Who could ever guess that this year’s most dangerous holiday scam would begin with a phishing email? Yeah, no surprise there. But this phishing attack is quite a bit more sophisticated than most people are used to. You will not be promised romance or an instant fortune. You will only get the satisfaction of doing your job well. So what kind of scam is that?
It seems the scammers are using the fact that many companies will give gift cards to their employees as holiday presents. They may even know which companies routinely do this. In other words, they’ve been planning this attack to coincide with the holiday season. They, then, get a list of managers and employees who work for the company and the scam is ready to begin.
A selected employee will get an email or message that appears to come from the CEO. According to the Barracuda security team, which has been investigating these attacks, the email may look something like this.
In this example, Cynthia would be the CEO or upper level management while Donna would be an employee who knew her and reported to her.
In the next example, the attackers make the message seem more personalized and emphasize that the purchase be done quickly. The message also insists on confidentiality, after all, these presents are meant to be a surprise, right?
Why do both examples mention being sent from a mobile device? Probably to show that the executive is not in the office so it would not be possible for the employee to check out the details in person. It seems that this scam would work better for large companies where there is more separation between executives and staff. A lower ranking staff member may feel intimidated by such a message and may hesitate about bothering a busy executive.
So why weren’t these emails filtered out of the inbox? First of all, the attackers use common free email services with well-known addresses (Gmail, Yahoo). Secondly, they have likely obtained the actual company email addresses of specific employees. This is relatively easy to do. No previous hacking is required. For example, many people on LinkedIn readily give their email addresses so that people can contact them. Some company websites readily give out contact information for their managers. However, if all of this fails, scammers can use sites such as Hunter, which will help you find emails for employees of certain companies.
I’ll give an example. Let’s say I want to use this scam on IBM. (I could have chosen any large company.) It takes very little time to learn that IBM employee email addresses end with the @ibm.com extension. Armed with this information alone, I can go to Hunter and find the following information.
I am given some of these addresses with a few easily deciphered letters fuzzed out. The information tells me that I have the email addresses of marketing consultants, the marketing director, and media contacts. I can get the entire 894 database if I sign up for a free account. What I’m saying is that any company can be vulnerable to this scam and the bigger the company or organization is, the easier it should be to scam.
So, then what? Little information is given on what happens if the employee does buy the gift cards. However, if this scam follows others of this ilk, the scammer, while still pretending to be the CEO, will ask the victim to send the codes on the cards to him or her. This will enable the scammers to purchase something on, for example, Google Play.
They, then, may sell whatever they buy on a legitimate or deep web site.
A more sophisticated scam uses the gift cards to get cash. The scammer offers some popular item for sale on a legitimate site. The price will always be attractive. The scammer doesn’t actually own the item that is for sale, but that doesn’t matter. When someone purchases the item by sending money to the scammer, the scammer uses the gift card numbers they scammed from some company to purchase the actual device that they offered for sale. They buyer never complains (they get what they paid for) and the scammer goes unnoticed. Some gift cards can be redeemed for money under certain circumstances, but this is not an easy process. Keep in mind as well that if a scammer gets control of your Gmail account by, perhaps, sending you to a spoofed Google login page, they can buy gift cards online in your name but have them sent to themselves at your expense.
According to a recent report from the Federal Trade Commission, the use of gift cards in scams has increased 270% since 2015. 42% of those scams demanded payment with Google Play or iTune gift cards.
Retailers have reported that they are suspicious of large orders for gift cards and often question the buyer to make sure they are not a victim of a scam. However, even if they alert the potential scam victim, retailers often report that the victims won’t believe them.
Imagine, however, that an employee for a large company or organization wanted to buy a large number of cards. If they were asked to give a reason for such a large purchase, they could answer that they were buying gift cards for the employees of a large enterprise. This would seem believable, especially during the holiday season, and would remove another roadblock from the goals of the scammers.
Sixty percent of consumers give gift cards as Christmas gifts. Eighty percent of employees say they prefer to get a gift card as a gift. This seems to play right into the hands of this year’s holiday scam. So, if you work for a large company or organization that regularly gives gift cards, be more suspicious of any missive that asks you to buy them. Double check with the person asking you to do this. Even if the request seems valid, always check with them in person if possible. There’s no reason to give company money to these scammers. They’ve received enough gifts already.