Alerts Newsletter Phishing

Social Engineering and the “Gift-Card Scam”

adapted from original post by Trisha Clay, EDUCAUSE

Social engineering begins with research, whereby an attacker reaches out to a target to gain information and resources. When someone you don’t know contacts you and asks you open-ended questions, this may be the first step of a social-engineering attack. After the attacker reaches out to you, they will then attempt to establish trust with you and get you to provide them with the information or access that they need. Often, the attacker does this by creating a sense of urgency. One common social-engineering scam is the gift-card scam. The attacker poses as an executive. The “executive” will email the victim, ask if the victim is in the office, and begin a brief email exchange with the victim. The executive will tell the victim that they need to purchase one or more gift cards for other employees but that they are unavailable to do so. The executive will ask the victim to buy several gift cards and keep one for themselves. As the victim is worried about pleasing the executive, the victim goes through with the purchase, spending hundreds or thousands of dollars. How do you avoid becoming a victim of these types of attacks? Ask yourself if the request makes sense. Check the email address of the sender. Does the sender’s email address include an extension that you would expect (.edu, for example)? Whenever you receive an “urgent” email communication, the first thing you should do is contact the sender using another mode, such as phone or text message, and confirm that the email is legitimate. If something seems off to you, it probably is.

If you receive an e-mail such as this or any other suspected phishing attempt, please do not click on any links or download any files from the e-mail. Simply forward the e-mail to phishing@wustl.edu and delete the e-mail from your inbox.

If you have additional questions or concerns, please reach out to us at the Office of Information Security at infosec@wustl.edu. We are here to help during this difficult time. We appreciate all that you do to keep our enterprise secure.