Guarding Against Admissions-Targeting Spambots

Higher education institutions have long been targets for cyberattacks. Phishing and ransomware are perhaps two of the most widely known methods used, but in recent years, a more sophisticated method of targeting institutions has emerged—spambots that specifically go after admissions systems. 

A report from the security software firm Check Point noted that, in July 2022, the education and research sector experienced more than double the number of weekly cyberattacks as other industries, with an average of almost 2,000 attacks per organization every week. Spambots were used in 2021 to target community colleges in California, which resulted in more than 65,000 fraudulent financial aid applications, according to reporting from the Los Angeles Times.

To thwart spambots from successfully targeting admissions systems and harming institutions, cybersecurity experts say a collaborative approach to solving the issue is needed.

How Spambots Work

According to Check Point’s Aaron Rose, a security architect for higher education institutions like the University of South Carolina, the last few years have created an environment ripe for spambots. 

“Due to COVID, there was a substantial increase in the amount of online offerings,” Rose explained. “The requirement to physically go onto campus to enroll was reduced or eliminated at a majority of universities.”

Additionally, the rise of artificial intelligence has contributed to how easily spambots can be used. 

“ChatGPT, which has been all over the news, has the ability to write code for you,” he said. “That makes the barrier to entry very small for people; you don’t have to be a hacker.”

Spambots are computer programs that are created to access websites in “less than ideal ways,” explained Charlie Kirkpatrick, a lecturer at the Old Dominion University School of Cybersecurity. The automated routines go to websites and probe for weaknesses. In admissions systems, he said the “apply” button is a point of vulnerability if it’s not adequately guarded.

Institutions with open enrollment policies, such as community colleges, have been the primary target of spambots because they tend to have higher financial aid rates. 

“It’s much easier for bots to apply because they don’t have to write an essay,” Rose indicated.

Nevertheless, small institutions are also vulnerable.

“Smaller schools most likely aren’t going to have the IT or security teams you’re going to see at some of the larger universities,” Rose said. “They’re probably going to have fewer security controls in place, so it’s going to be a much more attractive target.”

Lori Sussman, an assistant professor of technology and cybersecurity at the University of Southern Maine and director of the university’s Cybersecurity Awareness, Research, and Education Support Center, agreed, “The more obscure you seem, the more that you will be seen as an easy target. Criminals go to the path of least resistance.”

Purpose of Bots

“The most prevalent and harmful bots we see in higher education include those designed to generate fake enrollments, which are then used to gain access to financial aid,” Amy Holtzman said. She is the chief marketing officer at the go-to-market security firm CHEQ, which works with higher education institutions, including Regent University.

Rose pointed to the various COVID-19 relief bills that Congress passed, which had “a ton of funds for financial aid,” as essentially sweetening the pot for cybercriminals. Aside from seeking to secure financial aid falsely, it’s very lucrative to have a .edu email account, Sussman said.

“It’s pretty easy to get one as part of the admissions process, especially at community colleges, because you have to make an account,” said Sussman. “All of a sudden, you have a community college .edu account so that you can check on your application process.”

Nick Merrill works as a research fellow at the University of California, Berkeley Center for Long-Term Cybersecurity and is the director of the university’s Daylight Security Research Lab. He noted that a .edu domain is “good for sending spam.”

Impact on Marketing

Spambots aren’t just causing havoc for cybersecurity professionals but also making it more difficult for institutions to recruit new students effectively. 

“They cause a big headache and a lot of wasted time for admissions officials,” Merrill said.

This comes at a point when enrollment across the nation is faltering, down 1.23 million undergraduates for the fall of 2022 compared to pre-pandemic numbers in the fall of 2019, according to the National Student Clearinghouse Research Center.

“I would imagine it inflates marketing spend per student—meaning the farther down the funnel, the more time/money is spent on a student,” observed Chris Huebner, Volt contributor and director of activation at the higher education marketing agency SimpsonScarborough. 

That impact isn’t trivial, as it costs an average of $2,795 for four-year private schools and $494 for public schools to recruit a traditional student, according to a 2022 report from the higher education enrollment firm RNL. 

Rose explained that the goal of advertising platforms such as Google Ads is to show users the most relevant advertisements. One way of doing so is the collection of data through HTTP cookies.

“When you have bots doing all of this automated web browsing, searching and going to university websites, you begin to skew the profiles. They tend to think that a bot or IP address is interested in enrolling in school,” he explained. “Universities are very competitive because they need to fund their programs. They’re paying high dollar for these advertisements. Every single time they’re being shown or clicked on by a bot, that’s essentially money that’s, not by the fault of the ad provider, being taken illegitimately from the university.” 

Sussman added that it becomes more difficult for marketers to gain accurate demographics any time fraudulent accounts are made. 

“If all the sudden your registration increases by factors of tens or hundreds, you’re either doing something right or you’re looking at a bot attack,” she said. 

Jamie Hunt, vice president for university communications at Old Dominion University and Volt Insights contributor, agreed with Sussman, “Bots can interfere with marketing by distorting campaign results, which makes it challenging to measure campaign performance and optimize future campaigns.”

