Avoid the “Gift Card” Phishing Scam

There’s a new phishing scheme targeting Ohio State employees. Here’s what to look for:

  • You receive a message that looks like it is from someone you know – maybe a manager, dean or executive.
  • The sender asks you to purchase gift cards on his/her behalf because s/he is in meetings and too busy to complete this task personally.
  • The sender asks you to reply to the message with photos of the gift card numbers.

On these messages, the “from” field may look legitimate, but if you check the email address you’ll find it was not sent from an Ohio State email account. The phisher has created a phony email address in the name of sender to trick you into thinking the message is legitimate. If you replied to that message, you would be sending codes for gift card(s) that you purchased to the cybercriminal, when you believe you are doing your colleague a favor.

Don’t respond to these messages. Use the Report Phish button in Outlook to report these messages, or send them to report-phish@osu.edu.

The easiest way to protect yourself from this type of attack is by getting into the habit of NEVER sending any valuable or privileged information via email. While most people would never send their credit card information to someone in an email, a gift card may seem safer, especially if there is a sense of urgency that prompts you to act quickly without thinking it over. Once you take time to think about it, you can see that once purchased, a gift card is as good as money in a criminal’s pocket.

If you have already responded to such a message, please contact us at security@osu.edu.