Security Alert: Office 365 Email Phishing on Campus – March 19


Phishing campaign asking for gift cards


The Office of Information Security has received numerous reports of phishing emails. The emails will appear to come from someone at the WashU manager, director, dean or vice chancellor level. The sender first asks if you’re available. If you reply to the email by responding ‘yes’, the sender requests that you purchase gift cards. (See examples below.)

Ex. 1:


Ex. 2:

Most of these emails are coming from senders with an email address similar to this format,, where the ‘wustlkeyname’ is often an actual WashU staff or faculty member. However, note that the email extension is ‘’ instead of ‘’. Remember, all University students, faculty and staff have an ‘’ email address and faculty, especially, should be suspicious of business requests sent via emails without a ‘’ address.


Do not respond to these emails.

If you receive an email matching this description, forward it to the Office of Information Security ( immediately.

We are currently piloting a method to mark emails from external users, alerting University students, faculty and staff to incoming emails originating outside the University’s Office 365 email system. This external email notification process will launch spring 2019.

Finally, we encourage you to watch this video and review our website to learn more about phishing emails.