Search Information Security site

 

Main menu

Full Gift Card Scam Email

Date: 
Tuesday, March 24, 2020 - 15:30

Gift card scam emails usually begin with a very brief email that appears to come from somebody you think is important, such as an associate dean, department chair, or your supervisor. 
It asks if you can do them a favor  or give "urgent help".   

If you think the email is a scam - DO NOT RESPOND - forward it to [email protected] for verification.
NO ONE AT UVA SHOULD ASK YOU TO BUY GIFT CARDS IN AN EMAIL MESSAGE.

What follows is an actual gift card scam email sequence to help you spot when you might be the target! 

The initial email:

Date: Friday, March 20, 2020 at 9:38 AM
From: “Your Supervisor” <[email protected]>
To:  “Typical User, (mst3k)” <mst3k[at]virginia.edu>
Subject:  Urgent!

Available?

<Actual Supervisor’s Signature>
----------------

To which the employee then replies:

Date: Friday, March 20, 2020 at 10:32 AM
From:  “Typical User, (mst3k)” <mst3k[at]virginia.edu>
To: “Your Supervisor” <[email protected]>
Subject:  Re: Urgent!

Yes, I'm available to talk.

<Typical User’s Signature>
-----------------

To which the scammer then replies:

Note: Clues that the email might be a phishing / scam email are in bold italics:

Date: Fri, Mar 20, 2020 at 10:35 AM
From: “Your Supervisor” <[email protected]>
To:  “Typical User, (mst3k)” <mst3k[at]virginia.edu>
Subject: Re: Re: Urgent!

I’m in a conference right now, can’t talk on phone.I want you to complete a task for me urgently, Let me know if you’ll be able to get it done ASAP.

Thanks!

<Actual Supervisor’s  Signature>
-----------------

To which the employee replies to the scammer's email:

Date: Friday, March 6, 2020  at 10:46 AM
From:  “Typical User, (mst3k)” <mst3k[at]virginia.edu>
To: “Your Supervisor” <[email protected]>
Subject: Re: Re[2]: Urgent!

Okay. I can certainly try depending on the nature of the request. I've got a short window this morning before my first (doc) appt. What would you like for me to assist you with?

<Typical User’s Signature>
-----------------

The scammer replies with their request.

Note the sense of urgency and the unnatural sentence construction.
Date: On Fri, Mar 6, 2020 at 10:52 AM
From: “Your Supervisor” <[email protected]>
To:  “Typical User, (mst3k)” <mst3k[at]virginia.edu>
Subject: Re: Re: Urgent!

Here is what you need to do for me quick, I need iTunes gift cards, can you get some at the store right now? I will reimburse you as soon as I’m out of the meeting with any inconveniences.Let me know to advise on denominations to purchase.

Thanks!

<Actual Supervisor’s  Signature>
-----------------

Wanting to be helpful, the employee replies to the scammer.  

Friday, March 20, 2020  at 10:57  AM
From:  “Typical User, (mst3k)” <mst3k[at]virginia.edu>
To: “Your Supervisor” <[email protected]>
Subject: Re: Re: Urgent!

Okay, sure. I can run to the grocery store and pick them up before my appt.. I have a meeting on Grounds in my office at 3:00. I can bring them to you right before that meeting. Would that work for you? How many do you need and in what denominations?

<Typical User’s Signature>
-----------------

The scammer replies.

CLUE: Their reply ignores your suggestion to meet them (sometimes they will say they are to busy to meet you). 

Date:  Fri, Mar 20, 2020 at 10:59 AM
From: “Your Supervisor” <[email protected]>
To:  “Typical User, (mst3k)” <mst3k[at]virginia.edu>
Subject: Re: Re: Urgent!

All I need you to get is five (5) cards for $100:00 each worth of iTunes gift cards. Scratch-off the bar code and Attach me a clear pictures of the cards showing the codes to me here and keep the hard copies safe with you for me.Hope this is clear ?

<Actual Supervisor’s  Signature>
-----------------

The employee replies to the scammer.  

