IT Notice: Executive impersonations and gift card scams


Please Note: Your dean, professor, instructor, supervisor, or colleague will never send you an email asking you to buy gift cards or send them gift card codes.

 McMaster’s Information Security Services team is advising students, staff and faculty to be aware of current online phishing and spoofing attempts involving executive impersonations and gift card requests.

What are gift card phishing scams?

Executive impersonation and gift card scams are a type of phishing where criminals typically pretend to be someone of authority from McMaster. The fraudsters try to trick you into purchasing online gift cards (e.g. Amazon or Google Play), or something similar that can be given as a reward. There continue to be many reports of this scam, including at other academic institutions, and the frequency seems to be increasing. No one at McMaster will send you an email asking you to buy gift cards or send them the gift card codes.

How does the scam work?

The fraudsters typically create a using gmail or another free email provider that resembles a person with authority from McMaster. This is called spoofing and these emails are not legitimate. The fraudsters try to convince you that they have an urgent task or need a quick favor to purchase gift cards and to send them the gift card codes. The scam works because people generally want to help others, especially those with some authority in the organization. Unfortunately, it is difficult to identify the sender and hold them accountable.  

Steps to protect yourself – Identify, Report and Delete

Learn to identify when a message is fraudulent, report, and delete the message. Here are a few things to look for:

  • Email subjects are typically “Are you available?”, “Do you have a moment?”, “Can you do me a quick favour?”, “Quick task for you…”, “Important Task”, etc.
  • From/Reply-To email address is not from the @mcmaster.ca domain. Hover over the sender’s name in the message to see the “reply-to” address and review it carefully. If it is not @mcmaster.ca, it is not a legitimate message.
  • Sense of urgency or very brief message. A few examples, “Currently in a meeting and need you to buy me $100 iTunes gift cards”, “Give me your cell number. I need you to do a quick task”, “Need a quick favor. just reply to my email”, etc.
  • Message has poor formatting, grammar, or spelling.
  • The style or signature isn’t quite right. Does the message appear like other messages from this sender? If something doesn’t seem right, it’s likely a phish.
  • If rewards or prizes of small monetary value are required for any reason, the decision and authorization for their purchase should be done in person.
  • Never reply or talk to the fraudsters since they may try to lure you further into the scam.

If you do receive one of these messages, please report the message to is-spam@mcmaster.ca, then delete the message. If you’d like to increase your cyber security awareness, there are a number of McMaster IT Security resources available, including: