Gift card scam

Photo: Staff Unit Information Security

What is meant by gift card scam?

The scam described here persuades potential victims to purchase gift cards and hand the codes over to the scammers. The attackers rely on social engineering: the target of the attack is not the technical device, such as the computer or smartphone, but the person using it. Gift card scams are very popular, and the reasons for this are clear:

  • Gift cards are anonymous and can be used by anyone who knows the code
  • They are difficult to trace once the codes have been handed over
  • The codes can be activated quickly and easily

Because the method is so popular, attackers use a variety of scenarios to deceive their victims. The following scenarios are the most likely:

  1. Phishing emails
  2. Phone calls
  3. SMS / messenger messages
  4. Fake competitions on social media or websites
  5. Supposed support staff

Example - How a scam can work (spear phishing):

One of the most alarming aspects of social engineering is that attackers deliberately search their victims' background and personal history for exploitable details. They do this using fake identities that are meant to be taken as genuine. For example, the attackers identify the victim's superiors and use this information for their own purposes, as in this example.

  • 1. Information gathering

    The screenshot shows an email exchange between a university representative and the student Müller. The subject line is “Report to Mr Incogni.” In the message, the university representative informs Müller that Mr Incogni is available this week and next week, and asks him to provide the document to Mr Incogni this week if possible. The message ends with “Best regards, Uni-Representative.”

    Attackers therefore first need information about their victims in order to manipulate them as effectively as possible. In this example, an ordinary conversation between a student, Müller (name changed), and an employee of the university was intercepted. In it, the employee informed Müller that the professor is available this week and next week and that he should send the document this week if possible.

    Note: An e-mail involving time pressure, responsibility and hierarchy is particularly valuable for attackers, because each of these can be exploited in a targeted way to deceive the victim quickly and easily.

  • 2. Attack

    The screenshot shows the first email in the correspondence between the scammer, posing as Incogni, and the student Müller. The subject is “Available?”. The fake Incogni asks Müller to let him know if he is currently available. The message ends with “Best regards, Prof. Dr Incogni.”

    Shortly afterwards, the attacker contacted the student under the stolen identity ‘Incogni’, the professor mentioned in the intercepted conversation.

    Recognisable anomalies:
    - There is no formal greeting.
    - The subject line is very short and contains no further information.
    - The content is minimal.
    - The message addresses you personally rather than any concrete matter.
    - The attacker keeps the message as open as possible so as not to overstep any boundaries while still arousing the recipient's interest.

    What can I do at this point?
    If you are unsure, whether in a professional, private or student context, use an alternative contact channel such as the telephone or a face-to-face meeting. Check the e-mail address carefully and compare it with the official contact details. It also makes sense to ask the person to verify their identity.

  • 3. Exchange

    The screenshot shows the second email in the exchange. Student Müller replies to the first message from the scammer, who is posing as Prof. Dr Incogni. There is no visible subject. In the message, Müller writes that he is on his way back to Marburg and will arrive around 13:30, asking if a meeting is possible today. The email ends with “Many greetings, Müller.” Below this is a quoted message from the previous email, in which Prof. Dr Incogni with the email address desklistme@inbox.ru asks, “Let me know if you are free right now.” The message ends with “Best Regards, Prof. Dr Incogni.”

    Müller replies to the supposed professor, tells him that he will be back in Marburg from around 1.30 p.m. and asks whether a meeting on the same day is still possible. The e-mail address ‘desklistme@inbox.ru’ shown for the professor is more than conspicuous.

    Note:
    Be cautious if a person does not respond to a question or does not answer it in the expected way. In such cases, check the situation with due diligence and take further action if necessary. Always check the full e-mail address. Be careful with endings such as ‘.ru’, ‘.cn’, ‘.su’, ‘.tk’, ‘.ml’, ‘.ga’, ‘.cf’ or ‘.gq’. The @inbox.ru used here is also a free e-mail service frequently used by hackers. However, not every ending is automatically to be categorised as ‘criminal’.

  • 4. Flattery

    The screenshot shows the third email in the correspondence. The scammer, impersonating Prof. Dr Incogni, writes to Müller with the subject “Re: Available?”. In this message, the scammer thanks Müller for his reply and asks him to purchase several iTunes gift cards at a nearby store, take care of sending the codes by email, and explains they are needed for potential customers. The supposed professor claims to be too busy with meetings to buy them personally and promises reimbursement. The message ends with “Yours sincerely, Prof Incogni.”

    The salutation only appears once a reply has been given. Attackers commonly use a polite but pushy approach to get what they want, as in the phrase ‘Thanks for getting back to my email’. They present themselves as heavily engaged and rely on the politeness of their counterpart, for example with ‘I need your help’. They often exploit power relationships, here by posing as a professor. The person addressed is naturally under pressure, because the situation suggests that refusing the request could have consequences for their studies or work.

  • 5. Feedback

    The screenshot shows the fourth email in the exchange. Student Müller replies to the scammer, who is posing as Prof. Dr Incogni, with the subject “Re: Available?”. In the message, Müller agrees to purchase the iTunes gift cards. The email ends with “Best Regards, Müller.” Below this is a quoted message from the previous email, showing Prof. Dr Incogni’s address as desklistme@inbox.ru.

    At this point, the scammer's claim has been confirmed by the person concerned.

  • 6. Specification

    The screenshot shows the fifth email in the conversation. The scammer, impersonating Prof. Dr Incogni, writes to Müller with the subject “Re: Available?”. In the message, the scammer instructs Müller to purchase four iTunes gift cards, each worth 100, for a total of 400. He asks Müller to scratch off the backs of the cards, take clear pictures of the codes and the receipt, and email them. The scammer also asks how soon Müller can complete this task. The message ends with “Best Regards, Prof. Incogni.”

    About three minutes later, Mr Müller receives a reply. He is asked to purchase four cards worth €100 each and pass them on to Incogni. To avoid any further procurement problems, the scammer naturally states the total value of €400 as well. He also gives precise instructions on how Müller should transmit the gift card data, in a way that keeps the scammer as anonymous as possible. To round off the attack and create even more pressure, the scammer asks directly when the pictures can be sent.

  • 7. Pressurisation

    The screenshot shows the sixth email in the conversation. The scammer, pretending to be Prof. Dr Incogni, writes to Müller with the subject “Re: Available?”. In the message, the scammer asks Müller to acknowledge the email and requests a quick response. The message ends with “Best Regards, Prof. Incogni.”

    Without a response from Müller, the attacker sends another email within 20 minutes. This serves to build up further pressure. The abbreviation ‘ASAP’ stands for ‘as fast as possible’.

  • 8. Success of scam

    The screenshot shows the seventh email in the conversation. Student Müller writes to the scammer, posing as Prof. Dr Incogni, with the subject “Re: Available?”. In the message, Müller says that the gift cards and the receipt are included in the attachment and shares his bank account details. The email ends with “Best Regards, Müller.”

    The scammer then received the gift card data and Müller's bank details. The initial theft is complete at this point, but attackers are usually not satisfied with that: once a victim has been found, they try to extract as much money as possible.

  • 9. Scam trap

    The screenshot shows the eighth email in the conversation. The scammer, pretending to be Prof. Dr Incogni, writes to Müller with the subject “Re: Available?”. In the message, the scammer thanks Müller, confirms receipt of the previous gift cards, and asks if the store sells cards in 200 denominations. He requests that Müller purchase three more gift cards of 200 each and asks for a prompt reply. The message ends with “Yours sincerely, Prof Incogni.”

    The next request follows straight away, now with even higher demands: the amount has increased from 400 euros to 600 euros. The approach is still the same, manipulating you in a polite but ingratiating manner.

  • 10. Repeat

    The screenshot shows the ninth and last email in the conversation. The scammer, pretending to be Prof. Dr Incogni, writes to Müller with the subject “Re: Available?”. In the message, the scammer asks Müller to acknowledge the email and states that he is waiting for a reply. The message ends with “Best Regards, Prof. Incogni.”

    Step 7 is repeated: the tactic of putting pressure on the person to act.

    The exchange then ended.

How can you protect yourself?

Warning signals

  • The ending and the name of the email sender address, such as "desklistme@inbox.ru"
  • Unsolicited messages or calls requesting quick action
  • Request(s) to buy gift cards or provide codes
  • If organisations request payment methods that they do not normally offer
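As an added example (not part of the original page), the following Python script turns the warning signals above into a simple scoring check for an incoming e-mail: suspicious sender endings, the free-mail provider named on this page, a title in the display name that does not match the sender domain, a very short subject, a gift card request and time pressure. The trusted-domain list and the three sample messages are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Indicator lists built from the warning signals on this page.
SUSPICIOUS_TLDS = {"ru", "cn", "su", "tk", "ml", "ga", "cf", "gq"}
FREE_MAIL_DOMAINS = {"inbox.ru"}  # named on the page; extend for your organisation
GIFT_CARD_TERMS = ("gift card", "itunes", "scratch off", "picture of the code")
URGENCY_TERMS = ("asap", "right now", "how soon", "acknowledge", "quick")
TRUSTED_DOMAINS = {"example-university.invalid"}  # hypothetical placeholder

def assess_mail(from_header: str, subject: str, body: str) -> tuple[int, list[str]]:
    """Score one e-mail against the warning signals; returns (score, reasons)."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    tld = domain.rsplit(".", 1)[-1] if "." in domain else ""
    text = f"{subject}\n{body}".lower()
    findings = []  # list of (weight, reason)
    if tld in SUSPICIOUS_TLDS:
        findings.append((1, f"sender TLD .{tld} is on the watch list"))
    if domain in FREE_MAIL_DOMAINS:
        findings.append((1, f"sender uses free-mail provider {domain}"))
    # Academic title in the display name, but the address is not an organisational one
    if re.search(r"\b(prof|dr)\b", display_name.lower()) and domain not in TRUSTED_DOMAINS:
        findings.append((2, "title in display name does not match the sender domain"))
    if len(subject.strip()) <= 12:
        findings.append((1, "very short subject line with no further information"))
    if any(term in text for term in GIFT_CARD_TERMS):
        findings.append((3, "asks for gift cards or card codes"))
    if any(term in text for term in URGENCY_TERMS):
        findings.append((1, "creates time pressure"))
    return sum(w for w, _ in findings), [r for _, r in findings]

def verdict(score: int) -> str:
    # Threshold: one weak signal alone (e.g. a short subject) is not enough
    return "likely scam" if score >= 4 else "no strong signals"

# Constructed sample messages modelled on the steps described above.
SCAM_STEP_2 = ("Prof. Dr Incogni <desklistme@inbox.ru>", "Available?",
               "Let me know if you are free right now.")
SCAM_STEP_6 = ("Prof. Dr Incogni <desklistme@inbox.ru>", "Re: Available?",
               "Buy four iTunes gift cards of 100 each, scratch off the back and send "
               "a picture of the codes and the receipt. How soon can you do this?")
BENIGN = ("Uni-Representative <office@example-university.invalid>", "Report to Mr Incogni",
          "Mr Incogni is available this week and next; please hand in the document.")

if __name__ == "__main__":
    for sender, subject, body in (SCAM_STEP_2, SCAM_STEP_6, BENIGN):
        score, reasons = assess_mail(sender, subject, body)
        print(f"{subject!r}: {verdict(score)} ({score}) {reasons}")
```

The first scam message already scores as suspicious before any gift cards are mentioned, which is the point of checking the sender address and subject in step 2 rather than waiting for the request in step 4.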

Protective measures

  • Keep calm and do not react hastily.
  • For supposedly urgent e-mail enquiries, always verify the contact person by telephone or other secure means.
  • Use private and professional data sparingly - only disclose as much as is absolutely necessary.
  • Check sender addresses in emails carefully, as these are often forged.
  • Take advantage of IT security training courses to familiarise yourself with the latest scams and protective measures.

Please note: When it comes to protection against social engineering (including gift card scams), it is primarily up to you, as you are the target of the attack. You can find further protective measures under: Social engineering

Download our cheat sheet on recognising phishing emails

Visit our IT security training course to arm yourself effectively against cyberattacks

Once the damage is done ...

It can happen that you have passed on gift card codes under stress or through skilful deception. The same applies here: stay calm, but act quickly and carefully. Therefore:

Contact the card issuer and inform the IT administration!

Keep calm & report an IT emergency.
Please contact your IT administration and/or:

IT emergency number: +49 6421 28-28281
E-mail:

 Help pages from providers: