This semester, students, faculty and staff at Ithaca College have seen an increase in a particular email scam sent by phishers posing as potential employers, supervisors or tech support.
Through these emails, criminals trick people into buying iTunes gift cards and giving them the 16–digit activation code, which allows phishers to effectively gain access to the money on the cards without paying for them. In order to make real money, the phishers then sell the activation codes at discount prices to make a profit. This increase in iTunes gift card scamming follows the implementation of the Duo Multifactor Authentication system, which is not attuned to catch this type of scam.
Tom Dunn, associate director in the Department of Public Safety and Emergency Management, said that only a few students have fallen for the scam, but that it is hard to get their money back if they have given away the codes.
“We have a couple of cases where we have victims of financial loss that we are looking into,” Dunn said. “I will tell you, in general, these type of phishing cases are difficult to solve because sometimes it goes either out of state or out of the country.”
During Fall 2018, the college required students, faculty and staff to download Duo Multifactor Authentication, an added security feature to better protect their email username and passwords.
David Weil, associate vice president and chief information officer for Information Technology, said that while Duo Multifactor has been effective in protecting students from having their email usernames and passwords stolen, it cannot stop them from receiving these types of emails or sending codes to phishers.
Weil said that although the college also has security filters in place to block suspicious emails, if the college put a filter blocking all emails with the words “iTunes gift cards” in them, it would inconvenience many members of the campus community and block legitimate emails. Weil also said that even if there was a way to combat the scheme, the phishers would just come up with a new scam.
Since Duo Multifactor cannot combat the gift card scam and some emails are still leaking through, the outcome of the situation is largely up to the discretion of students. For this reason, Jason Youngers, director and information security officer in the Department of Information Security, said he encourages everyone to be cautious.
“Everyone should expect they will get messages like these,” he said. “The key thing is to look at the underlying pattern of asking you to do something unusual.”
Weil warns that in this type of scam, there is often a series of email exchanges where phishers build trust between themselves and students, ultimately convincing their victims to buy gift cards for them.
One common email that students at the college have received is from phishers posing as potential employers offering job opportunities. In this case, a phisher might offer students a job and eventually have them buy gift cards and send codes under the promise that they will be reimbursed. The fact that the phisher and the student have already emailed back and forth makes the “employer” seem trustworthy and the request less out of the ordinary.
“It seems legitimate,” Weil said. “You think you are having one of these jobs where you do some errands and you’ll get $15 an hour, but it’s all a scam.”
Youngers said that phishers have switched to gaining money through gift cards rather than actual cash or credit because it raises less suspicion.
“People are very leery about giving out credit card numbers and bank routing numbers, but they seem to be less prepared for the idea of a gift card being stolen,” he said.
Weil added that while the college has numerous security measures in place, this new scam often allows phishers to bypass existing email filters.
“I think we do a very good job of blocking probably a thousand or tens of thousands of messages a day to IC faculty, staff and students,” Weil said. “However, someone sending an email that is relatively innocuous can’t be blocked.”
Weil, Youngers and Dunn all said the problem is not confined to the college.
“I’ve spoken with colleagues at other institutions, … and they’re all seeing this stuff,” Youngers said. “There’s nothing specific to our email system.”
Around one–third of college students are victims of phishing scams. Youngers said it is unclear where the phishers come from.
Weil said the college will bring in someone from the FBI Cyber Division to educate students on internet safety as part of the college’s annual Educational Technology Day on March 21 as another way to help protect students.