really nice, though, to hear just how similar our perspectives are, as it relates to, I mean, frankly, what you're doing is, how do you best protect your clients? And frankly, how do we all protect institutions that are as important as higher ed, and, you know, they're, they have a culture of permissibility or permissiveness. And I think, you know, they need partners, like you, who can really sort of stand alongside them, helping them to identify areas of risk and areas of potential fraud in the future. So I think what you're doing is great. I'm gonna be really interested to see it evolve. Because I think you're on the you're on the forefront of a looming huge problem.
Maurice Simpkins 25:54
Oh, yeah. Oh, yeah. And I mean, we're we are, we're facing it head on, I will tell you, it is a looming problem. And it is something that we're just excited to be part of, this is a passion for us. Everything our company does is a passion project. I'm a passionate guy about higher ed. And so when this problem came up, it was almost like, you know, I played defense, most of my life, but I can also be a pretty good blocker if I needed to be. So someone just hit our quarterback pretty hard, okay, I gotta go down and play offensive line for a little bit. So make sure that next time he comes through here, he's going to get hit a little harder, it's going to be a little bit tougher for him to get through this line because the quarterback, you know, that's our financial aid, our registrar admissions, that's what I call up the hill, as an athlete, those folks need to be protected by all causes, you know, they lead the team through the championship runs. And so for us to do that, and we know that admissions and enrollment leads the thriving ability of a lot of institutions to keep them moving, for retention, and so forth, and so on. So it's my job to come down and get on that offensive line, and make sure that they're protected. It may not be the position that I was meant to play, but it's the role that I will be willing to die on that hill of stopping this fraud, scamming activity, you know, from coming into higher education, it's, it's a I look at as a group of helpless, helpless araignee, where as a whole, I think, you know, higher education is a great target. There are certain schools that you could go after, and they're gonna pop your hand and say back up, but there are a lot of schools that are open and are getting just inundated in this fraudulent activity.
Jason Pufahl 27:40
I think that was a motivational ending. I love the story. And I love the description of sort of the why behind your thinking. So I hope that we have, I'm sure we will have a chance to talk in the future. I've enjoyed, I've enjoyed the conversation. We had EDUCAUSE, I certainly enjoyed this one. Wish you the best, and I look forward to talking again, in the not too distant future here.
Maurice Simpkins 28:05
Most definitely, we're going to be on the forefront of cybersecurity and fraud prevention together, Jason, I appreciate it.
Jason Pufahl 28:11
Maurice, it was a pleasure. Thanks for joining.
Steven Maresca 28:13
Thanks very much.
28:15
We'd love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn or on Twitter at Vancordsecurity. And remember, stay vigilant, stay resilient. This has been CyberSound.