Cybercriminals are increasingly conning companies into sending gift-card numbers and PINs. Learn about this new trend in business email compromise (BEC) scams and what you can do to defend your business.
Cybercriminals have been using business email compromise (BEC) scams for years because they are profitable. Between June 2016 and July 2019, for example, they used BEC attacks to steal more than $26 billion from companies, according to a September 2019 report.
In a BEC scam, cybercriminals pose as executives and other business professionals to con companies out of money. They typically use spear phishing emails, social engineering techniques, and other tools to carry out their attacks. Until recently, cybercriminals mainly tried to get businesses to send money via wire transfer. But that is no longer the case. Researchers at Agari found that 65% of the BEC scammers now try to get businesses to send gift-card account numbers and PINs.
The payouts from gift-card scams ($1,562 on average) are significantly less than payouts from wire-transfer cons ($64,717 on average), according to the Anti-Phishing Working Group’s “Phishing Activity Trends Report, 2nd Quarter 2019“. However, gift cards are easy to launder and hard to trace, making them the most popular payout method.
How Gift-Card BEC Scams Work
Here is how gift-card BEC scams typically work: Posing as a person of authority (e.g., an executive) at the targeted company, the cybercriminals craft a polished email that is specific to the business being victimized. The recipient will be an employee who is authorized to purchase gift cards on the company’s behalf.
In the email, the scammers will spin a tale of why they need the employee to purchase gift cards for them. Cybercriminals study their victims, so the reason will make sense to the employee. For example, if the company has an “Employee of the Month” award program, the scammers might say that the gift cards will be used to reward upcoming winners. Or, if it is December, they might say they want to give the company’s top clients or suppliers a holiday gift.
The cybercriminals will also tell the employee to send them the gift-card information — including the gift card account numbers and PINs — for their records once the cards are purchased. The most common gift cards requested by BEC scammers are Google Play, Steam Wallet, and Amazon, according to the “Phishing Activity Trends Report, 2nd Quarter 2019”.
The scammers will then send the email using a spoofed email address or hijacked email account to make the email seem legitimate. If the employee buys the gift cards and sends the card information to the scammers, they will immediately cash out the value of the cards.
How to Defend Your Business
To avoid becoming a victim of this type of BEC scam, you should:
- Educate employees at all levels about BEC emails in general and gift-card BEC scams in particular.
- Tell employees to be wary of an email request to buy multiple gift cards or a gift card with an unusually high amount, even if the reason for the request seems legitimate.
- Educate employees at all levels about how to spot spear phishing emails, including how to check emails for spoofed addresses in the “From” field.
- Be careful about what you post on your business’s website. Cybercriminals can use some types of information (e.g., employee job descriptions, email addresses) to determine who to impersonate and who to send the gift-card BEC email to.
If you would like to learn more ways to protect your company against BEC scams and other types of cyberattacks, contact us.
Money unfolding flickr photo by cafecredit shared under a Creative Commons (BY) license
