Gift Card Scams – “Sorry to bother you”
An increasingly common social engineering attack is targeting Sciences faculty and staff.
The setup
- The attackers use organizational charts, web pages, online directories, LinkedIn, and other sources of information to determine reporting relationships.
- They create an email address that looks like it might plausibly be the personal email address of a leader or manager (e.g., ChrisMcGahan@gmail.com) or that at a glance looks like an NC State email address (e.g., mcmgaha.ncsu.edu@gmail.com)
Targets
- Faculty or other professionals who report to someone in leadership, such as the Dean, a department head, director, or manager .
The attack
- “Are you available?” or “Sorry to bother you”
The attacker sends an email masquerading as the leader or manager using the fake email address they created, asking a subordinate if they are available. They may also start with a request, often starting with “sorry to bother you” - “I need a favor”
When the victim responds, the attacker engages in a dialog with them in which the attacker tells them they need an urgent favor. They claim they need help because they are tied up in a meeting or event, or have some other crisis. - “I urgently need gift cards”
It’s often framed as a personal favor (gift card for a family member) but may be something work related (gift card for event, contest, or compensation to research subjects) - “You can’t reach me right now”
Attackers will provide excuses such as being unable to use their cell phones or step out of an important meeting. They want to prevent the victim from attempting face-to-face contact or initiating phone contact with the real person. - “Buy me gift cards”
Ultimately, the attacker tries to get the victim to purchase gift cards, with the promise that they’ll be paid back. - “Give me the PIN”
If the victim purchases the gift cards, the attacker gets the victim to read them the activation codes and PIN numbers from the cards
The outcome
The victims lose their money. There is no recourse once a gift card has been used.
What to do
If you have been the victim of this scam, don’t feel bad – it happens to a lot of very intelligent people. The attack preys on our natural tendency to be helpful and to be deferential to someone in power. It’s human.
As soon as you realize it, contact Campus Police at 5-3000 and make a report. You should also notify your supervisor. You should file a complaint with the FBI’s Internet Crime Center. (You can do this online.)
If you used a PCard to make an illegitimate purchase, you should immediately contact your supervisor and your business officer for guidance.
How to protect yourself and your coworkers
Confirm
- Always look carefully at the sender’s email address.
- Be suspicious of any email that does not clearly come from an username@ncsu.edu address.
- If anyone asks you to buy gift cards or VISA cards by email, chat, or phone, be suspicious.
- Confirm the request either in person, or by calling them yourself (you initiate the call to a known number)
- Attackers will have all kinds of excuses about why you can’t call them or see them, don’t fall for it
- Email is not sufficient to confirm, because the person’s email account may be compromised
- If you can’t confirm, don’t make the purchase.
- Stop responding to the potential attacker
- Send email to your supervisor’s @ncsu.edu address to let them know
Plan
- Talk to your supervisor and your employees ahead of time. You should all agree on:
- Whether you will ask each other to purchase gift cards or other items
- How to verify that kind of request.
- Consider having an office policy on asking favors that involve employees spending their own money for the personal benefit of their supervisor
- Recommendation: Don’t allow that
- It may result in an inconvenience, but it protects the employee from a potentially significant personal financial loss
- Recommendation: Don’t allow that
- Repeat this discussion when you get new employees (or a new supervisor).
Learn
- Discuss scams with your coworkers and students
- Read! Search for scams that target universities and students. There are a lot!
- Attend presentations on scams. Look for an upcoming talk with the State Employee’s Credit Union on March 27, 2020.