DEBT RELIEF SCAMS

Student loan forgiveness scam 2026: why nobody legit charges you a fee

As 43 million federal borrowers face a 2026 repayment restart and new rules, the "pay a processing fee to get forgiven" scam is back at full volume. Here is how to read it.

SB

SafeBrowz Threat Research Organization Security ResearchJune 15, 202611 min read

Why this scam is everywhere again in 2026

Confusion is the scammer's best friend, and 2026 handed them a year of it. Roughly 43 million Americans hold federal student loans, and the rules underneath those loans are in open flux. A federal court vacated the SAVE plan rule in March 2026, and the Department of Education began notifying the 7.5 million borrowers enrolled in it that the plan was finished. On July 1, 2026, new provisions take effect that collapse roughly a dozen repayment options down to a handful, and collections on defaulted loans have resumed. Every one of those headlines is a fresh hook for a scammer to dangle in front of a borrower who is genuinely unsure what happens next.

The authorities have been blunt about it. Federal Student Aid (FSA), the office inside the Department of Education that runs the real programs, publishes a standing guide titled "How to avoid student loan forgiveness scams," and its first rule is the one this whole article rests on: you never have to pay for help with your federal student loans. The Federal Trade Commission has run an enforcement push it nicknamed "Operation Game of Loans," and StudentLoanPlanner maintains a running list of the top student loan forgiveness scams to avoid in 2026.

The enforcement record is recent and concrete. In April 2026 the FTC obtained a court order halting an operation that, the agency alleged, pretended to be affiliated with the Department of Education or loan servicers, falsely promised forgiveness that did not exist, and collected at least $8.8 million from consumers in illegal upfront fees, with monthly charges running as high as $1,400. That is not a typo. Real borrowers paid $1,400 a month to a company for a "service" they could have done themselves, for free, in twenty minutes. In September 2025 a separate operation was permanently banned from the debt-relief industry and ordered to turn over assets. State attorneys general, including the offices in Washington, D.C. and California, have published their own consumer alerts on the same pattern.

What the pitch actually sounds like

The wording rotates across calls, texts, emails, social ads, and search ads, but the skeleton is stable. A live caller or a recorded voice opens by sounding like they already know you. They may cite your loan balance, your servicer's name, or your account number, all of which can be stitched together from data brokers and past breaches. Then the offer lands.

• "Congratulations, you qualify for the 2026 federal forgiveness program. To lock in your spot, there is a one-time processing fee of $399."
• "We are a Department of Education-approved enrollment center. Our specialists will handle your paperwork. The documentation fee is $199 plus $49 a month."
• "The Biden forgiveness window is closing on June 30. Act now or you lose eligibility forever. Pay the enrollment fee today to secure it."
• "To verify your account, we need your FSA ID and password so our team can submit the application on your behalf."

Two of those four are advance-fee fraud: pay money up front for a benefit that is free and that the company cannot actually deliver. The fourth is account takeover. Hand over your FSA ID and the caller can log into studentaid.gov as you, change your contact details and bank account, redirect any real refund, and lock you out of your own loans. Some operations do both, charging the fee and harvesting the login.

What the fake sites look like (illustrative)

The web side of this scam leans on lookalike domains and free hosting. A fake "Department of Education" portal or a fake servicer login page crams in words like "studentaid," "fsa," "forgiveness," "relief," or "gov" and then lands on a cheap top-level domain or a free hosting subdomain that no federal agency would ever use. The destination harvests your FSA ID or your card details. The two red examples below are illustrative free-hosting phishing pages, and you can tap either one to run it through the live checker right below. The real federal sites only end in .gov.

