Beware phony gift card email scams: Here's why attackers love using them

Two thirds of email attacks targeting the enterprise are fake gift card requests from the boss. Individual attacks don't pocket attackers much, but widespread campaigns can be highly lucrative - and difficult to trace.
Written by Danny Palmer, Senior Writer

Phishing attacks targeting business email continue to rise, with cyber thieves adopting a simple technique to trick employees into handing over money.

Gift card requests aren't a new tactic, but despite having a low success rate, criminals are successfully squeezing cash out of victims by targeting large numbers of people.

The attacks have been around for a long time and are based on phony requests from bosses or co-workers to buy gift cards. Because the ruse is centred on purchasing gifts, victims are also less likely to tell colleagues about the request.

The target is asked to purchase the gift cards – most commonly Google Play, Steam Wallet, Amazon, Apple iTunes or Walmart cards – then to send the codes to the attacker by email.

Email security company Agari's newly released Email Fraud and Identity Deception Trends report examines the attack landscape and says gift card fraud now accounts for two-thirds of business email compromise (BEC) attacks.

The average amount requested in these attacks is around $1,500, while more ambitious attackers can request up to $5,000. While the chances of such an attack being successful might seem unlikely, Agari has previously said attackers often focus on smaller organisations, such as provincial town schools and school districts, charities, hospitals, churches and universities.

Gift card fraud provides attackers with certain advantages. They can repeat the scam against hundreds or even thousands of victims, which can soon turn payments of a few thousand dollars a time into a much larger sum. Gift card fraud also provides criminals with more targets, because they're not restricted to finance departments.

"One of the notable aspects of gift card BEC attacks is that they make all employees a target. Instead of solely focusing on finance or HR employees like other forms of BEC attacks, scammers impersonate a wide variety of identities on the corporate ladder to widen the scope of their attacks," Crane Hassold, senior director of threat intelligence at Agari Cyber Intelligence Division, told ZDNet.

"While the success rate does not seem to be higher compared to other types of BEC attacks, because the volume of attacks is generally much higher, scammers have more opportunities for success."

The attacks also provide cyber criminals with the advantage of anonymity, as it's almost impossible to trace gift cards that have been illicitly acquired. The attackers can sell the codes they obtained for free at a profit, with the proceeds laundered through cryptocurrency exchanges, or they can simply use the codes to make purchases.

While successful and on the rise, gift card BEC attacks are typically simple phishing campaigns that – in theory – can easily be countered.

"One of the best ways to protect against these attacks is to simply confirm a purchase request with the supposed requestor to confirm its authenticity," said Hassold.

"Enterprises should also raise awareness that most cyberattacks today are not necessarily technically sophisticated, so email defenses and security awareness training should include a focus on these types of non-technical, social engineering attacks," he concluded.

BEC scams continue to cause large financial losses for organisations – last year, US organisations alone lost $1.3bn to these attacks.