Iowa City residents scammed by UI email offering free baby grand piano

A phishing scam through university-affiliated email accounts almost fooled an Iowa City resident, leading her to feel frustrated and fearful.

Matt Sindt

Photo illustration by Matt Sindt.

Isabelle Foland, News Reporter


The false promise of a free grand piano led several Iowa City community members to fall victim to a scam known as phishing.

Many UI and Iowa City community members received a scam email from University of Iowa affiliated email accounts about an individual attempting to give away a free 2014 Yamaha baby grand piano, which is valued at around $6,000. 

Phishing is a type of scam that attempts to gain a person’s personal data, such as a bank account or account login information, by pretending to be a trustworthy business or person. 

One community member, a 55-year-old Iowa City mom, said the scam was stressful for her. 

The Daily Iowan granted anonymity to the source because of the sensitive details around the topic. 

She first saw the scam after a trusted friend forwarded the email to her. The email stated the piano was being given away by a widow who urgently needed to get rid of it. Multiple versions of the email were curated and sent to the university community.

The fact that the email came from a UI account also added to its credibility, the Iowa City mom said.

“I saw that my friend who forwarded me the email was offered the piano by someone who had a UIowa email address,” she said. “So, I thought maybe this is the woman or a next-door neighbor.”

The email provided a phone number to contact, so the Iowa City mom reached out and was in contact with them for two days.

She and her husband had been debating whether they had space for the piano, so she decided to get the piano but donate it to her son’s school. This decision ultimately led her to figure out it was all a scam, she said.

“I was starting to contact the scammers and say the high school wants it, and then I started to Google the name of the company they sent to me,” she said. “I noticed this isn’t in Cedar Rapids — it’s not even in Iowa — and then I asked them, ‘Where is the piano?’ and they said Georgia.”

After digging some more, the source said she found several reports about the same email being a scam. After a person accepts the piano, the fraudulent moving company asks for money to help ship the piano to their location but never actually ends up doing so, she said.

These kinds of scams are common for the UI’s information technology staff. Nicole Dahya, the UI’s director of strategic communication, said the university blocks around 704,000 suspicious external email messages from reaching UI email accounts per day.

This kind of fraud can also be seen on a state and national level. According to the Federal Trade Commission’s website, the organization received 1.6 million fraud reports nationwide last year. 

RELATED: University of Iowa Hospitals and Clinics websites face outages after cyberattack

Iowa lost $19 million to 8,725 fraud reports last year, according to the Federal Trade Commission.

Warren Staal, UI Information Technology Function Representative, said in the case of the baby grand piano scam, because the scammers used a university email account, it made it easier for them to reach others in the UI. Staal said these controls typically do not block messages from university email accounts.

The emotional appeal and sense of urgency used in the messages is how phishing scammers persuade their victims to fall for their scam, he said.

Staal said these scams happen because scammers go on the dark web and purchase “phishing kits,” which help them hack into an organization such as the UI and gain email addresses of the staff and students. 

Once the scammer has access to several email accounts, they will send out their scam to a small group of people. From there, they will try to steal login information to continue to infect accounts, steal money, or both, Staal said.

There is not much the UI can do to stop these kinds of attacks completely, Staal said, but there are several controls in place to prevent accounts from being hacked.

“We have systems that check for email accounts that send out huge voluminous amounts of email that aren’t approved to do so, and then we reset their password and contact the individual and tell them that the account was compromised,” Staal said. “We also have implemented a bunch of other technical controls such as multi-factor authentication.”

Even if no money has been stolen, the emotional toll of these scams can still weigh heavily on victims.

Despite cutting contact with the scammer, the Iowa City mom said she feels fearful that the scammers will still be able to breach her personal information.

“I realized I could be the next person who gets a phone hijacked because I’ve given them my name and telephone number,” she said. “Maybe they have a way to get into my phone that I’m just not aware of … or they could start applying for things using my name and telephone number, so I’m a little on high alert still because of that.”