‘Buy me a prepaid VISA’
Be wary of gift card request scams that seem to be from people you know
Over the past month, we have seen a dramatic rise in a fraud scam targeting both students and staff, known as the Gift Card Scam.
The scammer uses a fake email address pretending to be a Professor, Department Head, or Dean and sends an email to subordinates/staff/grad students found on university web sites.
The scam is quite simply social engineering. A brief email of “Are you available?” is followed up with a claim they are very busy, and could the person please go and buy some gift cards and email the pictures of the codes.
The scammer then cashes in the values on the cards and the victim has no recourse to get their money back.
This is the typical progression of this kind of scam:
- The scammer impersonates someone using a fake email address.
- Students or staff are sent a generic opening email, such as “Are you available?”
- If they get a response, the scammer gives some excuse about why they can’t be contacted by phone.
- The scammer will then make an urgent request.
- Typically, the request is to purchase iTunes cards or some other gift card
- If the scammer obtains the numbers on those cards, they can resell them for profit.
This is an example of what is called ‘email spoofing’ in the world of cyber security.
What is Email Spoofing and how does it happen?
Spoofing, or forging a sender’s address, is a form of social engineering, designed to trick the recipient. The recipient is tricked into opening an email attachment, clicking a link or executing a request such as a wire transfer, invoice or other financial request.
Often the “From” address is forged, and the “Reply-to” address is the attacker’s email address. Unfortunately, the innocent victim whose email address has been forged cannot not do much to protect themselves, but recipients should be wary of responding to suspicious requests.
How do I identify an email spoof?
Recipients of these emails should be wary of the following techniques:
- Unsolicited email involving an online financial service or wire transfer.
- “Soft opening” techniques, such as brief emails asking whether you are in the office today or other seemingly harmless questions.
- Cryptic emails from a VIP stating there is an urgent matter.
- Demanding emails from a customer or vendor asking for a change in banking information or payment requests.
- Attempts to avoid standard procedures, with statements such as “I don’t have time to send a PO or use EPIC.”
- Requests to click links or attachments.
What can I do if I think I’ve received an email spoof?
If you think you have received an email message from a scammer:
- Be careful about replying to the original email with too much information.
- Pay attention to the reply-to address. Is it the same as the “From:” address?
- Call to confirm with the sender if in some cases, the email account may be compromised.
- Hover over suspicious links to reveal the true destination of the URL.
- Send the email to spam [at] umanitoba [dot] ca or infosec [at] umanitoba [dot] ca for a second look.
- Follow procedure: All wire transfers and financial purchases should be confirmed by phone and, regardless of the sender, proper procedures should be followed. Don’t be intimidated by a VIP sender.
Remember: Information Security Starts With You!