Malicious, and even unsuspicious, bot activity reduces the effectiveness of online marketing, Holtzman noted. 

“It can deplete ad budgets, distracting attention away from intended audiences and/or making way for competitors to secure prime placements; it can flood systems with fake data and requests, preventing legitimate requests from being received and diminishing conversion rates; and it skews performance metrics, leading to a lack of understanding of genuine interest, campaign effectiveness and high-priority opportunities,” she said. 

Mitigation Strategies

When such instances do arise, Sussman said the marketing, registrar and cybersecurity teams should look for trends that indicate spurious activity and remove them to maintain the data’s integrity. 

Kirkpatrick suggested developing some kind of system that can compare current applications with the previous year’s submissions to see if there are any unusual trends. An unusually high number of applications from outside of the school’s general service area is just one example of possible bot influence.

“The best way to protect marketing budgets, campaigns and data, as well as mitigate other risks posed by bad actors across your site, is to first understand your invalid traffic and vulnerabilities, then to create a plan of action,” Holtzman explained.  

She suggested using services that provide detailed scans that show the impact of fake traffic on college admissions sites and across acquisition efforts. 

 Understand the site’s invalid traffic and vulnerabilities, then create a plan of action.

Doug Streit, executive director of IT security and planning at Old Dominion University, advised that awareness among marketers that bots are out there can go a long way. Once they acknowledge that fact, they’re then able to factor the latest malicious activity trends into their campaign strategies. 

Although the inability of an institution to properly market itself to prospective students is a major detriment, the impacts are much further reaching. 

“The risk to higher education institutions can be significant,” Holtzman stressed. The cost to remediate attacks, she said, can deplete already limited budgets. 

Rose noted that successful spambot attacks on admissions systems can severely damage institutional reputation.

The damage also extends to students. “I also imagine that they take up seats from real students, which can cause measurable harm for the students who didn’t get to pursue higher ed that year,” Merrill said.

AI as Defense 

There are technologies out there that can specifically look for bot behavior. An example of suspicious behavior might be clicking in a static instead of a natural pattern and going directly to the application page instead of first clicking around. Rose equated it to turning “machine learning and artificial intelligence back on the attackers.”

“We can essentially fingerprint a user; we build a profile of that user and their typical behavior,”  he explained. “If we see the same user doing the same thing many, many times, we create a reputation score. Based on that, we can choose to block the user, if needed.”

CAPTCHA and reCAPTCHA challenge-response tests, for example, can be used to distinguish between human and computer usage. 

“An automated routine would have difficulty acknowledging and reading and typing distorted text,” Kirkpatrick said.

Institutions can also block IP addresses that are known to be VPNs used by attackers. 

“That would be easy to do,” Rose said. 

Merrill cautioned that possible discrimination against people based on their national origin and native language should be factored in when looking at artificial intelligence solutions. 

At the end of the day, he added, “AI-based solutions are always going to be an arms race between attackers and defenders.” 

Kirkpatrick added that frontend preventions might also prove successful in thwarting spambots. Examples of this measure include not allowing prospective students to submit a formal application until after they’ve first had a phone consultation with an admissions staffer. 

Collaborative Effort

Sussman observed that higher education has historically functioned largely in silos, where cybersecurity professionals only participated when it was necessary. Given the digital transformation of the industry, with online applications and online classes part of the norm, she said a “culture of cyber safety” is now needed. 

“People are your weakest link and your greatest strength,” said Sussman. 

When new admissions processes are being developed, cybersecurity professionals need to be at the table to speak to any vulnerabilities that may be presented as a result. 

“There’s always tension between ease of use and good security,” she explained. “Finding that balance is a collaborative process.” 

At Old Dominion University, Streit meets with admissions leaders every other week to discuss cybersecurity concerns. Rose agreed with the need for collaboration. 

“Admissions counselors need to be talking to their security people. They need to be talking to their CIOs and explaining the issues they’re facing,” he said. Doing so allows the IT teams to become aware of what might make a specific application seem suspicious so that they can look for potential technology solutions. “We obviously don’t expect an admissions counselor to go through 30,000 different applications and be able to spot every single one that is fraudulent.”  

So-called “fake students” can end up in actual classes if they successfully navigate the admissions process, Sussman explained. At that point, professors may be able to alert administration officials via census reporting and progress updates if the “fake students” haven’t completed any assignments. 

“The aggregation of data provides insight. Collaboration between the registrar, dean’s office and the IT professionals can indicate trends as this fraudulent activity continues to happen,” she said.

If Spambots Are Detected

“These are often multistate actors. They could be groups that are supported by nation-states. They could be international cybercrime groups. It’s a business,” Sussman said of those who use spambots. “It’s fraud, so there are a number of things they can do.”

Institutions can report spambots to their local police department, their state attorney general’s office, the Federal Bureau of Investigation and the Federal Trade Commission, which has the Red Flags Rule.