Be Aware of Gift Card Scams and Other Phishing Attacks

What are Gift Card Scams?

The story starts with an innocent-looking email from a supervisor, colleague, or friend asking for your help.  They tell you a tale about how they need some gift cards for gifts to family, friends, potential donors, etc.  Unfortunately, they are unable to make the purchase themselves; could you help them out?  And of course, it is an emergency, so please do it as quickly as possible.  Did you just fall for a gift card scam? [1]

Why are we seeing this all of a sudden?

Across academia and the corporate world, we have seen an increase in this type of attack, most likely because it works and is hard to trace.

It isn't exactly new, though.  We have seen this same type of attack come in the form of wiring money, sending a check, or helping pay for an emergency operation.  And then there are the Nigerian Prince or 419 scams that have been around forever [2].

How do I spot scams in the future?

I like to say that there are generally two types of phishes: things that are too good to be true, and things that are too bad to be true.  Regardless of which one you are seeing, it always comes with an emergency and asks you to act quickly.  For the most part, humans are helpful creatures, and we respond to emergencies.  We want to help out, and sometimes forget to fact-check before we do.  The scammers know this, and are taking very lavish vacations with our money because of it.

If the email says it needs to be immediate, you should have a big red flag waving in the back of your mind.  If the person really needed something immediately, why would they email?  Wouldn't they call you on the phone or stop by your office?  If it is a phone call, try calling them back on a known good number (not the fake one they just gave you over the phone).  When spending a large sum of money, you really want to make sure it is correct.

If your boss or colleague makes a habit of sending emergency emails, have a chat with them about why that isn't such a good idea.  Come up with a procedure and stick to it.

Check with a colleague or friend.  If you have even the slightest amount of suspicion, just ask someone to take a look and get their opinion.  It is better to err on the side of caution.

How do I learn more?

Glad you asked.  Take a look at the Institute for Advanced Study's Information Security website at https://security.ias.edu.  You'll find articles like this one, my Twitter feed, lists of resources for free-to-cheap Information Security Tools, and more.  Take a look at our phish-bowl, which houses a large number of sample phishing emails that we've received in the past.  Did you get a phish?  Send us a copy at phish@ias.edu.  You can find security awareness seminars from years past and more.  You can also follow me on Twitter!

If you are IAS Faculty or Staff, you can contact me about setting up a Security Awareness Seminar for your group as well.

Stop.  Think.  Connect.

So remember, you are our first line of defense.  Stay aware and diligent in finding scams to keep us all protected.

Safe Computing,
Brian

[1] https://www.consumer.ftc.gov/articles/paying-scammers-gift-cards
[2] https://www.psychologytoday.com/us/blog/out-the-ooze/201808/why-we-still-fall-the-nigerian-prince-scam