• studentaid.gov — the real, official federal aid site (green, safe)
• ed.gov — the real Department of Education (green, safe)
• student-loan-forgiveness-apply.vercel.app — illustrative phishing page (red, tap to scan)
• fsa-id-verify-portal.pages.dev — illustrative FSA ID phishing page (red, tap to scan)

The trick is always the same: an official word appears somewhere in the string, but never as the real registrable domain. A free-hosting subdomain like *.vercel.app, *.pages.dev, *.netlify.app, or *.github.io is not safe just because the platform behind it is well known. Anyone can publish a page there in minutes, which is exactly why scammers do. The true domain is the part immediately before the first single slash after https://. Everything to the left of that is costume.

Red flags that give it away every time

You do not need to understand the rules of every forgiveness program to spot this. The tells are structural.

• There is an upfront fee. This is the conclusive one. Federal law generally prohibits charging an upfront fee for debt-relief services. Federal forgiveness and repayment plans are free to apply for at studentaid.gov. Any "processing," "enrollment," "documentation," or "service" fee, one-time or monthly, means scam.
• They ask for your FSA ID. Your FSA ID is your password to your federal loans. No legitimate company, servicer, or government office will ever ask you to hand it over. Sharing it is account takeover, not enrollment.
• They claim a special government connection. "Department of Education approved," "official enrollment center," "we have a direct line to FSA." There is no such thing as a private company that is specially authorized to process your federal forgiveness. You go directly to the source.
• There is a countdown. "The program ends June 30," "this is your last chance," "act in the next hour." The real programs run on their own timelines and are not gated by a phone call you have to answer right now. Urgency is the lever.
• They promise instant or total forgiveness. No one can promise immediate or full forgiveness of your loans. Real programs like Public Service Loan Forgiveness and income-driven repayment forgiveness have eligibility rules and timelines that no salesperson can shortcut.
• They want you to sign a power of attorney or "third-party authorization." This lets the company act on your behalf and cut your servicer out of the loop, so you stop seeing the real notices. Do not sign control of your loans over to a stranger who cold-called you.
• The payment method is odd. Gift cards, wire transfer, crypto, Venmo, Zelle, or Cash App for a "government program" is conclusive. The Department of Education does not collect fees this way, because there is no fee.
• The link is not a .gov domain. The real federal sites end in .gov only. A .com, .org, or a free-hosting subdomain claiming to be FSA or the Department of Education is not the real thing, no matter what words it contains.

What SafeBrowz sees on the network

When the SafeBrowz engine examines a fake forgiveness portal or a cloned FSA login page, the structure of the attack is consistent enough to read across all three detection layers. A few patterns stand out.

First, the domains are young, and many sit on free hosting. The destination behind a forgiveness ad or text is often a domain registered within the last few weeks, or a subdomain spun up on a free platform like vercel.app, pages.dev, or netlify.app. No legitimate federal aid portal lives on free hosting or is days old. Layer 1 treats a government-impersonation page on a free-hosting subdomain as suspicious by default, because the platform root being well known never makes an arbitrary subdomain safe.

Second, the structure is a keyword sandwich. The string carries "studentaid," "fsa," "forgiveness," "relief," or "gov" plus a transactional word, then resolves on a host that is not the real .gov registrant. The federal name living anywhere except the genuine registrable domain is itself the signal. SafeBrowz keeps the real federal aid and Department of Education .gov domains in its brand database, so a login form that wears their name on any other host stands out.

Third, Layer 2 cross-references the destination against Google Safe Browsing, PhishTank, URLhaus, and ScamAdviser feeds, plus domain-age lookup and a watchlist of cheap scam TLDs. Many forgiveness-phishing domains surface here once they have been reported, even before content is analyzed.

Fourth, the page content gives itself away. A fake federal seal, a "Confirm your FSA ID to apply" headline, a credential form, and a payment box, all served from a non-.gov host, is a textbook brand-impersonation profile. Layer 3 content analysis catches the impersonation even when the domain is brand new and absent from every blocklist, including pages written in languages other than English to reach borrowers in different communities.

Which brands the attackers clone next

Phishing crews follow the path of least friction: any name a borrower already trusts and is told to log into. The Department of Education and FSA are the obvious wrappers, but the believable next pivots are predictable, and a few are already in rotation.