Date: Fri, Mar 20, 2020 at 11:02 AM  
From:  “Typical User, (mst3k)” <mst3k[at]virginia.edu>
To: “Your Supervisor” <[email protected]>
Subject: Re: Re: Urgent!

Okay. I'll go grab them from wegmans now . I'll send pics of the back of each card with the barcode showing.

<Typical User’s Signature>
-----------------

The employee sends the scammer the pictures of the gift cards they purchased with their own money.  

Date Fri, Mar 20, 2020 at 11:30 AM
From:  “Typical User, (mst3k)” <mst3k[at]virginia.edu>
To: “Your Supervisor” <[email protected]>
Subject: Cards attached

[cid:170b0bbeaac724a86834]
[cid:170b0bbeaabe0472823] 
[cid:170b0bbeaaca9be5e815]
[cid:170b0bbeaab45784a802]
[cid:170b0bbeaab2194e9881]

(The file names above are the five pictures of the gift cards the employee sent to the scammer.)

<Typical User’s Signature>
-----------------

The scammer thinks the employee didn’t do it right.  

Date: Fri, Mar 20, 2020 at 11:35 AM 
From: “Your Supervisor” <[email protected]>
To: “Typical User, (mst3k)” <mst3k[at]virginia.edu>
Subject: Re: Re: Urgent!

Scratch the bar code and send it here

<Actual Supervisor’s Signature>
-----------------

So, the employee replies to the scammer explaining why they did follow the scammer's directions.  

Date: Friday, March 20, 2020 at 11:37 AM
From: “Typical User, (mst3k)” <mst3k[at]virginia.edu>
To: “Your Supervisor” <[email protected]>
Subject: Re: Re: Urgent!

There is no scratchable barcode. The code at the bottom is the code. The person in the checkout line said this. And I don’t see anything on the card to scratch off

<Typical User’s Signature>
-----------------

The scammer, trying to help the employee, sends an example of what they wanted.

CLUE: If this person was really in a meeting and really busy, how/where did they have example pictures of  gift cards with the bar code scratched off?
And note the “interesting” grammar and sentence construction.  

Friday, March 20, 2020 at 11:38 AM
From: “Your Supervisor” <[email protected]>
To: “Typical User, (mst3k)” <mst3k[at]virginia.edu>
Subject: Re[3]: Re[2]: Urgent!

This am example

[Scammer includes a picture of a gift card with the barcode scratched off.]

<Actual Supervisor’s  Signature>
-----------------

The scammer really wants the employee to do it the way they're expecting.  

Date:  Fri, Mar 20, 2020 at 11:40 AM
From: “Your Supervisor” <[email protected]>
To: “Typical User, (mst3k)” <mst3k[at]virginia.edu>
Subject: Re[3]: Re[2]: Cards attached

Scratch the card the way it scratch in the picture I sent to you

<Actual Supervisor’s Signature>
-----------------

The employee starts a NEW message to their supervisor.

The new email automatically retrieves the supervisor’s actual UVA email address (not the fake one the scammer is using). 
The employee sends the pictures of the cards again and their real supervisor asks what's this all about, as they did not ask for gift cards.

From: “Typical User, (mst3k)” <mst3k[at]virginia.edu>
Date: March 20, 2020 at 11:51:59 AM
To:  <<Used the actual UVA email address of the supervisor >>
Subject: Cards with barcodes showing

Sending one more time, just in case

---------- Forwarded message ---------

Date Fri, Mar 20, 2020 at 11:30 AM
From:  “Typical User, (mst3k)” <mst3k[at]virginia.edu>
To: “Your Supervisor” <[email protected]>
Subject: Cards attached

[cid:170b0bbeaac724a86834]
[cid:170b0bbeaabe0472823] 
[cid:170b0bbeaaca9be5e815]
[cid:170b0bbeaab45784a802]
[cid:170b0bbeaab2194e9881]

(The file names above are the five pictures of the gift cards the employee sent to the scammer.)

<Typical User’s Signature>
-----------------

Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.

Complete Report Form