Gift Card Scam Explained

A widespread campaign is currently impersonating district employees in an attempt to solicit iTunes gift cards.  Gmail and other common mail domains are used to impersonate management and other staff in these attacks.  The phish will typically start with a simple message to recipients:

Subject: Are you on campus Available?

After potential victims respond, the scammer will reply claiming to be unavailable by phone:

I'm in a meeting right now and that's why I’m contacting you through email. I should have call you, but phone is not allowed to be use during the meeting.I don't know when the meeting will be rounding up, And i want you to help me out on something very important right away.

Eventually, you'll be solicited for a number of gift cards, and they'll request you scratch the back of the cards and provide the codes. 

How to avoid becoming a victim

This attack is sure to change overtime.  Protect yourself from this and future attacks:

  • Always verify non-routine purchases by phone
  • Never provide gift card codes to someone you don't know
  • Verify the domain name(e.g. vcccd.edu) matches the identity claimed by the sender
  • Do not attempt to mess with scammers, replies from vcccd.edu addresses may delay incident response
  • Report phishing to emailabuse@vcccd.edu

You can read more about this at Apple's website.