Stay vigilant against Email Scams

CHARLES CHOY, HEAD OF CYBERSECURITY OPERATIONS

ITSC has recently several reports of email scams from senders claiming to be a senior executive of the university (e.g. your department head). The scammers usually use non-HKUST email addresses but with Display names identical to the person you know (e.g. <Professor Chan Tai Man> chantaiman@gmail.com).

They will usually try to initiate an email conversation, trick you into purchasing stored-value gift cards (e.g. iTunes) and ask you to send the redemption details to them for benefits. An example can be found here.

Such email scams have also been reported in some universities of Hong Kong and overseas. Apple has also issued a webpage to warn users about similar email scams. For more information, please visit

Apple - https://support.apple.com/en-hk/itunes-gift-card-scams
HKU - https://www.its.hku.hk/spam-report/20190904-wednesday-reply
University of North Texas - https://www.unthsc.edu/daily-news/are-you-available-beware-of-email-fraud-attempts-2/
University of Minnesota - http://phishing.it.umn.edu/2018/11/advisory-boss-needs-itunes-gift-cards.html

To assist you in determining whether an email received is a scam or not, ITSC has introduced the following:

The email system will attempt to detect and add the following eye-catching warning message to emails with suspicious senders:

[ALERT] : The sender of this email may not be affiliated with HKUST. Be cautious!

As a recommended email client to the HKUST community, Microsoft Outlook (for desktop client only) offers an anti-spoofing capability that provides anti-spoofing features for detecting suspicious emails. For further details, please see:

https://itsc.ust.hk/services/general-it-services/communication-collaboration/email/exchange-online/anti-spoofing

We would like to remind all UST members to take the following steps to protect yourselves against common email fraud.

Check carefully the email and the sender’s email address (not the Display name), and make sure you really know the sender’s identity before doing what you are asked to do
Try to contact the sender in another way (e.g. phone, official email addresses, instant messaging) to verify his/her request
Be vigilant about the requests. It is uncommon that your seniors need to request you for financial assistance via email