
https://www.forbes.com/advisor/personal-finance/gift-card-scams/

BEC Scam: Gift Card Scams
Robert Jordan III
Information Security Leader & GRC nerd
Published Dec 13, 2023

Business Email Compromise (BEC) is a common threat to businesses and individuals that has totaled global losses of at least $51B between 2013 and 2022. There are a number of BEC scams that impersonate CEOs or other executives at an organization via social engineering, with the goal of financial gain through some type of funds transfer such as wire transfers, invoice payments, payroll, and gift cards. In this article I highlight gift card scams: what the scam is, how it is designed, and active measures organizations can take to mitigate its impact.

What Are Gift Card Scams?

Gift Card scams are another low risk / high reward activity for cybercriminals. Low risk, as the activity is difficult to trace and easy to perform at scale (hundreds of thousands of email messages delivered to thousands of companies). High reward, as there have been $1.9M of reported losses in Gift Card or Gift Card Reloading scams in the first three quarters of 2023.

Like other BEC scams, Gift Card scams start with a phishing email or a text message to an employee's personal phone. A simple email, posing as the CEO or another executive at the company, asks an employee if they can assist with a quick task. The task is to purchase some gift cards and send the card numbers on the back. The messages are often time sensitive, which pressures the recipient to act quickly. This scam preys on those employees that want to be helpful.

How the scam is designed

The cybercriminals will start by scraping names and titles from LinkedIn and cross-referencing this with other known breach data to gather email addresses and phone numbers for an organization. They can often buy lists of this data as well. These lists will be reused for a number of BEC scams.

Once armed with names, titles, phone numbers and emails, the cybercriminals will spam employees directly at a company attempting to get a reply. The criminals will use several free mail services to send their mail from (gmail.com, icloud.com, mail.ru, etc.), though most will originate from Gmail. In some cases they will create a new domain for their campaign. In more sophisticated cases, they will create a look-alike domain using typosquatting techniques.

They often target employees who are new to the company or have a recent job title change on LinkedIn. The assumption here is that new employees are more likely to be helpful. When texting, they will often deliver the message late on a Friday or over the weekend.

The messages are often sent to more than just one person within the organization in the hopes that one will reply. Should they receive a reply, the cybercriminals give some reason for needing gift cards: for a client, for other employees, to help a sick child. They ask the employee to go immediately to a local store, purchase multiple types of gift cards, and send the codes from the back of the cards.

The messages may also move from email to another messaging system, such as text message or WhatsApp. This hides the conversation from security teams at companies. The messages will often state that the employee will be reimbursed for their effort, sometimes with interest.

Once the codes are delivered, the cybercriminals pull the funds off the cards. Stolen funds are often not recovered after the scam is discovered.

How the scam looks

The first email is often just a few lines. The sender's display name will impersonate the CEO, in this case Bob, but the email will come from outside the company, often from Gmail.

https://usa.kaspersky.com/blog/what-is-bec-attack/21158/

The email could also jump to another communication channel, such as in this example.

https://www.thesslstore.com/blog/how-to-spot-protect-against-business-email-compromise-bec-attacks/

Once the employee replies, the criminal requests that the employee obtain the gift cards urgently.

https://www.proofpoint.com/us/blog/threat-protection/understanding-bec-scams-gift-card-scams

Here is what the scam may look like as a text message to an employee's personal phone. The cybercriminals take this route as it can bypass many protections that are set for corporate email.

https://cofense.com/blog/bec-ceo-gift-card-scams/

Ways to detect and prevent gift card scams

People often hold the recipient of the message responsible, arguing that they should carefully check the message for telltale signs of a scam, but I do not agree. Putting the responsibility solely on the recipient is inappropriate and will often fail. Here are some additional controls to help prevent and detect this scam.

Alert and educate your company about this scam. State that no executive will ever ask for gift cards. Ensure this is highlighted in Day 1 training.

Have a defined procedure on how to report suspicious emails or text messages. Encourage your employees to use this procedure often.

Purchase and park look-alike domain names to prevent criminals from using them against you.

Email logs should be sent to a SIEM or log aggregator. Alerts should be triggered for email spoofing (mails that look like they are from the company but are sent from outside mail systems).

Add a secure email gateway that looks for and blocks multiple types of BEC, alerts when messages are received from domains that were recently created, and alerts for spoofing.
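The SIEM and gateway alerts described above (a company domain arriving from outside, an executive's display name on an external address, a typosquatted look-alike domain) can be expressed as simple detection rules. The following is an added example, not code from the article: it assumes a company domain of example.com, a small list of executive display names, and a constructed one-line-per-message mail log format.

```python
import email.utils
import re

COMPANY_DOMAIN = "example.com"            # assumed company domain (constructed)
EXECUTIVE_NAMES = {"bob smith", "bob"}    # assumed executive display names (constructed)

# Constructed sample mail log lines, not real traffic; one message per line.
SAMPLE_LOG = """\
dir=inbound from="Bob Smith <bob.smith.ceo@gmail.com>" subject="quick task"
dir=inbound from="Bob Smith <bob.smith@example.com>" subject="need a favor"
dir=inbound from="Accounts <ap@exampel.com>" subject="invoice"
dir=inbound from="Vendor Support <help@vendor.net>" subject="ticket 42"
dir=outbound from="Bob Smith <bob.smith@example.com>" subject="re: budget"
"""
LINE_RE = re.compile(r'dir=(\w+) from="([^"]*)" subject="([^"]*)"')

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquatted look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def alert_reasons(direction: str, from_header: str) -> list:
    """Return the spoofing/impersonation alerts that apply to one message."""
    name, addr = email.utils.parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    if direction != "inbound":
        return reasons                      # only mail arriving from outside matters
    if domain == COMPANY_DOMAIN:
        reasons.append("internal domain arriving from outside (spoofed)")
    elif 0 < edit_distance(domain, COMPANY_DOMAIN) <= 2:
        reasons.append(f"look-alike domain {domain}")
    if name.strip().lower() in EXECUTIVE_NAMES and domain != COMPANY_DOMAIN:
        reasons.append(f"executive display name '{name}' from external domain {domain}")
    return reasons

def scan_log(text: str) -> dict:
    """Map the subject of each flagged message to its alert reasons."""
    findings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            direction, from_header, subject = m.groups()
            reasons = alert_reasons(direction, from_header)
            if reasons:
                findings[subject] = reasons
    return findings

if __name__ == "__main__":
    for subject, reasons in scan_log(SAMPLE_LOG).items():
        print(subject, "->", "; ".join(reasons))
```

A real deployment would feed the same rules from the gateway's header logs and add the registration-age check for newly created domains, which needs WHOIS or a domain-reputation feed and so is not shown here.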

Enable the “external email warning” banner on emails.

Ensure email accounts are protected by Multi-Factor Authentication to reduce the risk of account takeovers.

Recovering from a Gift Card Scam

The company should reimburse the employee for the loss. The security team should create and document the incident following your Incident Response processes. In most cases, the financial loss cannot be recovered and is immaterial to claim. However, you should report the incident to your cyber insurance carrier as a non-claim report.
