A persistent email threat is hitting us and other schools, the “gift card” scam. The hook is the email appears to come from a Williams department head, chair, or even the president, but it is really from a scammer using an external account. They have subjects along the lines of “urgent request” or “Hi” with a message like “Are you available? I’m in a meeting and won’t be able to talk on the phone.” The initial message is vague, in an attempt to start a dialog to get the victim’s guard down before specifying the nature of their request.
If they get a response, the attackers then ask the victim to buy several hundred dollars’ worth of iTunes, Amazon or other gift cards, purportedly for a business or departmental function at Williams. This is more elaborate than most phishing attacks, which makes it easier to be tricked.
The scam is so pervasive at academic institutions that the Chronicle recently posted about it:
What should you do if you get a suspicious email?
Forward it to [email protected] and OIT staff will check it out. The sooner we know about these scams the sooner we can react to protect others!
You can select “Report phishing” from the pull-down menu on the right in Gmail to help Google identify the scammer and block future similar scams.
How can you spot these types of scams?
Be suspicious of any message that asks you to do something unusual, especially if it involves a financial transaction, a bank account or credit card number, wiring funds, gift cards, W2 forms, etc. There is an industry of phishing professionals working to extract money and cash equivalents from people who are trying to be helpful.
Check the sender’s email address to see if it’s from a legitimate Williams source. [email protected] shouldn’t convince you it’s really Ephraim. Be careful of any messages purporting to come from an employee’s personal email account.
Call the sender on the phone. Con artists want you to act before you have time to think. They create a sense of urgency, and now that we’ve been advising people to call to verify unusual requests, they’ve started pre-empting that by telling you in the email that you shouldn’t call them because they’re in a meeting.
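The three checks above (a familiar name on an external address, a gift card request, and the urgency or “can’t talk, in a meeting” pretext) can also be applied by a mail filter. The script below is an added example, not an OIT tool; the domain, the roster of impersonated names and the three sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LEGIT_DOMAIN = "williams.edu"  # assumption: the institution's own mail domain

# Constructed roster of names scammers borrow (president, chairs, department heads).
IMPERSONATED_NAMES = {"ephraim williams", "jane doe"}

# Lures from the pattern described above: gift cards and the can't-call pretext.
GIFT_CARD_RE = re.compile(r"\b(gift\s*cards?|itunes|amazon\s+cards?)\b", re.I)
PRETEXT_RE = re.compile(
    r"(in a meeting|can.?t talk|won.?t be able to talk|are you available|urgent)", re.I
)


def analyze(raw_message: str) -> dict:
    """Return the indicators found in one RFC 822 message and an overall verdict."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    # Collect subject plus every text/plain part (walk() also covers single-part mail).
    body = "\n".join(
        p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain"
    )
    text = f"{msg.get('Subject', '')}\n{body}"

    findings = []
    spoofed = display_name.lower() in IMPERSONATED_NAMES and domain != LEGIT_DOMAIN
    if spoofed:
        findings.append(f"display name '{display_name}' but external address {address}")
    if GIFT_CARD_RE.search(text):
        findings.append("gift card purchase lure")
    if PRETEXT_RE.search(text):
        findings.append("urgency / can't-call pretext")
    # A borrowed name on an outside account is enough on its own; otherwise need two lures.
    return {"suspicious": spoofed or len(findings) >= 2, "findings": findings}


# Constructed samples: the vague opener, the gift card follow-up, and a genuine request.
SCAM_OPENER = """From: Ephraim Williams <ephraim.office.desk@gmail.com>
Subject: Hi

Are you available? I'm in a meeting and won't be able to talk on the phone.
"""
SCAM_FOLLOWUP = """From: Ephraim Williams <ephraim.office.desk@gmail.com>
Subject: urgent request

Please buy $500 of iTunes gift cards for the department event and send me the codes.
"""
LEGIT_REQUEST = """From: Ephraim Williams <ephraim.williams@williams.edu>
Subject: Budget meeting

Are you available Tuesday at 2pm to go over the budget?
"""
```

Running `analyze()` on the first two samples flags them, while the genuine request from the institution's own domain is not flagged on the "are you available" phrase alone.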
Security steps you can take.
Although this scam doesn’t involve a compromised account, there are simple security steps you can take to make sure your own Williams account isn’t used for phishing attacks on your friends and colleagues.
1. Set up 2-step authentication wherever possible. At Williams this is done from https://www.google.com/landing/2step/. Apple, PayPal and most likely your banking sites also encourage you to set up 2-step authentication.
2. Use a different password for every site. Don’t let a breach at Facebook or LinkedIn compromise your Williams account! You can easily have different passwords by using a password manager like LastPass: http://oit.williams.edu/help-docs/lastpass-password-manager/ or Valt: https://valt.io/