Exam fraud has become a coordinated, multi-platform industry. Brand protection in the examinations sector is still relying on legal letters and manual scrolling. It’s time for a cyber-led approach.
Spend ten minutes in the right corners of Facebook, Telegram, TikTok, even Chinese-focused platforms like RedNote, and you can find offers to pay your way past almost any major language-proficiency or professional-certification exam. Not a study guide, but the outcome itself. Fake certificates printed to spec. “Guaranteed” score upgrades. Individuals soliciting leaked exam content. Accounts impersonating official test providers, logos and lookalike domains included, harvesting candidate data and payments along the way.
Despite not getting a lot of airtime, exam fraud isn’t a nuisance on the fringes of the examination and education industries. Academic fraud (diploma mills, fake degrees, contract cheating and the services around them) is now estimated to be worth around $21 billion a year globally. Degree fraud alone has been described as a roughly $7 billion international industry, with millions of fake certificates already circulating the job market, many sitting undetected in HR files for years. And the supply is industrialising: in an April 2025 survey, 67% of large employers reported a rise in job-application fraud, much of it attributed to AI tools used to fabricate qualifications.
For an exam program, every one of those fraudulent credentials is your name on a worthless certificate. The exams that gatekeep immigration, university admission and professional licenses are exactly the ones worth attacking – and, for the most part, the sector has been left undefended.
The threat is growing, and it's aimed at your candidates
Cheating that used to be opportunistic is now commercial and scaling. A systematic review of decades of research estimated that as many as one in seven recent graduates may have paid a third party to complete their work – potentially around 31 million people worldwide – with the share admitting to it climbing to 15.7% in studies since 2014.
More pointed for any organisation running a language exam: research into commercial contract cheating found that having a first language other than English was the single strongest predictor of a student paying for it. The population most exposed to this market is, by definition, the population sitting English-language proficiency tests or trying to gain professional qualifications in the anglosphere where English is not their first language. The demand is concentrated in the sector rather than incidental to it.
How modern exam fraud actually operates
The defining feature of today’s threat isn’t volume. It’s coordination – and the exam sector’s own institutions have started to say so plainly.
The Joint Council for Qualifications, which represents the UK’s largest exam boards, has reported a rise in social media accounts selling what they claim are genuine exam papers across Instagram, TikTok and Snapchat – and noted that these accounts usually trace back to a single person running many profiles, rather than a crowd of separate sellers. Advertised prices for a single paper have run from a few pounds to several thousand (across our own clients we’ve seen certificates for sale from $500 USD up to $5,000 USD).
The scale on any one platform is its own warning. During a single recent exam season in Kenya, a multi-agency investigation by the national exams council and criminal investigators identified more than 30 separate social-media platforms being used to sell and share exam material, and arrested the administrators behind Telegram groups with followings in the tens of thousands.
This is the pattern everywhere now. A single operator no longer runs a single page. They run a campaign with parallel accounts across multiple platforms, each under a different identity, all funnelling traffic back to the same fraudulent infrastructure. To a keyword scanner, that reads as several unrelated, low-priority hits. In reality it’s one adversary, one set of infrastructure, and one problem that has to be solved across every surface at once or it simply regrows.
The fraud lives wherever candidates already are: mainstream social networks, encrypted messaging, short-video apps, regional platforms serving specific immigration corridors, and a constantly rotating supply of malicious domains. No single platform, and no single takedown, contains it.
Why the current legacy playbook keeps losing
Two incumbent approaches dominate, and both were built for a different problem.
The first comes from the exam-proctoring vendors – e.g. the companies that control what happens inside the exam room. Online detection and takedowns are offered as a bolt-on, not a core capability, and the underlying method is usually script-based keyword monitoring. That fails in two directions at once: it misses anything that doesn’t match a brittle keyword list, and floods the client with false positives on everything that coincidentally does. It has no concept of who is behind a post, whether two listings are the same actor, or how a campaign is structured.
The second is the manual, legal enforcement model: cease-and-desist letters, DMCA notices, and paralegals or low-cost teams scrolling the web by hand to find and report infringements. It’s slow, it doesn’t scale, and it catches a fraction of the abuse. When exam boards do manage to shut down a fraudulent operation, it has typically taken a court order against a single target – UK exam boards, for instance, secured a High Court injunction to close one website selling fake GCSE and A-level certificates, but described it as just one step in an ongoing campaign against a trade that keeps throwing up such sites. Meanwhile testing authorities are reduced to publicly warning candidates about fraudulent Telegram channels and insisting they are being blocked — even as aspirants point out that the same operators keep running for weeks. Letters and injunctions move at the speed of legal process; the fraud moves at the speed of a new account.
Neither approach reckons with the networked reality of the threat. They treat each infringement as an isolated item in a queue, when the actual problem is shared infrastructure operated at scale. The threat has become technology-driven and organised. The response has stayed process-driven, manual and reactive. That gap is where the fraud thrives.
A cyber problem deserves a cyber response
If the adversary operates like a coordinated network, the defence has to think like one too: continuous automated detection instead of periodic manual sweeps, enforcement that moves at the speed of the abuse rather than the speed of legal process, and intelligence that links individual listings back to the actors and infrastructure behind them.
(unphish platform dashboard)
That’s the principle unphish is built on. A few things make the difference in practice:
Detection that understands context, not just keywords. unphish runs a five-layer framework: large-scale data aggregation across web, social and messaging platforms; rule-based filtering; machine-learning classification; generative-AI contextual reasoning to interpret intent and strip out noise; and human validation before any action. The result is high-fidelity detection that catches disguised, sophisticated fraud while keeping false positives low – the opposite of a keyword script.
Enforcement through the platforms, not the courts. Rather than relying on legal letters, unphish removes infringing content directly through back-channel enforcement partnerships with the platforms themselves – this lets us remove these IP infringements before they’ve done the damage that matters.
Campaign intelligence, not a list of links. Because unphish maps actors across platforms, it can recognise when a dozen “separate” listings are one operator on shared infrastructure, and dismantle the campaign rather than chasing its symptoms one by one.
The sector is overdue for this
The economics of exam fraud aren’t going to soften. The credentials are valuable, the candidates are motivated, the demand is concentrated in exactly the populations these exams serve, and the platforms hosting the abuse keep multiplying. What’s been missing is a defence designed for the threat as it actually exists today. A defence that is coordinated, automated and everywhere at once, rather than for the slower, more localised problem of a decade ago.
The certification and language-testing industry has been one of the last serious sectors to be left behind on brand protection. The right strategy now isn’t more letters and more manual scrolling. It’s a cyber- and technology-led approach that detects continuously, enforces directly, and treats fraud as the networked operation it has become.