Gift Card Scams – “Are you available?”

An increasingly common social engineering attack is targeting Sciences faculty and staff.

The setup

  • The attackers use org charts, web pages, online directories, LinkedIn, and other sources of information to determine reporting relationships.
  • They usually target faculty or staff who report to someone in the College’s leadership team, such as the Dean, a department head, etc.
  • They create an email address that looks like it might plausibly be the personal email address of a leader or manager (e.g., ChrisMcGahan@gmail.com) or that at a glance looks like an NC State email address (e.g., mcmgaha.ncsu.edu@gmail.com).

The attack

  • “Are you available?”
    They send an email to that person’s administrative assistant or other subordinate, asking if they are available.
  • “I need a favor”
    When the victim responds, the attacker starts a conversation and says they need an urgent favor because they are tied up in a meeting or event, or have some other crisis.
  • “I urgently need gift cards”
    It’s often framed as a personal favor (a gift card for a family member) but may be something work-related (a gift card for an event, a contest, or compensation to research subjects).
  • “You can’t reach me right now”
    Attackers will provide excuses such as being unable to use their cell phones or step out of an important meeting.
  • “Buy me gift cards”
    Ultimately, the attacker tries to get the victim to purchase gift cards, with the promise that they’ll be paid back.
  • “Give me the PIN”
    If the victim purchases the gift cards, the attacker gets the victim to read them the activation codes and PIN numbers from the cards.

The outcome

The victims lose their money. There is no recourse once a gift card has been used.

What to do

If you have been the victim of this scam, don’t feel bad – it happens to a lot of very intelligent people. The attack preys on our natural tendency to be helpful and to be deferential to someone in power. It’s human.

As soon as you realize it, contact Campus Police at 5-3333 and make a report. You should also notify your supervisor. You should file a complaint with the FBI’s Internet Crime Center. (You can do this online.)

If you used a PCard to make an illegitimate purchase, you should immediately contact your supervisor and your business officer for guidance.

How to protect yourself and your coworkers

  • Talk to your supervisor and your employees ahead of time. You should all agree on whether you will ask each other to purchase gift cards or other items, and discuss how to verify that kind of request.
  • Have an office policy on asking personal favors that involve a subordinate spending their own money (recommendation: don’t allow that).
  • Repeat this discussion when you get new employees (or a new supervisor).
  • Be suspicious of any email that does not clearly come from an @ncsu.edu address. Look carefully at the email address.
  • If anyone asks you to buy a gift card for them for any reason, think twice.
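
The "look carefully at the email address" check above can also be run automatically over the From: header of incoming mail. The Python sketch below is an added example, not code from this page or from NC State; the leader list is a constructed sample built from the example address under "The setup", and the function name and verdict labels are assumptions. It also flags the campus domain appearing inside a longer outside domain, a case the page does not list.

```python
from email.utils import parseaddr

TRUSTED_DOMAIN = "ncsu.edu"        # the domain this page tells readers to expect
# Constructed sample list (assumption): names of leaders likely to be impersonated.
LEADER_NAMES = {"Chris McGahan"}


def _squash(text):
    """Lowercase and keep only letters so 'Chris McGahan' matches 'chrismcgahan'."""
    return "".join(ch for ch in text.lower() if ch.isalpha())


def check_sender(from_header):
    """Return (verdict, reason) for a raw From: header value."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", "no parsable address"
    local, _, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    # Only the exact domain or a true subdomain counts as campus mail.
    if domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN):
        return "internal", "sent from " + domain
    # The campus domain anywhere else in the address is decoration, not origin.
    if TRUSTED_DOMAIN in local.lower() or TRUSTED_DOMAIN in domain:
        return "suspicious", "campus domain used as decoration, real domain is " + domain
    # A leader's name on an outside address, in the local part or display name.
    for name in LEADER_NAMES:
        key = _squash(name)
        if key in _squash(local) or key == _squash(display):
            return "suspicious", "leader name '%s' on outside domain %s" % (name, domain)
    return "external", "outside sender, no impersonation marker"


if __name__ == "__main__":
    # The first two addresses are the page's own examples; the rest are constructed.
    samples = [
        "ChrisMcGahan@gmail.com",
        "mcmgaha.ncsu.edu@gmail.com",
        '"Chris McGahan" <assistant.desk@example.com>',
        "Dean's Office <dean@ncsu.edu>",
        "billing@example.org",
    ]
    for header in samples:
        print(header, "->", check_sender(header))
```

A "suspicious" verdict is a prompt to verify the request through a channel you already trust, and an "internal" verdict does not make a gift card request legitimate.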