Hello Scammers, This Is an Applicant — Should I Tell You the SMS Code? — No Thanks, We'll Do It Ourselves

Most high school graduates encounter Russia's government services portal (Gosuslugi) when submitting university applications. This article provides valuable guidance for those facing the university admissions process next year.

This year, I experienced firsthand the admissions chaos as a parent. Early on, I remarked: "If I were a scammer, I'd target applicants." But as the saying goes, "You're not alone in your cleverness — smarter people work in call centers."

Our child's government account was compromised.

Anticipating objections: "He shared the SMS code himself!" Actually, he didn't.

Disclaimer

This describes one specific case involving one applicant at one university. However, the scam methodology applies broadly across various situations and demographics.

Background

The applicant applied to Moscow State University (MSU), which administers Additional Entrance Exams (DVI). Since the applicant held an award from a Level 1 olympiad (11th grade), the exam was automatically credited as 100 points.

The First Call

Scammer: "Hello, this is the admissions office. You're taking the exam tomorrow?"

Applicant: "Hello. I don't need to take it — I'm an olympiad winner."

Scammer: "Oh, right, sorry."

The scammer ended the call. This established psychological "bait." Without asking anything directly, the scammer created the impression of a system glitch. This primed the applicant for emotional manipulation during the second call.

The Second Call

About a week later, before the next exam session:

Scammer: "Hello, admissions office. Why aren't you taking the exam?"

Applicant: "I already told you — mine is automatic!!!" (emotional state triggered)

Scammer: "Our system shows nothing marked. We need to fix this or they might miss your olympiad qualification."

Applicant: "How do I do that?"

Scammer: "Go to the Education Ministry website. Search 'Ministry of Education'..." (the applicant opens the legitimate government site) "...now click here, then here..."

Applicant: "There's no such option!"

Scammer: "You're clicking wrong. Can't find it? Let me call you on WhatsApp — show your screen, I'll guide you."

The applicant enabled screen sharing, and an SMS from the government services platform arrived. The scammer could see the code on the shared screen.

Our Response

The applicant immediately called his parent. Accessing the account from home proved impossible.

Fortunately, the parent was nearby. They grabbed identification and rushed to the Multifunctional Center (MFC). Staff immediately blocked the account, logged out all sessions, and provided an unlock code.

Five Safety Tips

Tip 1: Use the MFC computers to enter your unlock code (it's one-time use). If you make an error at home, you'll need another trip. After unlocking, change your password immediately — don't trust public computers.

Tip 2: Set a security question during registration. Scammers typically reset this after stealing credentials, but if it exists, they'll be forced to act quickly with the stolen SMS session. This constraint works against them.

Tip 3: Enable login notifications for government services.

Tip 4: Establish a code phrase with your child. Even if they recognize your voice calling from your number, requesting any code should trigger: "What did we do last summer?" This verification defeats impersonation.

Tip 5: After registration, disable SMS notifications for government services in contact settings (Android).

What the Scammers Did With Access

While we ran to the MFC, they acted quickly.

In the drafts: a military contract application. However, they failed — the account holder wasn't yet 18.

They made several follow-up calls. The applicant didn't answer, then blocked them. Presumably, they were confused about missing military ID details.

Likely, extortion would have followed: "Now you're enlisting. Unless you don't want to..."

Days later, a ridiculous call from "Dima from the military office" occurred. Simple social engineering betting on luck.

Additional Crucial Information for Applicants and Parents

Your data will be stolen. Period.

Phone numbers, names, target universities — all compromised. Olympiad winner lists are public. Universities publish exam dates and conditions publicly. If a caller seems to know unique application details, they don't. They've accessed open sources and leaked databases.

Universities may legitimately call you.

One institution requested a JPG scan (they couldn't read PDF — apparently it happens). Another needed transcript documentation. Two universities called offering admission without entrance exams, requiring written consent by specific deadlines.

Universities never contact via messaging apps. Save admissions office phone numbers. Verify email addresses against official websites.

Legitimate calls occur well before application deadlines (mid-July calls saying "you must submit by August 1st"). You should never experience pressure: "Urgent! Now! Share your SMS code! Otherwise, you won't get in!"

The correct response: listen, hang up, call the admissions office directly asking, "Did you just call me?"

Postscript

To MSU IT professionals: When listing applicants who must take exams, mark those exempt with "100 points automatic" or any visible indicator. Otherwise, olympiad winners panic seeing themselves listed: "What?! I'm not supposed to take this!" Confusion and stress open doors for criminals.