Gift Card Scams
Gift Card Scams
Here is how it works...
“Can you do me a favour?”
“Quick task for you...”
This is often how a gift card scam begins. If you reply, the next email will ask you to buy a gift card on their behalf. Usually this needs to be done with some urgency, they will pay you right back, and they can’t talk right now.
These emails are not what they seem to be and are – most likely – illegitimate and fraudulent! They are impersonating someone to try to trick you into doing something for them. This is a type of phishing.
What to do
If you receive an email like this then do not follow the instructions in the email. Instead, follow these steps:
- Do not reply to the sender of the message.
- Contact the person whose name appears in the email by using their genuine UBC email address or cellphone to find out if this was a genuine message and, if not, advise them that someone is impersonating them.
- Forward the email as an attachment to email@example.com immediately and notify your colleagues that there is a fraudulent email circulating.
If you already followed the instructions to purchase a gift card, immediately contact firstname.lastname@example.org for guidance.
How do I recognize this type of phishing email?
Attackers know ways to trick you into falling for a phishing message. They particularly target units or departments with new senior leadership (i.e. a new Dean or Director) and we see an overall uptick at busy times of the year with attacks relevant to the time of year (i.e. school start-up or public holidays) as well as taking advantage of current events (Olympics, soccer championships, COVID-19, etc.).
Phishing messages can come in many different disguises, from sophisticated deception to obvious fraud. Watch out for these common characteristics of gift card phishing emails:
- Non-UBC Email (“CAUTION: Non-UBC Email” indicator at the top of the body of email)
- Sense of urgency, time constraints, very brief language, poor grammar, spelling or formatting
- Is the email written in the usual style of the person?
- Requests to purchase one, or multiple, Gift Cards
- Display name doesn’t “match” the email address
- Email signature doesn’t seem right
- Links that don’t look quite right (e.g. www.u-bc.ca instead of www.ubc.ca)
It is important to understand that gift card scams are prevalent across the world, and we frequently see them at UBC. The way that they usually work is that a scammer will impersonate someone senior at UBC. They will reach out to colleagues and ask if they are free, before usually suggesting that they are too busy to talk in-person or by phone but that they need assistance with purchasing one, or multiple, gift cards. Often the scammer will say that the gift card needs to be a physical card, and they need you to scratch the card to reveal the code on the back. Once you do this, you have essentially given cash to the attacker.
The attacker will spoof the display name so that it appears to be coming from the person being impersonated. Often, a scam will target an entire lab, department or one person’s direct reports. UBC’s organization structure and directory is openly available on public-facing websites, which makes it easy for attackers to get contact information, or see when there have been new senior hires in faculties and departments. There are safeguards in place to protect UBC against these scams, such as the external email banner, but because the actual content of the email doesn’t contain malicious code, we cannot rely on technology to block these. Instead, we have to rely on the diligence of our workforce to know what to look for and to not respond.
You can better protect yourself and UBC by following these simple steps:
- Educate yourself by regularly checking new content on the Privacy Matters website and attending “Focus on” sessions.
- Have internal processes, such as an expenditure authorization policy in place, for your faculty or department. This policy should establish clear approval levels for any expenditures/payments to safeguard you and UBC.
- Talk to your team about how they can validate any urgent requests. The most common strategy is that leaders tell their teams that they can call or text their cell phones any time of day or night and the leader will respond – even if they’re in an important meeting and cannot be disturbed (hint: this is a tactic used by the criminals “I’m in an important meeting and can’t be disturbed, please reply be email only” – that’s a big Red Flag)
- Ensure that your entire team knows and understands these policies and processes.