Phishing/Scam Alert: Gift Card Email Scams Targeting UIC Faculty, Staff and Students

Dear Faculty, Staff and Students,

The ACCC Information Security and Privacy Office has been receiving many reports of directed email scams targeting UIC faculty, staff, and students in an attempt to get the recipient to purchase gift cards and to email the gift card numbers to the attacker.

If you receive such a message, DO NOT RESPOND.

Attacks Directed at Faculty and Staff
In these attacks, UIC faculty and staff are sent email pretending to be from university leaders, typically deans, directors, or department heads. The emails arrive from random email addresses that are sometimes crafted to trick the recipient at first glance but are not really from a UIC.EDU address. For example, the email may arrive from “bobgreen.uic.edu@gmail.com” or “bobgreen@xyz.com” but not from “bobgreen@uic.edu.” The name of the person sending the email is changed to the name of the university leader (e.g. “Bob Green”). Sometimes the sender is hoping that the recipient will not notice that the email is not from UIC but in other cases it has purported to be from the leader’s personal email account.

The end goal of the emails appears to be to convince unsuspecting staff to purchase gift cards on the “leader’s behalf” and email the codes to them with the promise of later reimbursement.

The email attacks that we have been seeing sometimes begin with an email such as “Are you available?” and if someone responds, the attacker posing as the leader explains that they are caught in a meeting, can’t take calls and need the recipient to buy gift cards for them and will reimburse them later.

Some of these attackers will request a personal cell phone number to continue the conversation outside of email, so take extreme care when providing personal information in response to an email.

Again, if you receive such a message, do not respond. If you are in doubt, contact the person who is supposedly sending the email by campus phone before taking any action as directed.

Attacks Directed at Students
The most common attack we are seeing targeting students is an offer of an employment scam. Typically the scams tempt the recipients with the promise of easy money (e.g. $300/week for 2-3 hours of “work”). Upon reply to these scams with personal information, the students typically receive a check in the U.S. mail and are told to deposit it. They are then asked to purchase gift cards and to send the card information to the scammer. Students that fall for this later find that

the check they deposited is rejected/bounced by their bank. The end result is a loss of all of the money for the gift cards (as their value is immediately drained) and most likely a bank fee for the bounced check.

Due to the use of random senders and the commonplace text in the emails of these attacks, ACCC is often unable to prevent them without blocking legitimate email.

If you received emails of this form and purchased gift cards, please contact the UIC Police for assistance. For information on how to contact the UIC Police, please visit police.uic.edu.

For more information, please contact Edward Zawacki at security@uic.edu

Sincerely,

Cynthia Herrera Lindstrom
Assistant Vice Chancellor and CIO, HIPAA Privacy and Security Officer