From Ann Arbor to San Diego, a wave of phishing texts, emails, and calls has turned student and faculty phones into the entry point for campus-wide breaches. These are real cases — and the question is no longer if your campus is next, but when.
Eighteen campuses, one phishing kit. From April to November 2025, one crew used the Evilginx toolkit to clone campus sign-in pages and steal the session cookies that defeat multi-factor authentication, hijacking student accounts even where MFA was switched on.
The University of Michigan ranked among the campaign's top five targets. Branded links sent by text and email funneled students to look-alike sign-on portals; one tap on a phone handed attackers a live session.
UC Santa Cruz and UC Santa Barbara topped the same target list; the University of San Diego was the first confirmed victim on April 12, 2025, and Virginia Commonwealth University rounded out the top five. On phones, shortened links hide the cues that tip off desktop users.
Harvard University fell to a phone-based vishing call in late 2025 that exposed alumni and donor systems. Smishing warnings at Montclair State and account-hijacking phishing at Cal State Long Beach prove every tier of higher ed is a target.
The University of Pennsylvania was hit twice in autumn 2025. Attackers used social engineering to steal a single sign-on login that was exempt from MFA, then blasted an offensive email from official Penn addresses.
Princeton University lost an Advancement database in November 2025, spilling alumni, donor, and student contact details that fuel the next wave of targeted phishing texts.
Texas Tech Univ. Health Sciences Center — SSNs, medical & financial data (2024)
Columbia University systems breached (2025)
University of Phoenix records compromised (2025)
And it scales: one supply-chain attack on the MOVEit file-transfer tool reached roughly 900 U.S. institutions through the National Student Clearinghouse.
On-device AI detects zero-day threats with no cloud lookups — and keeps working offline.
Absolute on-device privacy: sensitive personal data never leaves the phone.
Stops phishing, malicious apps, and network and device attacks — all four threat vectors.
Recognized as a Leader in the Forrester Wave for mobile threat defense.
All information provided herein is non-confidential and is in the public domain and readily available to any interested party.