Socure Identifies Highly Organized “Ghost” Students Attacking America’s College System
June 12, 2025

Something strange is happening in America’s community colleges. Professors are calling roll for students who never show up. Online classes are filled with registered students—but many don’t log in, submit an assignment, or respond to an email. These aren’t struggling students. They aren’t dropouts. They aren’t really students at all.

Welcome to the era of ghost students—largely stolen identities engineered to hijack financial aid dollars. They’re flooding the system in growing waves, invisible to faculty but devastatingly real to taxpayers. And what started as a trickle has become a tidal wave.

In 2024, California alone reported that nearly 1 in 3 college applications were fraudulent. Over $13 million in financial aid vanished into the ether in just one year. It has been reported that some colleges flagged more than 70% of their applicants as suspicious. Nationally, the stakes are enormous: nearly $3.2 billion in financial aid hangs in the balance across a system designed to help real people build better futures.

Behind this growing epidemic is a sophisticated network of fraud rings. They operate at scale, leveraging stolen identities, using automation bots, and deploying VPNs and proxy servers to mask their origin. They even deploy AI-generated homework to trick faculty into believing the student is genuinely enrolled—just long enough to secure funding. Then, they disappear.

This isn’t just an education issue anymore. It’s a cybersecurity breach, a mass-scale identity theft operation, and a threat to the very mission of America’s public colleges: open access to opportunity. If we don’t act decisively, these ghosts won’t just haunt classrooms—they’ll siphon resources from the students who need them most and create financial concerns for some college systems.

Socure’s Analysis of College Admission Applications: How the Ghosts Operate

Out of great concern over ghost applicants, several affected colleges asked us to look into the problem. We used Socure’s proprietary Identity Graph Intelligence to perform an analysis of over 6,000 college admission applications either marked as “fraud” or that scored high using Sigma Identity (third-party fraud) and Sigma Synthetic scores (>.99) between Q4 2024 and Q1 2025 from several state college systems.

From our analysis, it appears that each individual college system is being targeted by a single actor, or group. The email, IP, address, and name patterns are too similar within each of the accounts not to be the same group. The table below reflects the signals with the highest difference between the “fraud” and “good”, or non-fraud, populations. As you can see, the “email address that has not been seen before” signal fires almost 97% of the time on fraudulent applications, compared to only 43% of the time for good “non-fraud” identities on an application. Notably, a high percentage of email addresses used in the fraudulent applications were previously exposed in data breaches—likely separate incidents from the breaches where attackers obtained their victims’ names, dates of birth, and Social Security numbers. When the fraudsters created new email addresses for the applications, they often simply chose the Google-suggested email address, for example, firstlast+randomnumber.

The IP and physical addresses used on the applications show similar deltas between the “fraud” and “good” firing rates.

Addresses coupled with the stolen victims’ names, SSNs and DOBs in the applications tended to be more commercial and less residential in nature than the average “good” population, and they were less deliverable (likely because the unit number is missing on the tagged and high-scoring fraudulent applications). The IP address was often connected to a mobile business IP address, especially for two of the college systems. In the “good” non-fraud population, those IP addresses were more associated with residential IP addresses.

Without exception, all of these attacks were far more sophisticated than your average fraud attack. They rarely reuse phone numbers and physical addresses, though duplicates are typically found in coordinated attacks leveraging stolen identities. They are consistent in their use of IP addresses and VPNs to hide their location. The level of effort involved in building each stolen identity is substantial, and we believe that achieving this at scale would only be possible with the help of bots or AI agents.

Because of the heavy use of VPNs, mobile network proxies, and some international IPs found, we believe these attacks are likely coming from outside the United States.

Some of the patterns we saw across the attacks included:

  • Identity Theft vs. Synthetic Fraud: While most of the news reports regarding ghost students suggest that these are synthetic identities, the vast majority of the applications appear to leverage real victims’ personal data rather than fabricated identities. Among the applicants, there was a high prevalence of formal name usage (e.g., 62 instances of “Michael” vs. 2 of “Mike”; 44 of “David” vs. 0 “Dave”; 29 “William” vs. 1 “Will” and 0 “Bill”). The pattern hints that the data was stolen from organizations that require a formal first name for their database. There were 146 cases involving Social Security numbers linked to the deceased.
  • Address Trends: Many of the stolen identities listed addresses that were apartment complexes but didn’t include a unit number. Additionally, the identities did not validate to the address that was listed. Socure’s Address RiskScore reflected a higher rate of fraud than an average population, tied mainly to conflicting mobile IP addresses and phone numbers used on the application.
  • Phone Clues: None of the submitted phone numbers matched applicant names in ownership. Many were VoIP, landlines or wireless phones flagged as “leaked online”. Often, no phone number was provided on the application at all.
  • Email Development: Emails followed predictable patterns to a great extent (e.g. johnsmith89@gmail.com). We believe that many of the Gmail accounts were generated en masse using Gmail’s suggested email formats to help speed development of thousands of new email addresses that matched the applicant’s first and last name. Over 90% of the applications tagged as fraud used an email address on the Gmail domain.
  • IP Address Red Flags: Applications came from VPNs and known bad proxies to further obfuscate their location. There were foreign IPs found as well. Across all five groups of reported and scored fraud data we analyzed, a large majority of IPs were associated with mobile business IP addresses.
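The firing-rate comparison between the “fraud” and “good” populations, and the email, address, phone and IP patterns listed above, can be sketched as follows. This is an added example, not Socure's code or models: the signal names, record fields (including "multi_unit" and "ip_type") and sample applications are all constructed for illustration.

```python
import re

# Constructed sample applications, not real data. "multi_unit" and "ip_type"
# stand in for address-validation and IP-intelligence lookups (assumed fields).
def app(label, first, last, email, address, multi_unit, phone, ip_type):
    return dict(label=label, first=first, last=last, email=email, address=address, multi_unit=multi_unit, phone=phone, ip_type=ip_type)

APPS = [
    app("fraud", "Michael", "Smith", "michaelsmith89@gmail.com", "1200 Oak St", True, "", "mobile_business"),
    app("fraud", "David", "Jones", "davidjones412@gmail.com", "77 Elm Ave", True, "555-0101", "mobile_business"),
    app("fraud", "William", "Brown", "william.brown7@gmail.com", "9 Pine Rd Apt 4", True, "", "vpn"),
    app("good", "Mike", "Lee", "mlee.art@example.edu", "31 Lake Dr", False, "555-0102", "residential"),
    app("good", "Ana", "Diaz", "anadiaz23@gmail.com", "400 Main St Unit 12", True, "555-0103", "residential"),
    app("good", "Sam", "Park", "sparky@example.com", "18 Hill Ct", False, "555-0104", "mobile_business"),
]

UNIT = re.compile(r"\b(apt|unit|ste|suite)\b|#", re.I)

def signals(a):
    """Return the set of hypothetical signal names that fire for one application."""
    local, _, domain = a["email"].lower().partition("@")
    base = (a["first"] + a["last"]).lower()
    fired = set()
    # Suggested-style address: first+last followed by digits at gmail.com.
    if domain == "gmail.com" and re.fullmatch(re.escape(base) + r"\d+", local.replace(".", "")):
        fired.add("suggested_email")
    # Multi-unit building with no unit designator, so likely undeliverable.
    if a["multi_unit"] and not UNIT.search(a["address"]):
        fired.add("missing_unit")
    if not a["phone"]:
        fired.add("no_phone")
    if a["ip_type"] == "mobile_business":
        fired.add("mobile_business_ip")
    return fired

def firing_rates(apps):
    """Per-signal firing rate in each population and the fraud-minus-good delta."""
    out = {}
    for label in ("fraud", "good"):
        group = [signals(a) for a in apps if a["label"] == label]
        for name in ("suggested_email", "missing_unit", "no_phone", "mobile_business_ip"):
            out.setdefault(name, {})[label] = sum(name in s for s in group) / len(group)
    for r in out.values():
        r["delta"] = r["fraud"] - r["good"]
    return out

if __name__ == "__main__":
    for name, r in sorted(firing_rates(APPS).items(), key=lambda kv: -kv[1]["delta"]):
        print(f"{name:20s} fraud={r['fraud']:.0%} good={r['good']:.0%} delta={r['delta']:+.0%}")
```

Each signal also fires for some legitimate applicants in the sample, which is why the comparison is made on rates across populations rather than on any single signal.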

Potential Overlap Across Colleges Analyzed

While some of the fraud patterns were broad enough to suggest the involvement of multiple individuals or groups, our analysis uncovered subtle behavioral overlaps that strongly indicate that all of the attacks we analyzed were orchestrated by the same perpetrators or coordinated groups.

Each of the five college systems we examined exhibited distinct characteristics, but in several instances, we observed notable consistencies—such as repeated use of certain address types, similar email structures, and shared technical infrastructure, pointing to a common origin.

Across all five systems, we saw the same consistency in formal name usage, as well as a prevalence in names common in the U.S., suggesting stolen identities may have originated from the same data breach—likely from a formal institution or database that does not record nicknames.

Given some overlap in addresses, as well as similarities in email formatting, VPN usage, and proxy networks, we believe that at least two of the college systems were targeted by the same fraud actors. These connections, while not conclusive on their own, form a compelling pattern of coordinated fraud activity that warrants further investigation.

Stopping Ghost Students Before They Get Inside

States and colleges are beginning to fight back. Some institutions have already implemented mandatory identity verification at the point of application, while others are weighing the introduction of modest application fees—typically between $5 and $10—as a deterrent against mass bot submissions. However, concerns about access and equity have stalled broader adoption of this approach for now.

A more scalable and accessible strategy lies in the integration of advanced identity verification and fraud prevention technologies directly into college loan and admissions systems. Socure’s Sigma Identity Fraud and Sigma Synthetic models can passively verify whether an applicant is a real student—without creating friction for legitimate users. High-risk applicants are seamlessly escalated through RiskOS, Socure’s orchestration platform, which initiates a document verification (Predictive DocV) process requiring a government-issued ID and a live selfie. At this stage, Device Intelligence is also collected to more accurately determine the applicant’s true geographic location when accessing the college system.

This layered approach is both efficient and highly effective. In our analysis of five state college systems, Socure’s technologies were able to identify up to 98% of fraudulent applications before they would reach the classroom.

If you have not protected your front door using these types of technologies, it is likely these ghost students are a part of your student body. Socure has been working with some colleges to perform a Portfolio Scrub to identify risky identities on the rolls in order to cancel classes for those fake students.

Ongoing Fraud Detection Beyond Enrollment

There is significant potential to implement ongoing fraud detection mechanisms even after a fraudulent applicant has successfully enrolled. To receive financial aid disbursements, fraudsters must not only enroll in courses—they must also appear to participate. This typically requires attending classes and submitting assignments, with professors ultimately needing to issue grades.

Colleges we spoke with told us that AI-powered chatbots are increasingly being used by these “ghost students” to attend virtual classes and submit coursework. This suggests that successful fraud at the college level often requires a “long con”—one that extends well beyond the initial enrollment. The longer the con, the more opportunities there are to detect anomalies and uncover digital footprints left by fraudulent activity.

Opportunities for Detection within IAM Systems

Many colleges detect fraud post-enrollment through their Identity and Access Management (IAM) systems. Once an applicant is admitted and awarded aid, they must create an account, choose an email address, select a multi-factor authentication (MFA) method, and log in. Normally, they must also complete some post-enrollment activities, such as attending classes or submitting papers, to receive their financial aid.

By integrating tools like Socure’s Risk Scores, Device & Digital Intelligence, and Graph Intelligence, colleges can enhance their IAM systems to flag high-risk behaviors in real time. Automated alerts can be triggered when anomalous activity is detected—for example, when multiple student accounts register MFA devices tied to the same phone number in a foreign country.
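The shared-MFA-phone alert described above can be sketched as a check over enrollment events. This is an added example, not Socure's or any IAM vendor's code: the event format, field names and sample events are constructed, and numbers written without a "+" prefix are assumed to be US numbers.

```python
import json
import re
from collections import defaultdict

# Constructed MFA-enrollment events, one JSON object per line. The field names
# are hypothetical and do not follow any particular IAM product's log schema.
EVENTS = """
{"ts": "2025-02-03T10:01:00Z", "account": "s1001", "event": "mfa_enroll", "phone": "+44 7700 900123"}
{"ts": "2025-02-03T10:04:00Z", "account": "s1002", "event": "mfa_enroll", "phone": "+447700900123"}
{"ts": "2025-02-03T10:09:00Z", "account": "s1003", "event": "mfa_enroll", "phone": "+44 (7700) 900-123"}
{"ts": "2025-02-03T11:00:00Z", "account": "s2001", "event": "mfa_enroll", "phone": "+1 202-555-0143"}
{"ts": "2025-02-03T11:30:00Z", "account": "s2002", "event": "mfa_enroll", "phone": "(202) 555-0143"}
{"ts": "2025-02-03T12:00:00Z", "account": "s3001", "event": "login", "phone": null}
{"ts": "2025-02-04T09:00:00Z", "account": "s1001", "event": "mfa_enroll", "phone": "+44 7700 900123"}
"""

def normalize(phone, default_cc="1"):
    """Reduce a phone string to +digits; numbers without '+' get default_cc (assumed US)."""
    digits = re.sub(r"\D", "", phone)
    return "+" + digits if phone.strip().startswith("+") else "+" + default_cc + digits

def shared_mfa_phones(lines, min_accounts=2):
    """Return alerts for phone numbers enrolled as an MFA factor by several accounts."""
    accounts = defaultdict(set)
    for line in lines.strip().splitlines():
        e = json.loads(line)
        if e["event"] == "mfa_enroll" and e.get("phone"):
            accounts[normalize(e["phone"])].add(e["account"])
    alerts = []
    for phone, accts in accounts.items():
        if len(accts) >= min_accounts:
            # "+1" covers the whole North American Numbering Plan, not only the US.
            severity = "high" if not phone.startswith("+1") else "review"
            alerts.append({"phone": phone, "accounts": sorted(accts), "severity": severity})
    return sorted(alerts, key=lambda a: (a["severity"], a["phone"]))

if __name__ == "__main__":
    for alert in shared_mfa_phones(EVENTS):
        print(alert)
```

Normalizing before grouping matters here: the same number written three different ways would otherwise look like three unrelated enrollments.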

Leveraging Professors and Workflow Automation

Instructors also play a role in detecting ghost students. Many institutions rely on faculty to submit suspicion reports when students fail to engage meaningfully. Socure’s systems can augment this process by monitoring identity-related events throughout the student lifecycle—such as suspicious logins, document submissions, or unusual system interactions—and triggering alerts for review.

One partner institution is exploring an advanced integration of their Okta environment with Socure. By embedding Socure’s intelligence into Okta Workflows, they aim to automatically log and respond to high-risk events, creating a proactive and scalable fraud detection framework.

Technology and tools alone aren’t enough. Schools must also ensure they collect complete and consistent identity data during onboarding—including full name, date of birth, Social Security number, physical and email addresses, phone number, and IP address. When possible, institutions should also gather information about the applicant’s device using Socure’s Digital Intelligence. This level of insight strengthens detection, aids investigations, and creates accountability across the system.

The Path Forward

Ghost student fraud isn’t just a passing disruption—it’s a systemic threat to the integrity of higher education. But it is a threat we can defeat. By deploying smarter identity verification, layering in document and selfie authentication, leveraging device intelligence, and fostering inter-agency cooperation, colleges can outpace even the most organized fraud rings.

Community colleges are the launchpad for countless futures—a place where ambition meets opportunity. Letting digital imposters exploit that mission not only drains resources but robs real students of their chance to succeed. With the right safeguards, technologies, and shared vigilance, we can ensure that only legitimate students walk through the virtual doors of higher education.

The goal is simple: real opportunities for real people. And with focused action, we can keep the ghosts on the outside—where they belong.

Mike Cook

Mike Cook is Head of Fraud Insights at Socure and works alongside Data Science, Product, Sales and the Fraud Investigation team to help ensure solution optimization across all the markets Socure serves. Mike has been an innovator in fraud, identity, and credit risk for 40 years and has created several patents for identity risk technologies.
