Fake Aidvantage / MOHELA / Nelnet / EdFinancial / Great Lakes / Navient / PHEAA federal student-loan SERVICER payment-failed lure — "your auto-pay failed / account on hold, update payment within 24 hours or your loan will enter default" targeting 44M+ US federal student-loan borrowers; Oct 2023 payment-resumption chaos (after 3+ year pause) + 2024-2026 SAVE plan court-order ping-pong + post-2022 servicer consolidation (Navient+PHEAA exited, 6M+ moved to Aidvantage, 7M+ PSLF to MOHELA) all primed borrowers for servicer-specific "payment failed" emails; federal-default threat is REAL (destroys credit + wage garnishment + tax-refund blocks); harvests loan account number + SSN + DOB + bank routing (attacker reroutes future auto-pay) + servicer login; distinct from `fake-student-loan-forgiveness-phish` (Round 144, promises forgiveness — opposite attack shape) and iter 932 FAFSA-deadline (targets new applicants)

Fake "your Aidvantage / MOHELA / Nelnet / EdFinancial / Great Lakes / Default Resolution Group federal student-loan auto-pay failed or your account is on hold — update your payment method within 24 hours or your loan will enter default" email targeting the 44M+ US federal-student-loan borrowers. Why this lure converts heavily in 2024-2026: (1) **October 2023 payment resumption** — the federal student-loan payment pause ended after 3+ years, and millions of real "update your payment method" emails went to borrowers who had forgotten their original payment info or whose bank accounts had closed during the pause. The template shape is deeply familiar. (2) **2024-2026 SAVE plan litigation** — the Biden SAVE income-driven repayment plan has been enjoined, reinstated, and partially-enjoined in a rolling sequence of court orders. Borrowers are genuinely confused about which plan they're on and what their required payment is. "Your payment failed" is plausible because it might actually be true this month. (3) **Post-2022 servicer consolidation** — Navient exited federal servicing, PHEAA exited, multiple servicers merged. Aidvantage (Maximus) absorbed 6M+ borrowers; MOHELA absorbed 7M+ PSLF loans. The "you have a new servicer" confusion primed unfamiliar-sender emails to feel legitimate. (4) **Default threat is real and terrifying** — federal-loan default destroys credit for 7 years, triggers Treasury-Offset wage garnishment up to 15%, blocks tax refunds, blocks federal-benefit payments. Borrowers act fast on default threats. Attack harvests: loan account number, servicer-specific login, SSN (required on real servicer account pages so expected on phish), bank routing + account number for fake "immediate payment" (attacker reroutes future auto-pay), date-of-birth (on "verify identity" forms). Post-compromise: attacker reroutes auto-pay to attacker ACH account (victim's next real payment goes to scammer), files fraudulent forbearance/discharge paperwork in victim's name, sells student-loan-identity bundle on dark markets at $200-500 because SSN + DOB + address are included. Distinct from `fake-student-loan-forgiveness-phish` (Round 144) which covers SCAMS PROMISING ILLEGITIMATE FORGIVENESS ("your loan will be forgiven, pay $99 processing fee") — opposite attack shape. Distinct from `fake-fafsa-deadline-lure` (iter 932) which targets NEW applicants filing aid applications — this signal targets EXISTING borrowers with active loan accounts and real servicers. Fires when body references Aidvantage / Maximus Education / MOHELA / Nelnet / EdFinancial / Great Lakes / Default Resolution Group / Navient (legacy) / PHEAA (legacy) / FedLoan / student loan servicer/account/payment / federal student loan / Direct Loan / SAVE plan / IDR plan / Income-Driven Repayment / PSLF / Public Service Loan Forgiveness AND contains payment-failed / declined / rejected / bounced / auto-pay-failed / on-hold / will-default / entering-default / update-within / verify-identity / 24-hour urgency. Excludes aidvantage.com, navient.com, mohela.com, nelnet.com, nelnetinc.com, edfinancial.com, myfedloan.org, pheaa.org, mygreatlakes.org, studentaid.gov, studentaid.ed.gov, ed.gov, fsapartners.ed.gov, maximus.com, ecsi.net, accessgroup.org, plus blanket `.gov` + `.edu` allowance for federal communications. Auto-classified as danger via the `-lure` suffix.