• Federal loan servicers. The companies that actually bill borrowers, such as MOHELA, Nelnet, Aidvance (EdFinancial), and others, are prime clone targets. A fake "your servicer" login is a direct path to your account.
• StudentAid.gov itself. A pixel-perfect clone of the real federal login is the highest-value FSA ID harvester, because the real site is where the money and the refunds actually move.
• Public Service Loan Forgiveness (PSLF) branding. PSLF is genuinely open and confusing, which makes a fake "PSLF eligibility check" portal especially convincing to nonprofit and government workers.
• Repayment-plan selection pages. With borrowers forced to pick a new plan after July 1, 2026, expect fake "choose your new repayment plan" portals that harvest the FSA ID at the "log in to continue" step.
• Refund and "overpayment" notices. A fake "you are owed a loan refund, verify your bank details" message reuses the same emotional template in reverse and goes straight for banking data.

The defense does not change brand to brand. The name on the page is interchangeable; the structure of the attack, a federal-or-servicer login wearing the wrong domain, is not. That is the whole reason a structural defense beats a per-brand one.

Why browser-side detection beats email and call filtering alone

Call blockers and email filters do real work, but they are fighting the message, and the message is the cheapest part of the operation. Attackers churn through phone numbers, burner email accounts, and fresh ad creatives daily. They keep the pitch on the phone where no filter can read it. They buy search and social ads that put a fake "apply for forgiveness" page at the top of results, which no spam filter ever sees. A filter that misses one in a thousand still lets through plenty when the campaign reaches millions of borrowers at exactly the moment they are anxious about repayment.

The thing that does not change is the destination. To steal anything, the scam has to land you on a page that impersonates the Department of Education or your servicer and asks for your FSA ID or a card number. That page is where the attack is actually committed, and that page is what a browser-layer scanner inspects directly. When you tap the link, a browser extension can recognize that the page is impersonating a federal agency or a servicer on a non-.gov host, or sitting on free hosting, and block it before the form ever loads, regardless of which call, ad, or email delivered it. The call blocker and the browser layer are complementary, but the browser layer is the one standing where the credentials are taken.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

• Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (including the federal aid and Department of Education .gov domains, plus Cyrillic and Punycode homograph variants) + community whitelist/blacklist, all running directly in the extension before the page renders. It flags government-impersonation keyword patterns on non-.gov hosts, free-hosting subdomains wearing a federal name, and cheap-TLD abuse instantly.
• Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, and ScamAdviser, plus domain-age lookup (most forgiveness-scam destinations are less than 30 days old) and 30+ scam TLDs.
• Layer 3 - AI deep scan: content-aware brand-impersonation analysis in 100+ languages catches a brand-new FSA or servicer lookalike that no blocklist has seen yet, including credential-harvest pages built to mimic the real federal login.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

For people who do not want to install anything, the same engine powers the free public URL checker. Paste any link from a forgiveness call, text, or ad and get a verdict in seconds.

What to do right now

If a forgiveness pitch just reached you, here is the whole correct response.

1. Do not pay a fee, ever. Federal forgiveness and repayment programs are free. The moment money is requested up front, the conversation is over. Hang up, delete the text, close the ad.
2. Never share your FSA ID. Your studentaid.gov login is yours alone. No servicer, company, or government office needs your password to do anything legitimate.
3. Go straight to the source. Open a new browser tab and type studentaid.gov yourself. Everything you can be enrolled in, every forgiveness program, and your real loan details are there, free. The Department of Education's own site is ed.gov.
4. Call your real servicer from the official site. Find your servicer's phone number by logging into studentaid.gov, not from the number a caller gave you. If you are unsure who your servicer is, studentaid.gov tells you.
5. Report it. File with the FTC at reportfraud.ftc.gov, send feedback to Federal Student Aid through the official channel on studentaid.gov, and file a complaint with your state attorney general. Include the company name, the number, and any link.

