Have you ever had a text exchange like this?

[Image: graphic of a cell phone]

Of course, you won’t be reimbursed for that $500, because this isn’t your co-worker or supervisor. It’s a scammer trying to trick you into thinking you’re giving those gift cards to someone you know. 

Gift card scams, and phishing attacks in general, aren’t new, but malicious actors have been employing them more frequently and more cunningly over the years. Lately, they seem to prefer sending these attacks via text message; the Federal Communications Commission reported this year that the number of reported phishing texts has almost tripled since 2019. Likewise, the gift-card scam has been seen more often: According to a report from the Anti-Phishing Working Group, gift-card fraud was the most common scheme in the second quarter of 2022.

Metropolitan State University of Denver has seen plenty of these malicious messages before, usually through email. Here are some things you can look for if you receive a suspicious email: 

  • Look at the email address. It isn’t enough to see a familiar name in the “from” field. Look closely at the email address the message was sent from (if you can’t see the address, try hovering your mouse pointer over the name). If the message is a fake, instead of seeing “[email protected],” for example, you might instead see “[email protected].” If the attack is targeted, you might even see “[email protected].” If the email address isn’t one you recognize, you’re likely being lured into a scam. 
  • Check the reply-to address. Email addresses can sometimes be spoofed to appear as though they are coming from a different account. However, you may be able to see the real address if you start writing a reply. If you don’t recognize the address that appears when you click “reply,” you’re likely being lured into a scam. Make sure you don’t send that reply. 
  • Watch for the “[EXTERNAL]” flag in the subject line and a warning note at the top of the message. Every email you receive in your MSU Denver email account that originates from an email address outside MSU Denver includes an “[EXTERNAL]” flag in the subject line and the following warning in the body of the message advising you to use caution: 
[Image: External Email Flag]
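
For staff who review forwarded messages, the three checks above can be run against a message's headers. The following Python sketch is an added example, not MSU Denver's tooling; the directory, names, and domains in it are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: display name -> address on record (hypothetical values).
KNOWN_SENDERS = {"pat example": "pat.example@university.example"}

# Constructed sample message; names and domains are placeholders.
SAMPLE = """\
From: Pat Example <pat.example.office@mail.example>
Reply-To: quick.errand@other.example
To: staff.member@university.example
Subject: [EXTERNAL] Are you available?

I'm in a meeting and need a quick favor.
"""

def triage(raw, known_senders=KNOWN_SENDERS):
    """Return a list of warning codes for the three checks in the list above."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    findings = []

    # Check 1: familiar display name, but not the address on record for it.
    on_record = known_senders.get(name)
    if on_record and addr != on_record:
        findings.append("display-name-address-mismatch")

    # Check 2: replies would go somewhere other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append("reply-to-differs-from-sender")

    # Check 3: the gateway tagged it as external, yet it uses an internal name.
    if "[EXTERNAL]" in msg.get("Subject", "") and on_record:
        findings.append("external-flag-on-internal-name")

    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

An empty result only means none of these three signals fired; an unusual request still warrants the out-of-band verification described below.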

But what about text messages? Fraudulent emails can be a lot easier to spot than fraudulent texts since they contain a lot more information about the sender. Indeed, one technique scammers like to use is to suggest switching to text messaging for the remainder of the conversation, specifically because it’s easier for them to mask their real identity that way. Fortunately, there are other ways to catch a fraudster before falling victim to their scheme: 

  • Verify their mobile number. Has this person ever sent you a text before? Make sure the number they’re reaching out from matches the one in your contacts. If your department maintains an internal list of staff numbers, check it. Of course, if the sender’s number isn’t even available, that should raise a red flag all on its own. 
  • Don’t rely on a single form of communication. Even if the sender’s mobile number or email address is legitimate, don’t forget that devices can be stolen and accounts can be compromised. If the sender’s request seems unusual, don’t be afraid to give them a call, send a message through a different service or even walk down the hall and talk to them. Having a quick conversation could save you from sending money to a scammer. 
  • Vet the sender. If, for whatever reason, you’re not comfortable contacting your colleague, don’t be afraid to ask the sender questions that your colleague should know the answer to. “Which meeting are you in?” or “What is my extension?” could work. You might even consider asking “How did you get my number?” if they’ve never sent you a text before. 

Remember, neither email nor text messaging is inherently secure, and many monetary losses and malicious data exfiltrations come from the simplest of messages. Every communication, especially those involving financial transactions, should be scrutinized for legitimacy, and if something doesn’t feel right, you should verify the message via other means. 

Please know that Information Technology Services is here to help. To learn more about protecting yourself, please read the Avoid Phishing Scams ITS Knowledge Base article. If you receive an email that you suspect is spam, do not reply to the email or click on any links or attachments. Instead, forward it to [email protected] for further investigation. If you think you’ve been a victim of a phishing scam, please report it immediately by contacting the ITS Service Desk at 303-352-7548 or support.msudenver.edu.