Division of Information Technology

Cyber Threat Alert: Gift Card Scam

By DoIT Communications

Date Released: 1/30/2019

 

Gift Card Scam

 

Hello All:

 

Over the past few weeks, we have observed an uptick in scam emails being sent to our community members, and others around the country. It’s important that we all stay diligent, and recognize these scams when we are on the receiving end.

 

Motivation of Attacker: Financial

Method of Communication: Email

Method of Deceit: The sender uses a third-party email service, like gmail.com or outlook.com, to create a look-a-like address, such as “Matthew.Nappi@outlook.com” or “Matthew.Nappi.Stonybrook@gmail.com” and then initiates a conversation with a seemingly innocent opening email such as, “Are you available?”

End Goal: Initiate a financial transaction, such as buying iTunes gift cards or payment of a fraudulent invoice.

Variations: We’ve also seen emails come through that look like they are from a stonybrook.edu or stonybrookmedicine.edu email address. So, it’s important to verify an email is legitimate via a second form of communication, like a phone call, anytime someone is trying to initiate a financial transaction or ask for information. In some cases, the bad guys are after information which can help them carry out a future attack, such as the name/email address of a particular department head.

 

What can you do about it if you receive one of these emails?

  1. Do not respond or continue a conversation in progress.

  2. Forward the email to phishbowl@stonybrook.edu.

  3. Flag the message as phishing. The method for doing so varies slightly depending upon what email system you are on. If using Google, it’s as easy as pressing the three dots next to the reply button and choosing “Report Phishing.” If using Outlook, follow the steps below:

 

If you fall victim to one of these scams, do not panic. Instead, immediately call the financial institution you used to issue payment and report it as fraud. Be sure to also contact the University Police Department. If sensitive data was shared with the attacker, be sure to report it to our team as well by opening a ticket.

 

Thank you for your diligence and attention to this matter.