Cyber Security Tip: Phishing for Gift Cards

July 3, 2019

Do you use iTunes?  What about Google Play?  So do criminals, and they phish for you to feed their habit. You are at the front line of protecting yourself and the campus community. 

Here's what happens:

In the past few weeks, the campus experienced a rash of phishing attacks.  The most common form is a short message that starts with something like, "quick help needed," "are you in the office?," or "available?" - Anything to attract a response.  The messages often appear to come from vice chancellors, deans, and department chairs. 

These messages are designed to separate you, the victim, from your hard-earned money.  When the victim responds, the criminal engages in a conversation, asking them to buy a gift card or several.  The message promises to reimburse the victim.  The next step asks the victim to scratch off the back of the card, take a photo, and send it to the criminal.  At that point, the value of the card passes to the crook, and you are out the cost of the gift card.

Criminals target these messages at smaller organizations on campus.  Criminals identify the members of the group from public information like the campus directory and websites.  The typical attack involves 25 to 100 recipients.

There is no automated way to detect and block these attacks.  You are at the front line of identifying them.  In all of the recent cases, the return address is not a UCSB.EDU email address. Instead, they come from places where the crooks can create free email accounts that appear real. 

A common sign of phishing includes poor spelling and grammar.  Be suspicious about short messages that attempt to engage you without telling you why.  Always look carefully at return addresses to verify that they are from valid UCSB accounts.  Finally, if something is out of character for the sender, be suspicious.  If the dean doesn't regularly communicate with you, why would you receive a message asking for your help? Investigate before responding.

Cybersecurity awareness training talks about phishing and other ways that you can protect yourself and the campus community. If you haven't taken the training, please do so. University policy requires you to take a refresher course annually. We recently updated the course to include new material presented in an engaging style. 

If you experience phishing, you can file a report with UCSB Information Security at https://www.it.ucsb.edu/report-harassing-or-unwanted-email.