Since August 2024, there has been a significant increase in phishing attacks targeting U.S. universities. Three distinct campaigns have emerged, exploiting trust within academic institutions to deceive students, faculty, and staff. One campaign used compromised educational institutions to host Google Forms for phishing. Another involved cloning university login pages and re-hosting them on attacker-controlled infrastructure. A third campaign targeted staff and students in a two-step process, first phishing faculty credentials and then using compromised accounts to target students. These attacks aim to steal login credentials and financial information, often timed to coincide with key dates in the academic calendar. The campaigns employ various tactics to increase perceived legitimacy and perform payment redirection attacks.