With the holidays around the corner, everyone should be extra vigilant, as a gift card scam has become the go-to spear phishing technique.
According to a new study from Barracuda Networks, attackers use social engineering to trick office managers, executive assistants, and receptionists into sending attackers gift cards. The message claims it's for employee rewards, such as holiday surprises. With everyone slowly getting into the holiday cheer, chances are higher than ever for the scam to be successful.
The security company noticed that in early October a new trend arose - social engineering attacks were growing in number. The goal of the scam is to have the target send the attacker gift cards. More commonly, employees hit with the scam work as office managers, executive assistants, or receptionists. These are all people who are more likely to handle such orders from the company leadership. As with many other similar campaigns, the emails appear to come from the CEO of the organization.
While some of the emails employees received mention the purchase of Google Play gift cards, others are vague about it and just mention "the store," indicating the scammers don't really care where they come from as long as they get to cash them in somehow.
Lior Gavish, VP for Engineering and Email Security at Barracuda Networks told TechNadu over email that the most common gift cards requested by the scammers are Amazon, Apple iTunes, Google Play, Walmart, and PlayStation. All emails have in common the urgency transmitted through the phrasing. Basically, the attackers are putting pressure on the targets to act quickly.
The emails didn't contain any malicious payloads, so they go undetected by most security services. This means, you have to extra vigilant to notice them, or to have specialized help. Plus, having AI-based security solutions will also help out quite a bit, especially since these are tools specifically made for corporations, big and small.
When you're in a hurry to get things done and comply with orders given by CEOs and other high-level employees, you might very well miss the fact that the email address the message is coming from is fake. So, we wondered if employees commonly fall for this type of attacks.
"Yes. We’ve been contacted by multiple companies for our solution after they had purchased and given away the gift cards. The attackers can make the email very convincing through impersonation, urgency, and timing," Gavish added.
What do you do to stay safe online? Tell us in a comment in the dedicated section below the article. Please, if you can, also share the article online and follow TechNadu on Facebook and Twitter.