Cyber Criminals Wait Years to Capitalize on Stolen Student Data

A Georgia State University researcher and fraud expert found data exposed in a 2023 cyber attack is just now being used to apply for bank accounts and loans, highlighting the risks of keeping .edu addresses active.

Students and staff who have had their personal data compromised in university data breaches might want to wait longer than a year or two before canceling those credit-monitoring services.

David Maimon, a professor of criminal justice and computer science at Georgia State University who also serves as head of fraud insights at the fraud detection company SentiLink, recently examined onboarding records at a sample of financial institutions and found that university email addresses linked to the 2023 MOVEit Transfer breach are now showing up in applications for new bank accounts and lines of credit — and getting past initial scrutiny.

While part of the typical university response to compromised student data includes a free year of identity-theft monitoring, Maimon, who shared an early draft of his findings with the Center for Digital Education, said his research proves some fraudsters are waiting several years before using trusted institutional data to commit bank fraud.

STUDENT INFO IN FRAUDULENT FINANCIAL APPLICATIONS


Maimon found that bank applications containing breached university data have risen in recent months, especially for Southern Illinois University (SIU), the University of Missouri and institutions within the University System of Georgia.

In early 2025, he said, only 0.3 percent of applications for new bank accounts or lines of credit he reviewed via SentiLink used an .edu email account in their materials. Later in 2025 and into 2026, when fraud activity peaked, that percentage doubled to 0.6 percent. While the percentages are small, he said, they greatly outpace what a bank would typically expect in college student applications.

At one bank, for example, 745 applications tied to people younger than 25 contained Southern Illinois University email addresses (@siu.edu), and 607 of those came in December and January. If legitimate, that would mean nearly 9 percent of SIU’s total undergraduate population (approximately 8,500) submitted applications to the same financial institution, using their school-provided email addresses, within four months.

A similar case occurred with Georgia Institute of Technology email addresses, with one bank receiving 937 applications including @gatech.edu emails in the span of four months. This represents 5 percent of its undergrad population.

Even formal partnerships between financial institutions and higher-education institutions do not yield such results, according to the Consumer Financial Protection Bureau. For example, as of 2023, California State University, Stanislaus, an institution similar in size to SIU, only had 168 student accounts active with its chosen partner financial institution, Wells Fargo.

COMMON TACTICS


Credentials like .edu email addresses are not typically flagged by financial institutions for verification, Maimon said.

“The premise is that if you get a university email address, someone verified your identity,” he said. “Someone saw you, someone touched you, so to speak, so they gave you a .edu email.”

Maimon said fraudsters are also employing techniques like routing applications through residential IP addresses in geographically dispersed areas. They typically do this during work days, and applications come every few minutes, indicating coordinated human-driven activity. In one case, 10 applications from different people using credentials from the same university were submitted over an 80-minute period.

All these factors make the fraudulent activity difficult to detect early, as it bypasses common red flags like late-night applications and simultaneous floods of applications typically associated with bots.

Maimon said it is similar to the phenomenon of exploiting “abandoned identities,” including deceased people or people who have moved out of the country.

“We’re essentially thinking about infrastructure that folks have left behind and that no one is monitoring or using, that the criminals are essentially taking over and using it to facilitate their fraudulent operations,” he said.

Some victims may be former students who still have university emails and know that a breach took place while they were in school, but have since graduated and don’t check those accounts anymore, he said. Students also typically do not have safeguards in place like a credit freeze or basic identity protection plans, sometimes thinking they are not fruitful targets for attackers because they are early in their financial journeys. However, attackers can benefit from opening small lines of credit early with plans to exploit larger lines of credit later on.

“The fraudsters know [students] don’t have any money, but they do know that you have a lot of prospects to have money in the future,” Maimon said. “So what they will do is, they will start using your identity and groom it.”

HOW TO RESPOND


For financial institutions, colleges and students, Maimon found some inconsistencies that could help them respond.

Approximately 12 percent of applications linked to SIU emails listed addresses in Georgia, which is inconsistent with SIU student demographics — a potential red flag for financial institutions.
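
One way a fraud team could screen onboarding records for the two patterns described above: same-university applications arriving minutes apart during the work day, and mailing addresses outside the school's home state. This is an added example, not Maimon's or SentiLink's method; the record fields, the home-state table and the 10 percent out-of-state threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: reference table of each institution's home state (constructed).
HOME_STATE = {"siu.edu": "IL", "gatech.edu": "GA"}

def edu_domain(email):
    """Return the lower-cased domain of a .edu address, else None."""
    domain = email.rsplit("@", 1)[-1].lower()
    return domain if domain.endswith(".edu") else None

def review_edu_clusters(apps, window=timedelta(minutes=80), burst=10,
                        max_away=0.10):  # max_away is an assumed threshold
    """Per .edu domain: peak distinct applicants inside any `window`, and
    the share of mailing addresses outside the institution's home state."""
    by_domain = defaultdict(list)
    for app in apps:
        domain = edu_domain(app["email"])
        if domain:
            by_domain[domain].append(app)
    report = {}
    for domain, rows in by_domain.items():
        rows.sort(key=lambda r: r["ts"])
        peak = start = 0
        for end, row in enumerate(rows):
            while row["ts"] - rows[start]["ts"] > window:
                start += 1  # slide the window forward
            peak = max(peak, len({r["applicant"] for r in rows[start:end + 1]}))
        home = HOME_STATE.get(domain)
        away = sum(r["state"] != home for r in rows) / len(rows) if home else 0.0
        flags = []
        if peak >= burst:
            flags.append("burst")
        if away > max_away:
            flags.append("out_of_state")
        report[domain] = {"peak": peak, "away": round(away, 2), "flags": flags}
    return report

def constructed_sample():
    """Constructed records, not real data: a weekday burst plus normal traffic."""
    base = datetime(2026, 1, 13, 10, 0)  # a Tuesday morning
    apps = [{"applicant": f"A{i}", "email": f"user{i}@siu.edu",
             "state": "GA" if i in (3, 7) else "IL",
             "ts": base + timedelta(minutes=8 * i)} for i in range(10)]
    apps += [{"applicant": "B1", "email": "b1@gatech.edu", "state": "GA", "ts": base},
             {"applicant": "B2", "email": "b2@GATECH.edu", "state": "GA",
              "ts": base + timedelta(days=3)},
             {"applicant": "C1", "email": "c1@example.com", "state": "IL", "ts": base}]
    return apps
```

The default window and burst size mirror the case cited earlier in the article, 10 applications over an 80-minute period; a rule keyed on the email domain catches this slow, daytime pacing that per-second flood detection misses.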

More broadly, he said, financial institutions should understand that .edu emails do not carry the same credibility they once did. He also recommended that schools block access to .edu emails as soon as students using them graduate, and at the individual level, he said students must learn about these phenomena sooner rather than later. Instituting a credit freeze, finding free or affordable identity-theft monitoring and learning about credit are all important steps, Maimon said.

“I’m aware of many, many, many stories of young folks who had to go through hell to restore their identities and make sure that their credit scores are where they should be,” he said.

Abby Sourwine is a staff writer for the Center for Digital Education. She has a bachelor's degree in journalism from the University of Oregon and worked in local news before joining the e.Republic team. She is currently located in San Diego, California.