Penn Office of Information Security (OIS) is noticing a rise in gift card phishing scams on campus. The scammer sends an email or text message to Penn staff pretending to be a high-ranking administrator, e.g., a School Dean, Executive Director, the Provost or the President. The message indicates that the sender is occupied and needs immediate assistance purchasing gift cards from a specific store or brand for a specific amount. The message also asks the recipient to send the gift card codes back to the sender, either by taking a picture of the codes and sending the image as an email attachment or by sending the list of codes in an email.
Impact
This type of social engineering scam has an impact on the recipient and the University.
- The recipient’s financial loss when personal funds are used to purchase the gift cards.
- Penn’s financial loss when a PCARD is used to purchase the gift cards.
To protect yourself from falling victim to gift card scams:
1. Pay attention to the sender’s email address. Usually, Penn employees use their work email address when conducting business at Penn. Assess whether the domain is legitimate, e.g., jsmith@upenn.edu. The domain is “upenn.edu.”
2. This is not how Penn does business. Penn personnel will NOT ask for assistance in purchasing gift cards for personal purposes.
3. In some cases, scammers spoof a legitimate Penn sender email address, e.g., jsmith@upenn.edu. Often, those scammers change the email address in the Reply-To field to something like jsmith@msn.com. To verify, hit Reply and check whether the To field changes to a non-Penn email address. Make sure not to press Send.
4. Verify the message or text with your manager or your IT support provider (LSP) before you respond.
5. If you have fallen victim to this type of scam:
   a. Report the incident to your local police.
   b. Report the incident to your LSP.
   c. If you don’t know who your LSP is, report the incident to the Office of Information Security at security@isc.upenn.edu.
   d. Report the scam to the company that issued the gift card. There could be a slim chance they can recover funds for you.
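The sender-domain and Reply-To checks from steps 1 and 3 can also be run against a raw message. The following is an added example, not part of the original advisory or any OIS tooling; the sample messages are constructed, `upenn.edu.example` is a made-up lookalike domain, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "upenn.edu"  # the domain named in the advisory

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def is_trusted(domain):
    # Exact match or a true subdomain (e.g. isc.upenn.edu).
    # 'upenn.edu.example' and 'notupenn.edu' both fail this test.
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)

def check_message(raw):
    """Return a list of warnings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    warnings = []
    if not is_trusted(from_dom):
        warnings.append(f"From domain '{from_dom}' is not {TRUSTED_DOMAIN}")
    # A reply is addressed to Reply-To when it is present, not to From.
    if reply_dom and is_trusted(from_dom) and not is_trusted(reply_dom):
        warnings.append(
            f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")
    return warnings

# Constructed sample messages (not real mail).
SAMPLES = {
    "legit": "From: J Smith <jsmith@upenn.edu>\nSubject: Meeting\n\nSee you at 3.\n",
    "reply_to_swap": ("From: J Smith <jsmith@upenn.edu>\n"
                      "Reply-To: jsmith@msn.com\n"
                      "Subject: Quick favor\n\nAre you available?\n"),
    # The display name shows a Penn address; the real address does not.
    "lookalike": ('From: "jsmith@upenn.edu" <jsmith@upenn.edu.example>\n'
                  "Subject: Urgent\n\nI need your help.\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", check_message(raw) or "no warnings")
```

A message that passes both checks can still have a spoofed From address, so these checks do not replace verifying the request with your manager or LSP (step 4).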
Contact your department’s LSP if you suspect an email account or computer compromise, or when receiving an email requesting you to purchase gift cards for a manager at Penn.
If you are unsure who your LSP is, report scams, including phishing, to the Office of Information Security at security@isc.upenn.edu or 215-898-2171.
To learn more about this and related scams, visit:
- Mention of gift card scams in the Almanac One Step Ahead in Observance of NCSAM, Vol 65 Issue 10, https://almanac.upenn.edu/articles/one-step-ahead-in-observance-of-ncsam.
- Phishing & Spear Phishing https://www.isc.upenn.edu/phishing-spear-phishing.
- Phishing Scheme Targets Professors’ Desire to Please Their Deans https://www.chronicle.com/article/Phishing-Scheme-Targets/245535.
- Federal Trade Commission Consumer Information - Paying Scammers with Gift Cards https://www.consumer.ftc.gov/articles/paying-scammers-gift-cards