If you already paid a fee, dispute the charge with your bank or card issuer right away and ask about a chargeback. If you paid by gift card, wire, or crypto, report it to the FTC immediately and contact the payment provider, because speed matters. If you handed over your FSA ID, log into studentaid.gov from a device you trust, change your password at once, check that your contact details and bank account on file have not been altered, and turn on two-factor authentication. If you shared your Social Security number or full personal details, go to identitytheft.gov for a step-by-step recovery plan and place a free fraud alert with one of the credit bureaus. Our full "I got scammed, what do I do now" walkthrough covers the first-hour playbook in detail.

How real federal forgiveness actually works

The clearest defense against the scam is knowing the genuine path, because it is short and free. Every legitimate federal forgiveness and repayment program is applied for directly at studentaid.gov, at no cost, with no middleman. Public Service Loan Forgiveness, income-driven repayment forgiveness, borrower defense, and total and permanent disability discharge are the major programs, and as of mid-2026 they remain open and processing applications. You sign in with your own FSA ID, you fill out the form yourself, and you keep working with your assigned servicer. There is no "approved enrollment center," no fee, and no special connection that anyone can sell you. If a company offers to do for a fee what you can do for free in under half an hour, the fee is the entire product.

Frequently asked questions

Do I have to pay a fee to get my student loans forgiven?

No. Federal student loan forgiveness and repayment programs are always free to apply for, and the only official place to do it is studentaid.gov. Federal law generally prohibits charging an upfront fee for debt-relief services. Anyone charging a "processing," "enrollment," "documentation," or "service" fee for forgiveness is a scammer. The FTC has repeatedly shut down operations that collected millions in exactly these illegal fees.

A caller knew my loan balance and servicer. Doesn't that prove they are official?

No. Scammers buy and trade personal data from brokers and past breaches, so knowing your balance, your servicer's name, or your account number is not proof of legitimacy. It is a tactic to build trust fast. Never act on a call, text, or email about your loans. Hang up and log into studentaid.gov yourself to see your real account.

Is it safe to give a company my FSA ID so they can apply for me?

No, never share your FSA ID. It is your password to your federal loans. A company with your FSA ID can log in as you, change your contact and bank details, redirect refunds, and lock you out. No legitimate servicer or government office will ever ask for your FSA ID. If you already shared it, change your password at studentaid.gov immediately, check your account details, and turn on two-factor authentication.

The message said the forgiveness program is ending soon. Is that true?

Treat any "act now or lose eligibility" deadline as a pressure tactic. The real federal programs run on their own timelines and are not gated by a phone call or ad you must respond to immediately. Policy is changing in 2026, but the way to learn what applies to you is to read it directly at studentaid.gov, not to pay a stranger who is rushing you.

What does a real federal student aid website address look like?

Real federal sites end in .gov. The official aid site is studentaid.gov and the Department of Education is ed.gov. Any address ending in .com or .org, or a free-hosting subdomain such as one ending in .vercel.app, .pages.dev, or .netlify.app, that claims to be Federal Student Aid or the Department of Education is fake, even if the words "studentaid," "fsa," or "forgiveness" appear in the link.

I already paid a forgiveness company. Can I get my money back?

Possibly. Dispute the charge with your bank or card issuer and ask about a chargeback. If you paid by gift card, wire, or crypto, report it to the FTC at reportfraud.ftc.gov immediately and contact the payment provider, because recovery depends on speed. In some enforcement cases the FTC has returned money to harmed consumers, so filing a report also helps you appear in any future refund program.

How do I report a student loan forgiveness scam?

File a report with the FTC at reportfraud.ftc.gov, send feedback to Federal Student Aid through the official channel on studentaid.gov, and file a complaint with your state attorney general's office. Include the company or caller name, the phone number or email, any link, and screenshots. If your identity may be exposed, also start a recovery plan at identitytheft.gov.

Install SafeBrowz free

Add the browser extension that runs every check in this article automatically, on every page, before it renders. Free forever.

Add to Chrome Add to Firefox Add to Edge