This piece was originally written by Nav Bassi on February 20, 2020, for the now-defunct UVic CISO Blog. Reposting here as much of the content remains relevant and is referenced by many of our posts on Phish Bowl.
The email warning banner service described below has since been superseded by newer security features. Nowadays, we recommend you keep an eye out for any warning banners that say that you don’t normally get emails from the sender–if you see that banner on an email claiming to be from someone within UVic, that’s a strong sign of an impersonation scam.
In late December 2019, we received a number of Gift Card Scam emails. These follow the usual pattern of impersonating someone in authority to compel someone else to purchase gift cards on their behalf and send them the codes electronically. Unfortunately, it is a common fraud and some of our colleagues have been victimized by these criminals.
The best defense to detect someone from outside of the organization impersonating someone from inside is to opt-in to our Email Warning Banner Service; this provides banner warning messages at the top of All External Emails and/or External Spoofed Email (email that claims to be from UVic based on the From: address, but the actual path the email took doesn’t match).
It’s also a good idea to verify requests that involve money, especially spending or transferring, by calling the supposed requester.
The Manager of our Information Security Office received one of these during the Winter Closure and decided to reply. It all began with a single email impersonating our President:
How are you ? Where are you? i need a little assistance from you
President
Jamie Cassels
University of Victoria
Greater Victoria
British Columbia, Canada
Sent from my Device
There are some obvious clues! For example, it is an odd email to receive. It doesn’t address the recipient by name, and the wording doesn’t reflect our articulate President. The signature is also odd, “Greater Victoria” looks like it was picked based on some Googling and not by anyone actually from the city. If you receive a message like this, your best options are to:
- Delete it (or click the
Report Phishing button)
- Call the President’s office to verify the legitimacy of the message. Since it doesn’t contain any links or attachments, you could also inquire about it’s legitimacy with the Computer Help Desk.
Don’t do this, but our Manager decided to reply:
Hi Jamie.
I am doing super awesome! How are you?
I’d be glad to be of assistance. What can I do for you?
Eric
And got a quick response back:
I’m sorry for bothering you, I really do need your assistance with purchasing (Google Play gift cards) for my friend who is a cancer patient. I promised her a Google Play card as a birthday gift but I can’t do this right now. i tried purchasing it online but unfortunately all effort to no avail.
Wondering if you could get it from any store around you ? I’ll pay back asap. Kindly let me know if you can handle this.
President
Jamie Cassels
University of Victoria
Greater Victoria
British Columbia, Canada
Sent from my Device
Again, don’t do this, but our Manager continued the exchange:
She must be a really special friend for you to splurge on Google play gift cards. But maybe she’d like to be taken out for dinner or given an InstaPot – I hear they’re all the rage right now.
What store should I go to?
The instructions that came back are quick helpful and specific; clearly some more Googling has been done to see where gift cards can be purchased. It’s a common tactic; this person has done it before, and is probably corresponding with a number of other people at the same time. Note the instructions regarding sending a photo of the cards – this is the key: they need this information to redeem the value on the cards. This is how the theft occurs!
I’m checking…from what I can find out they are readily available at the following stores Walmart, Shoppers drug mart & Canadian tire value on google play gift card ($100 denomination) × 5 pcs= 500 CAD
As soon as you pick up cards, CAREFULLY Scratch the back of all 5 cards revealing pin on each card, then take a snap shot of the back of each card showing it’s pin and have photos attached and email me, so i can have it forwarded to her e-mail address. Keep me posted,
I owe you
President
Jamie Cassels
University of Victoria
Greater Victoria
British Columbia, Canada
Sent from my Device
Now our Manager is just having a little fun at the criminal’s expense:
I’m not sure where those stores are, but I’ll look them up. When do you need the cards by?
Why do you need pictures of the cards? I can just run them over to your office in person.
Aren’t you in your office?
Clearly the criminal does not want our Manager to take the gift cards to the actual President’s office…
You could just email me with the photos of card. soon as you pick them up.
i left office, would be back by tomorrow…how soon can you pick it up
President
Jamie Cassels
University of Victoria
Greater Victoria
British Columbia, Canada
Sent from my Device
How long will the criminal keep up the exchange? Our Manager responds:
I will head out to the store shortly and will email them to you when I get them.
The criminal responds:
keep me posted.
Our Manager is playing along:
Ok, I have a bunch of cards! I’m on my way back to the office. I’ll send you pictures when I get there.
Oops, looks like the criminal is getting impatient:
Still waiting
President
Jamie Cassels
University of Victoria
Greater Victoria
British Columbia, Canada
Sent from my Device
Our Manager provides a classic Canadian response:
Ok, sorry.
The last message of the exchange:
Hello
Could you please send me the photo attachment of the gift cards?
Thanks
President
Jamie Cassels
University of Victoria
Greater Victoria
British Columbia, Canada
Sent from my Device
Takeaways: Gift Card Scams and other forms of Business Email Compromise rely on trying to trick the recipient into believing the criminal is a trusted individual within the organization authorized to make whatever request is being made. The best way to defend yourself is to:
- Opt-in to our Email Warning Banner Service to give you a visual cue that the message is from outside the organization and/or it is misrepresenting itself from inside when it’s really outside***
- Pick up the phone and verify any and all requests that involve spending money or transferring funds.
***There are some legitimate situations where a message could be from outside the organization but represent itself as inside. For example, if you are using an external third-party mailing list service to email a newsletter, the email will come from the service outside of UVic but may have a UVic email address appear in the From: field to represent it as from a UVic sender. This is why we generate a banner to inform and empower the recipient instead of just blocking these messages.
Final thought: One of the reasons scams like this work is because they mimic our own practices. If we regularly ask our colleagues to purchase gifts cards via email, and also ask for photos of the redemption codes via email, then it is harder to detect this type of scam as unusual behavior. We should alter our practices to include, for example, telephone verification, so that it’s more difficult for someone to mimic our own practices. It is worth thinking about some of our activities that involve funds, and could therefore be a target for criminals, to see whether they are susceptible to fraud and how we can reduce this risk. Remember the old security saying: Trust, but verify.
