Gift Card Scams
In recent years, there has been an increase in the number of directly gift card scam emails received by our users. Numerous employees and students have been scammed out of personal and university funds by these emails. Almost all of these emails have several factors in common.
Common Factors in Gift Card Scam Emails
A significant portion of the gift card scam emails received by OSU contain these common factors:
- The emails appear to be sent from a supervisor or other person in authority. Common examples include: supervisors, managers, directors, department heads, deans, and vice presidents. This person’s name is usually displayed as the sender.
- While the sender appears to be from an OSU employee, the email address will be from a non-OSU email address. For example, the email address may be similar to “email@example.com”. The “@gmail.com” email domain indicates this is not an OSU email address.
- The email subject is usually very short and asks if the recipient is available. For example, the subject line “Available?” is commonly seen.
- The email message is also usually very short and asks if the recipient is available for a quick task. Several of these messages are written in all lower case and also appear like they were written in a hurry.
The Scam in Action
Recipients who respond to the initial email, and indicate they are available, usually receive a response from the same email address. The response will indicate the sender is in a meeting, but they need a urgent task taken care of quickly. If the recipient responds and indicates they can help with the tasks, the sender usually responds and ask for the recipient to purchase gift cards from an off-campus store as soon as possible with a promise to be paid back. Common examples of gift cards requested include: Apple iTunes gift cards, Amazon gift cards, and Steam gift cards.
If the original recipient agrees to purchase the gift cards, they are usually directed to reveal the redemption code on the back of the card and take a picture of the code. They are asked to send this picture to the original sender, who will resell the code to another party. After they have the codes, the original sender may continue to ask for more codes or abruptly stop contact.
- Since the emails almost always originate from external email sources, the external email warning banner should be displayed. This banner is automatically inserted on emails sent from non-university email addresses. If the sender appears to be a university employee, this could be a clue it did not actually come from their email address. Users should check to see who is listed as the sender of any emails containing the external email sender banner.
- If you want to verify a suspicious email, try to call the person who appeared to be the sender. If they indicate they did not send the email, it is likely a gift card scam and you should not respond.
If you have fallen victim to a scam email and purchased the requested gift cards, you may want to contact your local police department to file a report. If the gift cards were purchased with a credit or debit card, you may want to contact the associated financial institution regarding the purchases.
Report suspicious or unsolicited emails in Office 365 (web interface or desktop application). Microsoft uses this information to stop other emails and block links in existing emails.
If you are reporting the email in Outlook on the web, click the ‘Report’ button and click ‘Report Phishing’.
If you are reporting the email in the Outlook desktop application, make sure you have the Report Message add-in applied to your account. Select the email you would like to report, click Report Message, and select the category you would like to report the message as.
To apply the Report Message add-in, click the ‘Get Add-ins’ button on the tool bar, then search for Report Message, click Add and Continue. After the process of applying the add-in is complete, the Report Message button should appear on the right-hand side of the ribbon.
Report the email to the IT Helpdesk by composing a new email message addressed to firstname.lastname@example.org and dragging the suspicious or unsolicited email to the new email message; this method will allow the suspicious email to be added as an attachment in the new mail item. You may also forward the suspicious email to email@example.com