‘Business email compromise’ scam sent to university recipients over the holidays

A memo from Bob Turner, Chief Information Security Officer and Director, Office of Cybersecurity:

The holiday season is a time for celebration and taking time off to enjoy family and recharge for the new year. Unfortunately, it is also a time when cyber criminals take advantage of distractions in our normal work processes.

Beginning Thursday, December 26, a criminal element began sending emails with a subject line “Request..” to key university recipients asking if that person had time to handle a quick task. The email used a spoofed address for a senior leader, usually the recipient’s supervisor. When recipients responded, they received a return email requesting that they arrange a purchase of eBay gift cards (see example below):

“Okay, I’m in a meeting, i need ebay gifts card purchased, let me know if you can quickly stop by the nearest store so i can advise the quantity and the denominations to procure. Turn in the expense for reimbursement later.”

This is a classic business email compromise (BEC) scam: a spoofed email from a university official is sent to employees asking them to contact that official for an important task. The initial contact is then followed by a request to perform an action that, if carried out, exposes the university to monetary loss and reputational harm.

You can often spot the warning signs. For example:

  • The university does not pay bills with gift cards
  • The language is not in the character of the actual university official
  • The message contains obvious spelling and syntax errors
  • A close look at the sender’s address will usually indicate that the message is not from the official email account
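The four warning signs above can be checked mechanically. The following is an added example written for this page, not a tool from the Office of Cybersecurity: it parses a raw message, compares the sender's display name and address domain, and looks for the gift-card and urgency language quoted in the memo. The trusted domain, the `OFFICIALS` placeholder name and the regular expressions are assumptions; the sample messages are constructed, with the scam body taken from the memo's quoted example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "wisc.edu"       # assumption: the institution's own mail domain
OFFICIALS = {"pat example"}       # assumption: placeholder display names of leaders staff would trust

GIFT_CARD_RE = re.compile(r"\b(?:ebay\s+)?gifts?\s+cards?\b", re.I)
PRETEXT_RE = re.compile(r"\b(?:in a meeting|quickly|nearest store|reimbursement)\b", re.I)


def bec_indicators(raw_message: str) -> list[str]:
    """Return which of the memo's four warning signs match a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    subject = msg.get("Subject", "")
    hits = []
    # Sign 4: a trusted official's display name, but the address is not on the university domain
    if display.strip().lower() in OFFICIALS and sender_domain != TRUSTED_DOMAIN:
        hits.append("sender address is not the official's account")
    # Sign 1: the university does not pay with gift cards
    if GIFT_CARD_RE.search(body):
        hits.append("gift card purchase requested")
    # Sign 2: out-of-character urgency and "expense it later" pretext
    if PRETEXT_RE.search(body):
        hits.append("urgent errand with reimbursement pretext")
    # Sign 3: syntax errors, e.g. a standalone lowercase "i" or a subject ending in ".."
    if re.search(r"\bi\b", body) or subject.rstrip().endswith(".."):
        hits.append("spelling or syntax errors")
    return hits


# Constructed samples; the sender domain below is a placeholder, not a real provider.
SCAM = """From: Pat Example <pat.example@free-mail.example>
To: staff@wisc.edu
Subject: Request..

Okay, I'm in a meeting, i need ebay gifts card purchased, let me know if you can quickly stop by the nearest store so i can advise the quantity and the denominations to procure. Turn in the expense for reimbursement later.
"""
LEGIT = """From: Pat Example <pat.example@wisc.edu>
To: staff@wisc.edu
Subject: Reminder: annual training

Please complete the annual training module by the end of January. Thanks, Pat.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("legit", LEGIT)):
        print(label, bec_indicators(raw))
```

A message that trips the domain check alone is already worth reporting; the other three signs only add confidence.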

If you receive a message like this, please check for the classic email phishing signs (you can find them here), and report suspicious email to the Office of Cybersecurity. You can do so by filling out this online form or by forwarding the email to abuse@wisc.edu. Suspected scam email can also be reported using the “report spam” feature within the Office 365 web or desktop email client.

If you are ever unsure whether an email message is legitimate, do not respond to it. Contact the DoIT Help Desk at 608.264.4357 for advice. The Office of Cybersecurity will then block the criminal element from sending further email and gather evidence for eventual prosecution of the crime.