Medical Center target of gift card fraud emails
Jul. 11, 2019, 9:13 AM
You may have recently received, or may soon receive, a phishing email claiming to be from a Vanderbilt University Medical Center colleague or leader asking you to purchase gift cards (iTunes, prepaid credit cards, Amazon, etc.).
These emails often use a technique called “display name spoofing,” making the email look like it is from a sender you know. The technique is the latest type of phishing and internet fraud.
According to the Chronicle of Higher Education, more than a dozen academic institutions have already been targets of this phishing scam, in which the scammers have posed as co-workers, professors, department chairs and deans. The scammers get these names from public listings on websites.
The scammers’ emails often use language saying they need help on “something very important right away,” hoping the recipient will quickly respond with an offer to assist.
Gift card fraud schemes typically follow this pattern:
- An email message will be sent with a display name matching a colleague or a member of the organization’s leadership team. The sender’s email address is not the person’s organizational email account but may be crafted to look legitimate.
- For example, an email might look like “firstname.lastname@example.org,” using an external account instead of “email@example.com.” The email will ask for an urgent favor stating that the sender is “in a meeting” or “at the airport” and therefore unreachable, but needs the favor immediately.
- The sender will ask the recipient to quickly purchase gift cards, either online or at a store, and send the gift card information and activation codes as soon as possible.
Do not purchase gift cards for institutional purposes if you are asked to do so by email.
Instead, if you receive a message like this supposedly from a colleague or executive leader asking for an “urgent favor,” or if the message seems suspicious or asks for an atypical action (transferring funds, purchasing gift cards), it should be reported to firstname.lastname@example.org.
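For mail administrators, the pattern described above (a colleague's display name on a non-organizational address, urgent language, a gift card request) can be checked automatically. The following Python sketch is an added example, not part of the original notice; the directory entries, the `hospital.example` domain, the keyword lists and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed staff directory (assumption): display name -> organizational address.
DIRECTORY = {
    "jane doe": "jane.doe@hospital.example",
    "sam lee": "sam.lee@hospital.example",
}
# Phrases taken from the pattern in the notice; the exact lists are assumptions.
URGENCY = re.compile(r"right away|urgent|in a meeting|at the airport|as soon as possible", re.I)
GIFT_CARD = re.compile(r"gift\s*cards?|itunes|activation codes?", re.I)

def _tokens(name):
    """Lower-case word set, so 'Doe, Jane' and 'Dr. Jane Doe' both match 'jane doe'."""
    return set(re.findall(r"[a-z]+", name.lower()))

def assess(raw_message):
    """Return the list of gift-card-fraud indicators found in one raw email."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    findings = []
    shown = _tokens(display)
    for name, real_addr in DIRECTORY.items():
        # Display name is a known colleague, but the address is not theirs.
        if _tokens(name) <= shown and addr.lower() != real_addr:
            findings.append("display_name_mismatch")
            break
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    if URGENCY.search(text):
        findings.append("urgency_language")
    if GIFT_CARD.search(text):
        findings.append("gift_card_request")
    return findings

# Constructed sample messages (not real mail).
SPOOFED = """From: "Dr. Jane Doe" <jane.doe.office@mailbox.example>
Subject: Quick favor

I'm in a meeting and need something very important right away.
Please buy five gift cards and send me the activation codes.
"""
GENUINE = """From: Sam Lee <sam.lee@hospital.example>
Subject: Thursday agenda

The agenda for Thursday is attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, assess(raw))
```

A message that raises all three indicators is a strong candidate for quarantine or an external-sender warning banner; the display-name check alone also catches spoofed messages that avoid the keywords.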