Gift Card Spear Phishing Scams

What is "spear phishing"?

Spear phishing is a form of phishing that targets people with close access to authority figures (e.g., direct reports, secretaries). The scammer collects personal info about their targets from publicly available materials including websites, social media, and past data breaches. The scammer then uses this info against targets to fool others into allowing additional access to protected information or resources (usually financial).

What is gift card spear phishing?

Gift card spear phishing is a specific scam in which a criminal -- knowing that organizations often purchase gift cards as rewards -- impersonates a high-level individual such as a CEO, demanding that a subordinate quickly purchase gift cards on his/her behalf.

The urgency of the email, combined with the authority figure making the demand, puts social pressure on the subordinate to obey the request. After gift cards are purchased, typically the scammer will request the serial numbers of each card, in order to spend the balances online.

How to spot gift card spear phishing

Typically, the scammer sends you an email posing as a boss/colleague, attempting to grab your attention. This is the "hook":

(In this example, the email address is clearly phony: ________.xavier@gmail.com)

If you reply, the scammer then tries to gain your trust... and gives an excuse to keep the conversation restricted to email only:

After obtaining your willingness to help, the scammer makes the bogus request:

Presuming you purchase the gift cards, the scammer will follow up and ask you to include that info in your reply (remember, this person is conveniently "still busy" and can't be bothered to take any calls or pick up the cards from you in person).

How do I prevent gift card spear phishing?

While you can't prevent spear phishers from targeting you, you can prevent yourself from becoming their victim.

Common-sense practices can easily defeat these scammers:

  • Be suspicious of any messages that have an air of urgency to them. Never let anyone persuade you to make a decision immediately. There is always enough time to verify a claim using reliable sources.
  • Check the email From: address -- it is probably phony. Even if it is correct, you still shouldn't let your guard down. The sender's account could be compromised by the scammer!
  • Contact the alleged sender, if possible. Be sure you are using a known good number from a reputable directory or your own personal address book.
  • If you are pressured to share personal info, account information or finances, immediately cease contact with the sender and forward the email to abuse@xavier.edu instead.

If you are a supervisor, share this article with your staff. Reassure them that it is always okay to "say no to the boss" in these situations, rather than put the university at risk.
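
The warning signs described above (a From: address outside the organization, urgency, a gift card request, an excuse to stay on email) can be checked mechanically for triage. The following is an added example, not part of the original article; the keyword lists, the freemail list and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "xavier.edu"  # domain of the abuse@ address given on this page
ORG_NAME = "xavier"
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed, not exhaustive
URGENCY = re.compile(r"\b(urgent|asap|quick(ly)?|right away|immediately)\b", re.I)
GIFT_CARD = re.compile(r"\bgift\s*cards?\b", re.I)
EMAIL_ONLY = re.compile(r"(can'?t|cannot|unable to)\s+(take|talk|call)|in a meeting", re.I)

def score_message(raw):
    """Return the list of warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    text = msg.get("Subject", "") + "\n" + str(msg.get_payload())
    signs = []
    if domain != ORG_DOMAIN and not domain.endswith("." + ORG_DOMAIN):
        signs.append("external-sender")
        if domain in FREEMAIL:
            signs.append("freemail-domain")
        if ORG_NAME in local:  # pattern from the page: name.xavier@gmail.com
            signs.append("org-name-in-local-part")
    # Content checks run even for internal senders: the real account
    # may be compromised, so a correct From: address clears nothing.
    if URGENCY.search(text):
        signs.append("urgency")
    if GIFT_CARD.search(text):
        signs.append("gift-card-request")
    if EMAIL_ONLY.search(text):
        signs.append("email-only-excuse")
    return signs

# Constructed sample messages (not real mail).
HOOK = """From: Jane Doe <president.xavier@gmail.com>
Subject: Are you available?

I need a quick favor. I am in a meeting and can't take calls, so reply by email.
"""
REQUEST = """From: Jane Doe <president.xavier@gmail.com>
Subject: Urgent request

Please purchase 5 gift cards right away and send me the card numbers.
"""
INTERNAL = "From: Jane Doe <jdoe@xavier.edu>\nSubject: Rewards\n\nBuy gift cards today, it is urgent.\n"
BENIGN = "From: Sam Lee <slee@xavier.edu>\nSubject: Lunch\n\nSee you at noon in the cafeteria.\n"

if __name__ == "__main__":
    for name, raw in [("hook", HOOK), ("request", REQUEST), ("internal", INTERNAL), ("benign", BENIGN)]:
        print(name, score_message(raw))
```

A non-empty result is a reason to verify the request with the alleged sender through a known good number, not proof of fraud on its own.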