Colleges have a new worry: ‘Ghost students’—AI powered fraud rings angling to get millions in financial aid

Amanda Gerut is the west coast editor at Fortune, overseeing publicly traded businesses, executive compensation, Securities and Exchange Commission regulations, and investigations.

The “ghost-student” epidemic that has been attacking California’s community college system is infesting the nation, with colleges in Arizona, Indiana, Oregon, New Jersey, and Michigan working to defend their institutions from AI-powered fraud rings trying to blend in with legitimate students heading back to school. 

Synthetic or “ghost” students refers to masses of falsified or stolen identities scammers use to flood college application and enrollment portals with thousands of submissions in minutes—usually during holidays, weekends, or other times admissions

The Department of Education launched a national program in June to root out identity theft at colleges and has required new identity verification steps for the Fall 2025 start of the school year. The DOE found $90 million had been disbursed to ineligible students, including $30 million that went to stolen identities of deceased individuals. 

Kiran Kodithala, founder of tech firm N2N Services and the LightLeap.AI platform that has been rolled out among colleges across the country to ward against ghost students, said the percentage of fraudulent students in California’s community college system is about 26% across 75 colleges and 1.2 million applications. Outside of California, the LightLeap system has found about one in five applications to be a ghost student. That fraud rate applies to 24 non-California colleges with roughly 340,000 applications processed this summer. 

In rural Oregon, officials at Lane Community College are bracing for the fall 2025 onslaught from ghost students, Dawn Whiting, associate dean of enrollment management, told Fortune. The college was first attacked in fall 2022 after it had just launched a new streamlined application process designed to simplify enrollment for students. That weekend, Lane saw about 1,000 applications fly through its system, which was highly unusual for a college with roughly 5,000 students. 

Whiting and her team saw the usual fraud markers—similar area codes, email addresses, and phone numbers across hundreds of applications. Whiting disabled all 1,000 or so student email addresses and required additional identity-verification measures. But the scammers pivoted.

But the fraudsters zig-zagged again. In summer 2024, about 300 applications flowed in all at the same time, said Whiting, and the school dropped all of them from classes. Now, Lane is weighing whether to bring in a third-party AI firm to help strengthen its defenses. Its

“We are open access,” said Colman Joyce, vice president of student services at Lane. “Having students go through more steps to enroll adds more barriers and we’re a community college. A number of our students are not tech savvy when they come here.”

In California, community colleges are required to accept any eligible student and there is no application fee to apply. Kodithala said there’s been debate about whether colleges in other states would see the same attack surges as California, particularly if there were additional hurdles to clear in applying, enrolling, and getting registered for classes such as an application deposit or fee. So far, it runs the gamut with or without a fee in place, he said. In schools outside of California, the rate is about 8%  to 15% fraudulent applications, Kodithala said.  

Craig Munson, Minnesota State’s chief information security officer who oversees 26 community and technical colleges and seven universities, said the state is using AI and has partnered with other schools and security consortiums to find out new tactics ghost students are using to try to infiltrate school systems. 

“Just as we leverage AI to protect ourselves, the attackers also continue to leverage it in new and interesting ways,” Munson said. “It’s sort of like an arms race. Every six months, the attackers tend to stop one way of doing things and move to a different tactic.” 

Munson and others in similar roles declined to comment on the specific fraud markers they’re seeing this fall, but the tactics of fake students a few years ago—which are no longer successful—involved made-up names, randomized email addresses that looked similar, and the same addresses and phone numbers tied to applications over and over again. The attackers have since changed gears. 

For schools, the issue is wrought with complexity. Community colleges are meant to be open-access education institutions, affordable to those looking to get an associates degree, work toward a career change, or pursue a passion. As California has grappled with the ghost student swarms, officials have debated instituting a nominal fee to add friction to the system of applying. 

Minnesota’s system includes three universities that charge a minimal application fee, four that don’t, as well as seven colleges with a fee and 19 that are free. However, Kodithala noted that adding in an application fee invites

“It makes it easier for them to steal because they know that all they have to do is make a payment,” said Kodithala.

Travis Blume, vice president of student affairs and enrollment at Michigan’s Bay de Noc Community College, said the school hasn’t seen hordes of ghost students the way other schools in Michigan have, but he’s prepared if they do. And because the school has only about 2,000 students at its two locations,

As a leader at a community education institution, Blume struggles with the same issues of adding more friction into a system that is meant to be as accessible as possible. “Community college is about getting people in and getting them educated,” he said. 

Still, despite the vulnerability of community institutions against AI-enabled fraud schemes, experts are working to protect the financial aid available to students.

“Fraud in higher-education is something that should be looked at with all seriousness and should be part of an overall risk calculation,” said Minnesota’s Munson. “It’s important to have strong ties with both local and federal law enforcement and with information-sharing groups so that you can get appropriate threat intelligence and be flexible in your responses. As the attackers change, we need to change with them.”