Klaus Mebus:
I have warned about this scam several times before. The "Online Fraud" module of the Security Awareness course also warns about this exact scenario at the beginning. Link to the course: Course: EN: Security awareness from secaware.nrw | Lernplattform Bauhaus-Universität Weimar
What is this about? The name of a high-ranking person at the Bauhaus University, usually a professor or someone in a management position, is misused as the sender of emails (email spoofing), and students or staff are contacted in that person's name (CEO fraud). The fabricated emails are always very vague, designed to create a sense of urgency, and meant to trick recipients into actions that harm them and give the attacker a financial advantage.
There isn't much that can be done to prevent the scam itself, because email has always been, and will always remain, an insecure means of communication. Sender names and email addresses can easily be forged without compromising anyone's email account. With free email providers like Gmail (as in this case), the display name can be chosen freely, and no verification of legitimacy or identity takes place; since the message really is sent from Gmail, sender checks such as SPF and DKIM pass, because they verify the sending domain, not that the display name belongs to the person it claims. The data of potential victims (names, roles, addresses) is readily available as public information on the internet, for example on our website.
The goal of this scam is to gain trust and steal vouchers. If the vouchers are actually purchased and the card data is submitted, the money is (presumably) lost for good. We can do nothing for the victims, and it is highly questionable whether law enforcement agencies have any chance of success.
Phishing and other fake emails typically create a sense of urgency. If you receive an email that creates this sense of urgency, extreme vigilance is advised, and the exact opposite of what the email asks for is recommended: calm and deliberate action.
The best protection is to be informed, think critically, and react calmly.
You should not respond to such emails; they should be deleted. If you are unsure whether the request is genuine, check with the supposed sender through a channel you already know, such as their office phone number, never by replying to the email.
Characteristics of the current fake email:
Use of a dubious Gmail sender address instead of the Bauhaus University Weimar email address.
Completely vague subject and content: why so mysterious? One could simply state, or at least give a general idea of, what it is about.
The personal salutation, closing, sender's name, and the email signature customary at Bauhaus University are missing.
Linguistic errors, of which there are many here, are an indication of a forgery. In English, "I" is never written in lowercase, and sentences always begin with a capital letter. In the second email the sentence breaks are missing and the commas and spaces are placed incorrectly.
It is completely absurd and impermissible for a superior to ask for access to a subordinate's money, even if it is only meant as a loan. Anyone who does so puts themselves in a legally precarious position. The person being asked can, of course, always refuse.
If you know the person you are communicating with, any unusual characteristics in the communication should raise suspicion. If you are suddenly addressed informally when you usually use formal address, or vice versa, this is an indication of forgery. The same applies if the salutation or closing greeting deviates from the norm, is missing, or uses language that is not typical between the two parties.
--Fake Emails-- [subsequently anonymized]
From: First name Last name (hshshsujsjs3@gmail.com)
Subject: Are you there?
Can I hand over a task responsibility to you?
---
From: First name Last name (hshshsujsjs3@gmail.com)
Subject: Re: Are you there?
Are you familiar with Apple Gift Cards,i need you to help me get some from any nearby store there are some prospects i need to send them to but i am currently in a meeting,let me know if you can get this on my behalf and i will refund you later.
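The indicators listed above (display name of a colleague on a free-mail address, vague urgent subject, gift-card request, missing signature, lowercase "i") can be turned into a small triage script and run over the two quoted messages. This is an added example, not code from the original post or from the university. The institutional domain uni-weimar.de, the one-entry staff directory, the free-mail and phrase lists and the scoring threshold are assumptions made for the example; the two fake messages are transcribed from above in standard From-header form, and the third, legitimate message is constructed.

```python
import re
from email.utils import parseaddr

# Assumptions for this example (not data from the original post): the institution's
# mail domain and a tiny directory of display names an attacker might impersonate.
INTERNAL_DOMAINS = {"uni-weimar.de"}
KNOWN_STAFF = {"first name last name"}  # lower-cased display names

# Heuristic lists; extend as needed. Free-mail domains let anyone pick any display name.
FREEMAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
                    "yahoo.com", "gmx.de", "gmx.net", "web.de"}
URGENCY_PHRASES = ("are you there", "currently in a meeting", "urgent",
                   "as soon as possible", "right away")
GIFTCARD_PHRASES = ("gift card", "itunes card", "google play card", "steam card", "voucher")


def analyze(msg):
    """Score one message (dict with 'from', 'subject', 'body') against the
    indicators from the post. Returns matched indicators, a score and a verdict."""
    name, addr = parseaddr(msg["from"])
    domain = addr.rpartition("@")[2].lower()
    text = f"{msg['subject']}\n{msg['body']}"
    lowered = text.lower()
    indicators = []

    # 1. Display name of a real colleague, but the address is not ours.
    if name.strip().lower() in KNOWN_STAFF and domain not in INTERNAL_DOMAINS:
        indicators.append("internal display name with external address")
    # 2. Free-mail provider as sender domain.
    if domain in FREEMAIL_DOMAINS:
        indicators.append("free-mail sender domain")
    # 3. Urgency cues ("are you there?", "in a meeting").
    if any(p in lowered for p in URGENCY_PHRASES):
        indicators.append("urgency cue")
    # 4. The actual ask: buy gift cards / vouchers.
    if any(p in lowered for p in GIFTCARD_PHRASES):
        indicators.append("gift-card request")
    # 5. Lowercase standalone "i" (case-sensitive check on the original text).
    if re.search(r"\bi\b", text):
        indicators.append("lowercase 'i'")
    # 6. No signature: the claimed sender's name never appears in the body.
    if name.strip().lower() not in msg["body"].lower():
        indicators.append("sender name absent from body (no signature)")

    score = len(indicators)
    return {"score": score, "indicators": indicators,
            "verdict": "suspicious" if score >= 2 else "ok"}


# Messages 1 and 2 are the anonymised fakes quoted above, written with a standard
# "Name <address>" From header; message 3 is a constructed legitimate mail.
SAMPLE_MESSAGES = [
    {"from": "First name Last name <hshshsujsjs3@gmail.com>",
     "subject": "Are you there?",
     "body": "Can I hand over a task responsibility to you?"},
    {"from": "First name Last name <hshshsujsjs3@gmail.com>",
     "subject": "Re: Are you there?",
     "body": ("Are you familiar with Apple Gift Cards,i need you to help me get some "
              "from any nearby store there are some prospects i need to send them to "
              "but i am currently in a meeting,let me know if you can get this on my "
              "behalf and i will refund you later.")},
    {"from": "First name Last name <first.last@uni-weimar.de>",
     "subject": "Meeting on Thursday",
     "body": ("Dear Ms. Example, could we move our meeting to 14:00? "
              "Best regards, First name Last name")},
]


def triage(messages):
    """Return (subject, verdict, score) for each message, for a quick overview."""
    return [(m["subject"], analyze(m)["verdict"], analyze(m)["score"]) for m in messages]


if __name__ == "__main__":
    for subject, verdict, score in triage(SAMPLE_MESSAGES):
        print(f"{verdict:10s} {score}  {subject}")
```

The threshold of two indicators is deliberately low: a single hit (a colleague legitimately writing from a private address, or "urgent" in a real request) is normal, but the combination of an internal name on a free-mail address with an urgent, unsigned message is exactly the pattern the post describes.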