Sometimes a scammer will gain access to a person’s email account in order
to pull off a somewhat more elaborate fraud. This guide describes a common
example known as the gift card scam. To make it
easier to follow, we’ll give the initial victim a name: Joe.
A scammer has broken into Joe’s account, most likely by tricking him into
disclosing his password with a phishing message. The
scammer gathers email addresses known to Joe, either from his contacts list
or by harvesting recipients from his previously sent emails.
Next, the scammer sends out a brief, innocuous message to these contacts –
possibly hundreds of people – saying something like:
- “Are you available?”
- “I wonder if you could help me with a favour.”
Consider that the recipients – most of whom will be Joe’s friends, family
or colleagues – may find this indistinguishable from a genuine message. Even
if the writing style or the nature of the request is out of character, the
human desire to help a person in need is stronger.
Furthermore, since this is a simple email – with no attachments or
suspicious links – it’s unlikely to trigger any technological warning
systems either.
The scammer might also try to deter recipients from replying by phone:
- “I can’t call because my phone is broken.”
- “Please email. I have laryngitis so it hurts to talk at the
moment.”
Meanwhile, the scammer does some further preparation. They open a new, free
email account with an address similar to Joe’s. Then they activate the
option in Joe’s account to redirect all incoming mail to this new
address.
When people start responding to the request for a favour, the messages
don’t reach Joe — they’re forwarded to the scammer, who replies to them
individually with a heartfelt plea:
- “I’m in hospital and need to get a present for my daughter’s birthday.
Would you mind popping to the supermarket for a PlayStation gift card, and
sending me a picture of the code? I’ll reimburse you when I’m home.”
- “I’ve had my wallet stolen. I need to buy some things, but my
replacement bank card won’t arrive till next week. Please could you buy an
Amazon gift card and let me know the code to redeem it?”
The scammer is now engaging with these people directly from the new email
address they set up to impersonate Joe. Even after Joe secures his account
and turns off the mail redirection, the scammer can continue.
They redeem the gift card and spend it immediately, buying merchandise to
sell on. The money has been quickly and effectively laundered!
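The mail redirection to a lookalike address described above can be caught by auditing forwarding settings, and the following Python sketch is an added example (not part of the original guide) that flags any mailbox forwarding to an outside domain and rates it higher when the destination name closely resembles the owner's. The mailbox list, addresses, function names and the 0.8 similarity threshold are all assumptions constructed for illustration; real data would come from your mail provider's settings export.

```python
from difflib import SequenceMatcher

# Constructed sample data: (mailbox owner, forwarding address or None).
SAMPLE_MAILBOXES = [
    ("joe.bloggs@example.com", "joe.bIoggs@freemail.example"),  # capital I in place of l
    ("ann.smith@example.com", None),                            # no forwarding set
    ("raj.patel@example.com", "raj.patel@webmail.example"),     # same name, other provider
    ("sam.jones@example.com", "helpdesk@example.com"),          # internal forwarding
    ("kim.lee@example.com", "backup-archive@storage.example"),  # external, unrelated name
]

def split_address(address):
    """Return (local part, domain), lowercased for comparison."""
    local, _, domain = address.strip().lower().rpartition("@")
    return local, domain

def local_similarity(a, b):
    """Ratio in [0, 1] of how alike two local parts are."""
    return SequenceMatcher(None, a, b).ratio()

def audit_forwarding(mailboxes, threshold=0.8):
    """Flag mailboxes that forward mail outside the owner's own domain.

    'high'   = external destination whose name imitates the owner's
    'review' = external destination with an unrelated name
    """
    findings = []
    for owner, forward in mailboxes:
        if not forward:
            continue
        owner_local, owner_domain = split_address(owner)
        fwd_local, fwd_domain = split_address(forward)
        if fwd_domain == owner_domain:
            continue  # forwarding inside the same domain is out of scope here
        score = local_similarity(owner_local, fwd_local)
        findings.append({
            "owner": owner,
            "forward_to": forward,
            "similarity": round(score, 2),
            "severity": "high" if score >= threshold else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in audit_forwarding(SAMPLE_MAILBOXES):
        print(finding)
```

Any external forwarding the account owner did not set up deserves attention, whatever the similarity score; the score only helps decide which findings to look at first.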
Scams like this have become rife in recent years. It’s important to be wise
to them, and not expect that your bank will bail you out.