Gift card scam is a highly personalized kind of scam that exploits publicly available information on the target’s social workplace relations. Scammers contact their targets from an external e-mail address (e.g. hosted by Google or Yahoo) with an urgent and legitimate-sounding request in the target’s supervisor’s / a coworker’s name. Pretending an emergency situation, they ask their target to purchase gift cards on their supervisor’s/coworker’s behalf and send back the redemption codes.

More information can be found on this website: https://www.mcgill.ca/it/channels/news/gift-card-scam

Why can such email addresses not be blocked automatically or manually?

Blocking individual addresses would only lead to the scammers resorting to other addresses, as these can be created quickly. As with spear phishing, these are also content-adapted, individually sent e-mails that cannot be automatically recognised and filtered out by security systems.

What can I do?

• Just as with phishing attempts: Look carefully! Who is writing to you? What e-mail address was the message sent from? Do I know this address?
• Ask! The best thing to do is to contact the person from whom the e-mail is supposed to come by other means. You can safely ask via an official e-mail address (not as a reply to the suspicious e-mail!) or by telephone. A quick call can often prevent further harm.
• Remember: What is the usual procedure for procurement requests? At the University of Cologne, gift cards are rarely bought “on the fly.”
• The most important advice: If in doubt, always rather contact the RRZK help desk or check back with the alleged sender one more time via a safe mathod. Better safe than sorry.
• If you find that an e-mail is a scam: Delete the e-mail and do not reply to it under any circumstances!