Quick. You just got an urgent email from the president of your company asking you to purchase gift cards for everyone in the office. You need to respond quickly for further instructions and keep it quiet because it’s a surprise. What do you do? How would a more junior member of your team respond?
Just in time for the holiday season, cyber criminals are putting a new twist on a phishing attack with a large-scale impersonation campaign. The attack focuses on tricking office managers, executive assistants, and receptionists into sending gift cards to the attackers, claiming it’s a reward for employees, maybe even a holiday surprise for the whole office. Given how common it is for companies to give gift cards to employees this time of year, the specific request is interesting and demonstrates how targeted these types of attacks are getting.
Social engineering has always been a powerful weapon for cyber criminals, allowing them to use context and timing to talk unsuspecting victims into doing what the attacker wants. This tactic is especially powerful when the attacker also impersonates a high-ranking executive. Often targeting a low or mid-level employee, the attacker can trick the victim into taking a certain action, simply by sending a well-timed email with highly relevant details and context, without including any malicious links or attachments that would get picked up by email security.
Researchers have seen an increase in social engineering attacks where the goal is to get the intended victim to send gift cards to the attacker. Cyber criminals know that many organizations are asking employees such as office managers, executive assistants, and receptionist to buy gift cards for everyone in the office, now that the holidays are coming up soon. Using this common practice to their advantage, attackers are targeting people in these roles, often impersonating the CEO or president of the company. This puts added pressure on the employee to act on the request quickly and make the transaction happen.
Why these attacks are succeeding
Researchers have seen four common tactics used in these gift card phishing attacks, which are helping the cyber criminals succeed.
The first tactic is impersonating a CEO or someone else in a position of authority. As I mentioned, this tactic puts pressure on the employee to respond quickly without thinking to closely about the request and how it would usually be handled. Because, of course, the employee will want to keep the CEO happy and make a good impression.
The second tactic is asking for secrecy. It might make sense at first that someone would ask you to keep a request like this confidential. After all, the gift cards are likely intended to be a reward for the staff or a holiday surprise. But it also prevents the target from talking to someone who might raise questions about the request and seemingly helps justify sidestepping any usual protocols that may be in place for a purchase of this kind.
The third tactic that attackers are using in this campaign is incorporating relevant details into the emails. This means attackers are doing their research on the company and the people they’re targeting, either leveraging publicly available information or compromising an employee’s email account and watching for useful information.
For example, one email that researchers found was sent to a multi-national business, and it implied that they would need to buy gift cards in different currencies, which fit with how the organization operates. Another sample asked specifically for Google Play gift cards, and it’s possible the team had already discussed purchasing those particular gift cards.
The fourth common tactic is creating a sense of urgency. Many of the emails use language that encourages the employee to respond as soon as possible, e.g. “Do get back to me” or “How soon can you get this done?” The attackers even included an email signature advertising that the email was sent from a mobile device. This implies urgency and suggests that whoever the attackers are impersonating is out of the office and can’t be reached to confirm the request.
How to protect your organization
This type of attack, which relies on social engineering to succeed, is difficult for traditional email security to detect because the emails don’t contain a malicious link or suspicious attachment. AI-based email security is better at detecting these types of phishing attacks because those solutions learn the specific context of the organization and can catch anomalies and red flags, such as the urgent call to action and the request for a financial transaction.
Another important tool your organization can put in place to help avoid falling victim to this type of attack is providing regular security awareness training for employees. Regular training and phishing simulations can help employees learn how to spot attacks like this. It’s also smart to establish procedures on how to verify financial requests that come in through email before those transactions are completed. If you already have them in place, a providing refresher on them could help avoid having an employee, whether they’re an office manager or part of the finance team, avoid making an expensive error.
Asaf Cidon is vice president of content security services at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company’s AI solution for real-time spear phishing and cyber fraud defense. Asaf was previously CEO and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he completed his PhD at Stanford, where his research focused on cloud storage reliability and performance. He also worked at Google’s web search engineering team. Asaf holds a PhD and MS in Electrical Engineering from Stanford, and BSc in Computer Engineering from the Technion.