Gift Card Scams

“Can you do me a favour?”

This is often how a gift card scam begins. If you reply, the next email will ask you to buy a gift card on their behalf. Usually the message says that this needs to be done with some urgency, that they will pay you right back, and that they can’t talk right now.

How Do Gift Card Scams Work?

Gift card scams are prevalent across the world, and we frequently see them at UBC. The way that they usually work is that a scammer will impersonate someone senior at UBC. They will reach out to colleagues and ask if they are free, before usually suggesting that they are too busy to talk in person or by phone but that they need assistance with purchasing one, or multiple, gift cards. Often the scammer will say that the gift card needs to be a physical card, and they need you to scratch the card to reveal the code on the back. Once you do this, you have essentially given cash to the attacker. 

The attacker will spoof the display name so that it appears to be coming from the person being impersonated. Often, a scam will target an entire lab, department or one person’s direct reports. UBC’s organizational structure and directory are openly available on public-facing websites, which makes it easy for attackers to get contact information, or see when there have been new senior hires in faculties and departments. There are safeguards in place to protect UBC against these scams, such as the external email banner, but because the actual content of the email doesn’t contain malicious code, we cannot rely on technology to block these messages. Instead, we have to rely on the diligence of our workforce to know what to look for and to not respond.

 

What to do

If you receive an email like this then do not follow the instructions in the email. Instead, follow these steps:

  1. Do not reply to the sender of the message.
  2. Contact the person whose name appears in the email by using their genuine UBC email address or cellphone to find out if this was a genuine message and, if not, advise them that someone is impersonating them. 
  3. Forward the email as an attachment to security@ubc.ca immediately and notify your colleagues that there is a fraudulent email circulating. 

If you already followed the instructions to purchase a gift card, immediately contact security@ubc.ca for guidance.

 

How do I recognize this type of phishing email? 

Attackers know how to trick you into falling for a phishing message. They particularly target units or departments with new senior leadership (e.g. a new Dean or Director). We see an overall uptick at busy times of the year, with attacks relevant to the time of year (e.g. school start-up or public holidays) as well as attacks taking advantage of current events (Olympics, soccer championships, COVID-19, etc.).

Phishing messages can come in many different disguises, from sophisticated deception to obvious fraud. Watch out for these common characteristics of gift card phishing emails:

  • Non-UBC Email (“CAUTION: Non-UBC Email” indicator at the top of the body of email)
  • Sense of urgency, time constraints, very brief language, poor grammar, spelling or formatting 
  • Writing style that doesn’t match the usual style of the person
  • Requests to purchase one, or multiple, Gift Cards 
  • Display name doesn’t “match” the email address 
  • Email signature doesn’t seem right 
  • Links that don’t look quite right (e.g. www.u-bc.ca instead of www.ubc.ca)

Remember: “Think before you click the link”. If you have any concerns about a message or link, don't open the message or click the link. Instead, forward it as an attachment to security@ubc.ca.
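
The characteristics listed above can also be written down as a triage check for messages that staff report. The following is an added example, not UBC's own tooling: the watched display name, the keyword patterns and the sample message are constructed assumptions, and only single-part plain-text messages are handled.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "ubc.ca"            # institutional domain named on the page
WATCHED_NAMES = {"pat example"}  # assumption: hypothetical senior-staff display names
GIFT_CARD = re.compile(r"\bgift\s*cards?\b", re.I)
URGENCY = re.compile(r"\b(?:urgent(?:ly)?|asap|right away|can't talk|in a meeting)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"]+", re.I)

def in_org(host):
    host = host.lower().rstrip(".")
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)

def lookalike(host):
    # e.g. www.u-bc.ca: outside the org domain, but inside it once hyphens are dropped
    return not in_org(host) and in_org(host.replace("-", ""))

def triage(raw):
    """Return the indicator names found in one single-part, plain-text message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    findings = []
    if not in_org(addr.rpartition("@")[2]):
        findings.append("external-sender")
        # A watched name on an outside address is the display-name spoof described above
        if name.strip().lower() in WATCHED_NAMES:
            findings.append("display-name-mismatch")
    if GIFT_CARD.search(text):
        findings.append("gift-card-request")
    if URGENCY.search(text):
        findings.append("urgency")
    if any(lookalike(urlparse(u).hostname or "") for u in URL.findall(text)):
        findings.append("lookalike-link")
    return findings

# Constructed sample message (not a real email)
SAMPLE = """From: "Pat Example" <dean.office2291@mail.example>
To: staff@ubc.ca
Subject: Can you do me a favour?

I'm in a meeting and can't talk. I need you to buy 3 gift cards right away,
scratch the back and send me the codes. Details: http://www.u-bc.ca/refund
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The output is a list of indicator names for a human reviewer to weigh, not a verdict; a message with none of these indicators can still be fraudulent.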

You can better protect yourself and UBC by following these simple steps: 

  • Have internal processes, such as an expenditure authorization policy in place, for your faculty or department. This policy should establish clear approval levels for any expenditures/payments to safeguard you and UBC.
  • Talk to your team about how they can validate any urgent requests. The most common strategy is for leaders to tell their teams that they can call or text the leader’s cell phone any time of day or night and the leader will respond, even if they’re in an important meeting and cannot be disturbed. (Hint: criminals use the opposite line, “I’m in an important meeting and can’t be disturbed, please reply by email only”, and that’s a big red flag.)
  • Ensure that your entire team knows and understands these policies and processes.
