Early Bird

‘Can you do me a favor?’

Beware of phishing scams designed to trick you through a seemingly simple request.

By Diane Watkins

August 26, 2021

Please be on the lookout for gift-card scams and other malicious emails. For example, if you receive an email message that looks like it’s coming from your supervisor or co-worker with a subject line or message body asking, “Can you do me a favor?” or something similarly brief, be aware that it may be a scam.

If you reply, they’ll say something like, “Please buy 10 $100 gift cards, scratch off the backs and send me the numbers. I cannot do this right now and am unavailable to talk because I’m in a meeting. I’ll pay you back as soon as possible.” These emails are from scammers trying to trick you into thinking you’re giving the gift-card information to someone you know. 

To avoid being fooled and possibly exploited, follow these steps to check the legitimacy of each email message: 

Watch for the [EXTERNAL] flag in the subject line and a warning note at the top of the message. To help you discern which emails may be fraudulent, every email you receive that originates from a non-Metropolitan State University of Denver email address includes an [EXTERNAL] flag in the subject line and the following warning in the body of the message advising you to use caution:

• Look at the email address.It isn’t enough to see a familiar name in the “From” field. Look closely at the email address that the message was sent from (if you can’t see the address, try hovering your mouse pointer over the name). If the message is a fake, instead of seeing “yourboss@msudenver.edu,” for example, you might instead see “chiefexecutiveofficer8@emailchain.com.” If the attack is targeted, you might even see “yourbossyourcompany@emailchain.com.” If the email address isn’t one you recognize, you’re likely being lured into a scam.
• Check the reply-to address.Email addresses can sometimes be spoofed to appear as though they are coming from a different account. However, you may be able to see the real address if you start writing a reply. If you don’t recognize the address that appears when you click “reply,” you’re likely being lured into a scam. Make sure you don’t send that reply! 
• Don’t rely on email.Even if the sender’s email address is legitimate, don’t forget that email accounts can be compromised. If the sender’s request seems unusual, don’t be afraid to give them a call, send them a text or walk down the hall and talk to them. Having a quick conversation could save you from sending money to a scammer.
• Vet the sender.If, for whatever reason, you’re not comfortable contacting your colleague, don’t be afraid to ask the sender questions that your colleague should be able to answer. “Which meeting are you in?” or “What is my extension?” could work.

Remember, email is not inherently secure, and many monetary losses and malicious data exfiltrations come from the simplest of emails. Every email, especially those involving financial transactions, should be scrutinized for legitimacy, and if something doesn’t feel right, you should verify the message via other means.

Please know that Information Technology Services is here to help. To learn more about protecting yourself, please read the Avoid Phishing Scams ITS Knowledge Base article. If you receive an email that you suspect is spam, do not reply to the email or click on any links or attachments. Instead, forward it to spam@msudenver.edu for further investigation. If you think you’ve been a victim of a phishing scam, please report it immediately by contacting the ITS Service Desk at 303-352-7548 or support.msudenver.edu.