‘Buy me a prepaid VISA’
Be wary of gift card request scams that seem to be from people you know
One of the most recent phishing scams hitting institutions is the gift card scam, sent from a fake email address purporting to belong to a Dean, Department Head or Director.
This is the typical progression of this kind of scam:
- The scammer impersonates the unit head with a fake email address.
- Staff within the unit are sent a generic opening email, such as “Are you available?”
- If they get a response, the scammer gives some excuse about why they can’t be contacted by phone.
- The scammer will then make an urgent request.
- Typically, the request is to purchase iTunes cards or some other gift card.
- If the scammer obtains the numbers on those cards, they can resell them for profit.
This is an example of what is called ‘email spoofing’ in the world of cyber security.
What is Email Spoofing and how does it happen?
Spoofing, or forging a sender’s address, is a form of social engineering, designed to trick the recipient. The recipient is tricked into opening an email attachment, clicking a link or executing a request such as a wire transfer, invoice or other financial request.
Often the “From” address is forged, and the “Reply-to” address is the attacker’s email address. Unfortunately, the innocent person whose email address has been forged cannot do much to protect themselves, so recipients should be wary of responding to suspicious requests.
How do I identify an email spoof?
Recipients of these emails should be wary of the following techniques:
- Unsolicited email involving an online financial service or wire transfer.
- “Soft opening” techniques, such as brief emails asking whether you are in the office today or other seemingly harmless questions.
- Cryptic emails from a VIP stating there is an urgent matter.
- Demanding emails from a customer or vendor asking for a change in banking information or payment requests.
- Attempts to avoid standard procedures, with statements such as “I don’t have time to send a PO or use EPIC.”
- Requests to click links or attachments.
What can I do if I think I’ve received an email spoof?
If you think you have received an email message from a scammer:
- Be careful about replying to the original email with too much information.
- Pay attention to the reply-to address. Is it the same as the “From:” address?
- Call the sender to confirm the request. In some cases, the sender’s email account itself may be compromised.
- Hover over suspicious links to reveal the true destination of the URL.
- Send the email to spam [at] umanitoba [dot] ca or infosec [at] umanitoba [dot] ca for a second look.
- Follow procedure: all wire transfers and financial purchases should be confirmed by phone and follow proper procedures. Regardless of the sender, proper procedures should be followed. Don’t be intimidated by a VIP sender.
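The “From” versus “Reply-to” comparison described above, together with the “soft opening” and gift card wording, can be checked automatically on a saved message. The script below is an added example, not part of the original page; the organisation domain, addresses and both sample messages are constructed placeholders.

```python
"""Flag the spoofing indicators described above in a raw RFC 5322 message."""
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "umanitoba.test"  # placeholder for the organisation's own domain
URGENCY_PHRASES = ("are you available", "urgent", "can't take calls",
                   "gift card", "itunes")

# Constructed sample: a "Dean" display name on a lookalike external address,
# with Reply-To pointing at a different webmail mailbox.
SCAM_EMAIL = """\
From: "Dr. Jane Doe, Dean" <jane.doe@example-mail.test>
Reply-To: deanjdoe.office@webmail.test
To: staff.member@umanitoba.test
Subject: Are you available?

Are you available? I'm in a meeting and can't take calls.
I need you to buy some iTunes gift cards urgently.
"""

# Constructed benign message for comparison.
CLEAN_EMAIL = """\
From: "Jane Doe" <jane.doe@umanitoba.test>
To: staff.member@umanitoba.test
Subject: Agenda for Thursday

Attached is the agenda for Thursday's meeting.
"""

def spoof_indicators(raw, trusted_domain=TRUSTED_DOMAIN):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    findings = []
    # The key check from the page: does Reply-To differ from From?
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To ({reply_addr}) differs from From ({from_addr})")
    # A sender posing as staff but writing from an outside domain.
    if from_domain != trusted_domain.lower():
        findings.append(f"From domain '{from_domain}' is outside {trusted_domain}")
    # "Soft opening", urgency and gift-card language in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("Urgency or gift-card language: " + ", ".join(hits))
    return findings
```

A forged From address on the organisation’s own domain would pass the domain check but still be caught by the Reply-To mismatch, which is why that comparison comes first.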
Remember: Information Security Starts With You!