Cyber Criminals Targeting Holiday Spirit with New Gift Card Scam

by Asaf Cidon
December 14, 2018
in Featured Content, Fraud Risk and Analytics, Industry Opinions, Prepaid

Quick. You just got an urgent email from the president of your company asking you to purchase gift cards for everyone in the office. You need to respond quickly for further instructions and keep it quiet because it’s a surprise. What do you do? How would a more junior member of your team respond?

Just in time for the holiday season, cyber criminals are putting a new twist on a phishing attack with a large-scale impersonation campaign. The attack focuses on tricking office managers, executive assistants, and receptionists into sending gift cards to the attackers, claiming it’s a reward for employees, maybe even a holiday surprise for the whole office. Given how common it is for companies to give gift cards to employees this time of year, the specific request is interesting and demonstrates how targeted these types of attacks are getting.

Social engineering has always been a powerful weapon for cyber criminals, allowing them to use context and timing to talk unsuspecting victims into doing what the attacker wants. This tactic is especially powerful when the attacker also impersonates a high-ranking executive. Often targeting a low or mid-level employee, the attacker can trick the victim into taking a certain action, simply by sending a well-timed email with highly relevant details and context, without including any malicious links or attachments that would get picked up by email security.

Researchers have seen an increase in social engineering attacks where the goal is to get the intended victim to send gift cards to the attacker. Cyber criminals know that many organizations ask employees such as office managers, executive assistants, and receptionists to buy gift cards for everyone in the office now that the holidays are coming up. Using this common practice to their advantage, attackers are targeting people in these roles, often impersonating the CEO or president of the company. This puts added pressure on the employee to act on the request quickly and make the transaction happen.

Why these attacks are succeeding

Researchers have seen four common tactics used in these gift card phishing attacks, which are helping the cyber criminals succeed.

The first tactic is impersonating a CEO or someone else in a position of authority. As I mentioned, this tactic puts pressure on the employee to respond quickly without thinking too closely about the request and how it would usually be handled. After all, the employee will want to keep the CEO happy and make a good impression.

The second tactic is asking for secrecy. It might make sense at first that someone would ask you to keep a request like this confidential. After all, the gift cards are likely intended to be a reward for the staff or a holiday surprise. But it also prevents the target from talking to someone who might raise questions about the request and seemingly helps justify sidestepping any usual protocols that may be in place for a purchase of this kind.

The third tactic that attackers are using in this campaign is incorporating relevant details into the emails. This means attackers are doing their research on the company and the people they’re targeting, either leveraging publicly available information or compromising an employee’s email account and watching for useful information.

For example, one email that researchers found was sent to a multi-national business, and it implied that they would need to buy gift cards in different currencies, which fit with how the organization operates. Another sample asked specifically for Google Play gift cards, and it’s possible the team had already discussed purchasing those particular gift cards.

The fourth common tactic is creating a sense of urgency. Many of the emails use language that encourages the employee to respond as soon as possible, e.g. “Do get back to me” or “How soon can you get this done?” The attackers even included an email signature advertising that the email was sent from a mobile device. This implies urgency and suggests that whoever the attackers are impersonating is out of the office and can’t be reached to confirm the request.

How to protect your organization

This type of attack, which relies on social engineering to succeed, is difficult for traditional email security to detect because the emails don’t contain a malicious link or suspicious attachment. AI-based email security is better at detecting these types of phishing attacks because those solutions learn the specific context of the organization and can catch anomalies and red flags, such as the urgent call to action and the request for a financial transaction. 
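To make the four tactics above and the “red flags” mentioned here concrete, the following is an added example (not code from this article, from Barracuda, or from Barracuda Sentinel) of a rule-based scorer that holds a message for manual review when it combines several of those signals: an executive display name on an external sending domain, a Reply-To that points somewhere else, secrecy and urgency phrasing, a gift card request, and a “sent from my phone” signature. The company domain, executive names, phrase lists and both sample messages are constructed for the demonstration; a production system would learn the organization’s context rather than rely on a fixed list, as the paragraph above describes.

```python
# Added example (not the article's or Barracuda's code): a heuristic scorer
# for gift-card request emails built around the four tactics the article
# describes. Domain, executive names and sample messages are constructed.
import re
from email import message_from_string, policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"           # assumed internal domain
EXECUTIVES = {"jane doe", "john smith"}   # assumed display names to protect

# Phrases grouped by the tactic they indicate. Two of the urgency phrases are
# the article's quoted wording; the rest are assumed for the example.
SIGNALS = {
    "urgency": [r"\bget back to me\b", r"\bhow soon\b", r"\bas soon as possible\b",
                r"\basap\b", r"\burgent(?:ly)?\b", r"\bright away\b"],
    "secrecy": [r"\bkeep (?:this|it) (?:quiet|confidential|between us)\b",
                r"\bdon'?t (?:tell|mention)\b", r"\bsurprise\b", r"\bdiscreet(?:ly)?\b"],
    "gift_card": [r"\bgift ?cards?\b", r"\b(?:google play|itunes|amazon) cards?\b",
                  r"\bscratch(?:ed)? off\b", r"\bcard (?:codes?|numbers?)\b"],
    "mobile_signature": [r"\bsent from my (?:iphone|android|mobile|phone)\b"],
}


def header_signals(msg):
    """Executive-impersonation checks that need only the headers."""
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    # A known executive's name arriving from outside the company domain.
    if name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        found.append("exec_name_external_domain")
    # Replies silently redirected to a different mailbox than the sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        found.append("reply_to_domain_mismatch")
    return found


def body_signals(text):
    """Return the tactics whose phrase list matches the subject/body text."""
    lowered = text.lower()
    return [tactic for tactic, patterns in SIGNALS.items()
            if any(re.search(p, lowered) for p in patterns)]


def score_message(raw):
    """Return (score, signals). Each distinct signal is one point; a gift card
    request coming from a suspicious sender is weighted one point higher."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    signals = header_signals(msg) + body_signals(msg.get("Subject", "") + "\n" + text)
    score = len(signals)
    if "gift_card" in signals and any(s.startswith(("exec_", "reply_to")) for s in signals):
        score += 1
    return score, signals


def should_hold(raw, threshold=3):
    """Hold the message for human verification once the score hits the threshold."""
    score, _ = score_message(raw)
    return score >= threshold


# Constructed sample messages: one mirroring the article's scam, one benign.
SCAM = """\
From: Jane Doe <jane.doe@gmail-mail.example>
Reply-To: Jane Doe <ceo.jane@fastmail.example>
To: office@example.com
Subject: Quick favor - keep this between us
Content-Type: text/plain; charset="utf-8"

Hi, I need you to buy Google Play gift cards for the team as a holiday surprise.
How soon can you get this done? Do get back to me with the card codes.

Sent from my iPhone
"""

BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: office@example.com
Subject: Holiday party catering
Content-Type: text/plain; charset="utf-8"

Can you confirm the catering order for Friday? No rush, next week is fine.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("benign", BENIGN)):
        score, signals = score_message(raw)
        print(f"{label}: score={score} hold={should_hold(raw)} signals={signals}")
```

The threshold is deliberately low: a gift card request alone is not suspicious, but a gift card request plus secrecy plus an external domain for an executive’s name is exactly the combination the article describes, and routing such mail to a verification step (a phone call to the executive, or the purchasing procedure discussed below) costs far less than an approved purchase.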

Another important tool your organization can put in place to help avoid falling victim to this type of attack is regular security awareness training for employees. Regular training and phishing simulations can help employees learn how to spot attacks like this. It’s also smart to establish procedures for verifying financial requests that come in through email before those transactions are completed. If you already have them in place, providing a refresher on them could keep an employee, whether they’re an office manager or part of the finance team, from making an expensive error.

Author Bio:

Asaf Cidon is vice president of content security services at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company’s AI solution for real-time spear phishing and cyber fraud defense. Asaf was previously CEO and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he completed his PhD at Stanford, where his research focused on cloud storage reliability and performance. He also worked at Google’s web search engineering team. Asaf holds a PhD and MS in Electrical Engineering from Stanford, and BSc in Computer Engineering from the Technion.
