RamWeb banking information editing capability disabled due to phishing scam

Samantha Ye

body of csu email
A recent phishing attempt designed to gain University login credentials targeted students at Colorado State University and other universities, according to an email sent out by the CSU Public Safety Team.

Colorado State University is currently re-evaluating security in regards to the recent phishing attacks against CSU students.

This re-evaluation includes restricting the ability to edit student bank account information on RamWeb. 


Phishing is the practice of sending fraudulent emails or other communications in an attempt at convincing individuals to reveal personal information, such as passwords and credit card numbers, according to Phishing.org.

A CSU Public Safety Team email sent out Sunday alerted the campus of a phishing attack targeting students for the RamWeb login information.

The University disabled the ability to edit banking account information as soon they learned of the phishing attacks, said Lynn Johnson, vice president for University operations.

The phishing attempt appeared to be after money, and the best way to get money is by getting access to students’ RamWeb accounts, Johnson said. The attacker can then edit the student’s banking account information and reroute any potential financial aid deposit refunds to an account the phisher can access.

These phishing emails attempted to gain access to students’ RamWeb account by sending them to a fake webpage resembling a University page and having them enter their login information.

One example of such an email, posted on a RamWeb notification, alerted students their eBill is available online and asks them to log in and view their statement even if they had viewed it previously that week.

Another example told students they have been awarded financial aid and to view their rewards on RamWeb.

The University is working to find a way to let students edit their information through other ways, possibly paper, and will be getting that information out as soon as possible, University officials said. The ability to edit that information online may or may not return.

“Because there was no RamWeb security issue — it was just simply that someone got access to someone’s login credential — I think we (have) to evaluate that,” Vice President for Enrollment and Access Leslie Taylor said.


Students whose account information did not change in the concerning time frame will still receive their refund checks as normal, Johnson said. If there were changes, the University will reach out to verify it was a student-authorized change.

Although phishers probably wish to zero-in on students more likely to receive such refunds, Johnson said it is unlikely the phishers will have any way to access that data.

Other sensitive information on student’s account such as Social Security numbers or the actual bank account information are partially hidden with asterisks on RamWeb, so attackers would not be able to learn those even if they accessed the account.

Taylor said the pool of targeted students appears relatively small at the moment, though it is impossible to tell how many students simply were sent an email and did not act on it. phishing email text

As of now, the University believes about a dozen students were affected by or received the phishing emails, Taylor said.

The University discovered the phishing attack after one student reported a change in their account information which they did not make and another student forwarded the University the actual phishing email they had received.

Further communication with other universities revealed this attack occurred at various other institutions in a similar manner.

The CSU Police Department is currently investigating.

phishing email text
The phishing emails used falsified return addresses, official University graphics, and included official CSU links, to trick students into thinking the email was sent from the University. But, the main webpage they would route to would have a slightly altered URL and ask for student login information. (Images courtesy of CSU)

The emails, using falsified return addresses, appeared to be from CSU, used official University graphics and included official CSU links. However, the main webpage they would route to would have a slightly altered URL.

“From the enrollment and access side of things, our immediate response was to make sure students were taken care of and … from the business and financial side we really wanted to make sure no students are missing money that should’ve been dispersed,” Taylor said. “Taking care of students was our main focus and the most important thing to do right away.”

Any student who thinks they may have lost money or had their account compromised are encouraged to contact CSUPD at  970-491-6425 or the Information Security team at soc@colostate.edu.

Collegian reporter Samantha Ye can be reached at news@collegian.com or on Twitter @samxye4.