studentaid.gov actually helps the scammers with this, since it's easy for them to verify if your email address is registered with studentaid.gov. The site should state that it's going to send a password reset IF the email is on file but provide no indication if the email is registered or not. This makes it harder for the scammer to determine the legitimacy of the email.

The email sends a PIN to unlock and access the account. Scammers will ask for the PIN (they start a password lost action), and if that's provided, gives them access to the studentaid.gov account. They tell you it's for verification that you are you, and don't tell you that they are going to log into your account as you.

Sending a PIN to the account probably isn't a good idea, since if you give that PIN to a scammer, they can get into your account. A password reset link would be better, since you would have to have access to the email, and that's not something you could give to a scammer.

Simple changes could help reduce the impact of this scam.