- Account Compromise
- Phishing
- Gift Card Scam
- Impersonation Scam
- Consumer Safety
A compromised Deakin University account sent scam emails before moving victims to phone calls demanding gift card payment for fake free items.
Deakin Account Compromise Triggers Two-Stage Scam Campaign
A compromised Deakin University email account was used over a single weekend to send thousands of scam messages to students, staff and external contacts, according to a security advisory published by the university. The attack illustrates a pattern increasingly reported across Australian institutions: credential theft that converts a legitimate inbox into a launchpad for further fraud.
Reporting from Deakin University's security team indicates the campaign unfolded in two stages, beginning with phishing messages disguised as Microsoft 365 file-sharing notifications and ending with phone-based gift card requests.
What the Reports Describe
The first stage involved a fake Microsoft 365 file-sharing email that prompted recipients to click a link and sign in. The link redirected to a fraudulent login page designed to capture Deakin credentials. Once the attacker obtained working logins, they used a legitimate Deakin mailbox to send a second wave of scam emails to thousands of recipients, offering high-value items at no cost.
The advisory notes that anyone who expressed interest was steered off email, often onto a phone conversation, and then asked to pay a shipping fee using gift cards, vouchers or prepaid cards. The university flagged the gift card request as a major red flag, a position consistent with longstanding guidance from Scamwatch.
Why This Pattern Works
Compromised-account scams succeed because they bypass the simplest defence: checking the sender. The emails came from a real deakin.edu.au address, not a spoofed lookalike. Several factors made the lure effective:
- The offer involved free expensive items, which lowered scepticism
- Communication moved from email to phone, making independent verification harder
- Payment was introduced only after rapport was built
- The payment method was gift cards, which are irreversible once redeemed
The phone-channel pivot is the part most relevant to Australians checking unknown numbers. Once a scammer obtains a phone number through an email exchange, follow-up calls and SMS can arrive without warning. Community reports collected by Reverseau show this pattern frequently in gift card scams targeting university students, where the initial contact often arrives through a trusted-looking channel before shifting to voice.
Pattern and Wider Context
The Deakin incident lines up with broader Scamwatch figures showing gift card payment requests remain one of the most common indicators in Australian impersonation scams. Universities have been targeted repeatedly, in part because student mailing lists are large and a single compromised mailbox can reach thousands of contacts within minutes. The Australian Cyber Security Centre has previously warned about credential phishing kits that specifically clone Microsoft 365 login pages, which matches the description in the Deakin advisory.
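The volume signature described above (one mailbox reaching thousands of recipients within a short window, here over a weekend) is something a mail administrator can alert on from outbound message-trace data. The script below is an added illustration, not code from Deakin or the advisory; the trace records, addresses, domain and threshold are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of outbound message-trace records:
# (timestamp, sender, recipient count). Addresses and volumes are made up
# for this example and are not taken from the advisory.
SAMPLE_TRACE = [
    ("2024-03-02T09:00:00", "staff.a@example.edu", 3),
    ("2024-03-02T09:05:00", "staff.a@example.edu", 1),
    ("2024-03-02T10:00:00", "student.b@example.edu", 40),   # legitimate class mailout
    ("2024-03-02T10:12:00", "compromised.c@example.edu", 350),
    ("2024-03-02T10:20:00", "compromised.c@example.edu", 400),
    ("2024-03-02T10:41:00", "compromised.c@example.edu", 420),
    ("2024-03-02T12:30:00", "compromised.c@example.edu", 20),
]

def parse_record(rec):
    ts, sender, n = rec
    return datetime.fromisoformat(ts), sender.lower(), int(n)

def flag_mass_senders(records, window=timedelta(hours=1), threshold=500):
    """Return {sender: (window_start, recipients, on_weekend)} for every sender
    whose recipient total inside any sliding window reaches the threshold.
    Records may arrive unsorted; they are sorted per sender here."""
    by_sender = defaultdict(list)
    for rec in records:
        ts, sender, n = parse_record(rec)
        by_sender[sender].append((ts, n))
    alerts = {}
    for sender, events in by_sender.items():
        events.sort()
        win, total = deque(), 0
        for ts, n in events:
            win.append((ts, n))
            total += n
            # Drop events that have fallen out of the sliding window.
            while win and ts - win[0][0] > window:
                total -= win.popleft()[1]
            if total >= threshold and sender not in alerts:
                # Weekend sends are worth noting: the Deakin wave went out over one.
                alerts[sender] = (win[0][0], total, win[0][0].weekday() >= 5)
    return alerts

if __name__ == "__main__":
    for sender, (start, total, weekend) in flag_mass_senders(SAMPLE_TRACE).items():
        print(f"ALERT {sender}: {total} recipients from {start} weekend={weekend}")
```

The threshold and window are tuning knobs; a real deployment would baseline each mailbox's normal daily volume rather than use one fixed number.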
The move from email to phone also reflects a wider tactic. Scammers prefer voice calls because they remove the written record, allow social pressure in real time, and let the caller adapt as the target asks questions.
What Australians Should Do
If you receive an unexpected message offering something valuable at no cost, particularly from a contact who then asks to switch to phone or a messaging app, treat the interaction as suspect.
Do:
- Verify unusual requests through a separate, known channel before responding
- Hang up on anyone who asks for payment in gift cards, vouchers or prepaid cards
- Review recent sign-in activity on Microsoft and other cloud accounts
- Change your password immediately if you entered credentials into a suspicious page
Do not:
- Approve multi-factor authentication prompts you did not initiate
- Send money via gift cards under any circumstances
- Re-enter your password after clicking a link in an unexpected email
- Continue a conversation that has suddenly shifted from email to a personal mobile number
How to Report and Check Numbers
Suspicious phone numbers that follow up on email scams can be checked against community reports on Reverseau. If a number contacted you in connection with a gift card request, free item offer or impersonation of a university, government agency or delivery service, search the number and add a report so other Australians can recognise the pattern.
To report a scam:
- Forward scam SMS to 0429 999 888, the reporting line operated for Scamwatch and the ACCC
- Report phishing emails to Scamwatch at scamwatch.gov.au
- Report cybercrime and credential theft to ReportCyber at cyber.gov.au
- If you entered credentials, contact your institution's IT service desk to revoke active sessions
Reverseau's community signal works best when contributors add detail after a suspicious call: what the caller claimed, what payment method was requested, and whether the contact followed an earlier email or SMS. Linking the channels in a single report helps other Australians identify the same scam when it lands in their own inbox.