Posted by: Heather Shy on June 21, 2019 at 12:00 pm
Are you in the office?
A simple email, only five short words. In my Outlook inbox, it looked like a normal email from my boss. What it was, however, was a common phishing attempt — the gift card scam.
Phishing (pronounced “fishing”) is an email scam where the phisher attempts to “lure” you into giving up personal or financial information by posing as someone else. In this case, they impersonated my boss.
Fake Boss wanted me to go buy Google Play gift cards, 20 of them at $100 each. That’s $2000, folks. I was instructed to scratch off the cards to reveal the activation codes, take photos of the codes, and email them to him. “And keep the hard copies.”
What’s in it for the scammer? They now have gift card codes they can resell online, at no cost to them. Even if they sell them at half price, they make $1000, cost-free, and you or your business is out $2000.
What happened next was hilarious. At least to me.
How the Gift Card Scam Plays Out
To be fair, the first tip-off that this was a scam came from that simple, initial question: “Are you in the office?” For one thing, our office isn’t very big. I knew that the real Tavis was in his office less than 100 feet away from me. Secondly, we had just met less than half an hour beforehand. Tavis had no reason to assume I had left. So why would he ask that?
With this in mind, I glanced at the “From” email: email@example.com. Easy peasy. That is not Tavis’ email address.
Just to make sure, I forwarded the email to Tavis’ real email.
After receiving permission to mess with the scammers, the following conversation ensued:
Me: Sure, what do you need?
Fake Tavis: Heather, I need you to pick up some google play cards for me at any convenience store nearby. Confirm if you can.
Me: Cool. What are you getting?
Fake Tavis: I need you to purchase google play gift card of $100 x 20 = $2,000. Let me know once you have them, Scratch the cards, take photos of the codes and email them to me. And keep the hard copies. Advice on what time you can get this done.
Another clue: the real Tavis has a far better command of English.
Me: Fun! Are these the company bonuses we were promised? Do I get one? 😉
Fake Tavis: No, this is for a client.
Wow, how rude.
Me: Which client? I’ll need that information for coding it properly in accounting.
I don’t do the accounting.
Fake Tavis: A client I am handling personally, go and get the cards, I will give you the information when I am done.
Me: Oh, I think you took the company card this morning. Remember you needed to get gas? Try this website; they can email you the codes directly. Saves us both some time! <link to scammy website that resells Google Play cards.> Just remember to email the receipt to me and LMK the client code for accounting.
Fake Tavis: I have tried buying online but kept getting cancelled. I will prefer you to get the actual physical cards. use your personal card, you will be reimbursed.
Wow, I wonder why he “kept getting cancelled.” Also, use my personal card? Yikes.
Me: Your calendar says you are available today. Can’t you pick these up?
Sadly, that was the end of my fun, as the scammers either realized I was onto them or felt I was just too difficult to work with. (A little of A, a little of B perhaps?)
How to Tell You’re Dealing With a Scam
Generally, it’s probably not a great idea to engage with scammers like this. I’m not sure if knowing my email is valid will lead to more attempts. Or, as I’m hoping, realizing that I’m onto them (and difficult!) will keep my email off their target lists.
My hope, however, is that this experiment helps someone else to know when they’re being targeted. In summary, here are clues to look for with this kind of request:
- The “from” email is not the supposed sender’s actual email address.
- The requestor is asking for information they should already have. (For example, the real Tavis knew I was in the office and would not have asked.)
- The request seems out of character.
- A separate email or phone call to the supposed sender confirms the request is fake.
- The communication style is out of character.
Emails like this can safely be ignored and deleted, with one warning: Don’t click any links or open any attachments. Tavis’ email wasn’t hacked or even spoofed; the scammers barely made any attempt to pretend they were him other than using his name.
Still, there are several steps that businesses can take to defeat these attempts. A good email spam filter, employee training and clear company policies about release of personal or financial information will go a long way toward keeping staff from falling prey to the gift card scam.
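The first clue in the list above can be checked automatically. This added example (not code from the original post) flags mail whose display name matches a known staff member while the address does not, and separately notes gift-card wording in the body. The directory, the surname "Example" and every address are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

def name_key(display_name):
    # Order-insensitive key so "Tavis Example" and "Example, Tavis" compare equal.
    return " ".join(sorted(display_name.lower().replace(",", " ").split()))

# Assumed directory of people worth impersonating: name -> their real address.
# The surname and every address below are constructed placeholders.
DIRECTORY = {name_key("Tavis Example"): "tavis@corp.example"}
GIFT_CARD_CUES = ("gift card", "google play", "scratch the cards", "photos of the codes")

def body_text(msg):
    # Collect text/plain parts; works for single-part and multipart messages.
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
             if p.get_content_type() == "text/plain"]
    text = b" ".join(parts).decode("utf-8", "replace")
    return " ".join(text.lower().split())  # collapse line breaks and spacing

def check_message(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    findings = []
    real_addr = DIRECTORY.get(name_key(display))
    if real_addr and addr.lower() != real_addr:
        findings.append("display-name-mismatch")
    if any(cue in body_text(msg) for cue in GIFT_CARD_CUES):
        findings.append("gift-card-request")
    return findings

# Constructed sample messages modelled on the exchange quoted in this post.
OPENER = ('From: "Tavis Example" <boss.office@mailbox.example>\n'
          "Subject: Quick question\n\nAre you in the office?\n")
FOLLOW_UP = ('From: "Example, Tavis" <boss.office@mailbox.example>\n'
             "Subject: Re: Quick question\n\n"
             "I need you to purchase google play gift card of $100 x 20.\n"
             "Scratch the cards, take photos of the codes and email them to me.\n")
GENUINE = ('From: "Tavis Example" <tavis@corp.example>\n'
           "Subject: Notes\n\nNotes from this morning attached.\n")

if __name__ == "__main__":
    for label, raw in (("opener", OPENER), ("follow-up", FOLLOW_UP), ("genuine", GENUINE)):
        print(label, check_message(raw))
```

The opening "Are you in the office?" message contains no gift-card wording at all, so the display-name check is the only signal that catches it before the request arrives.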