
“You bet! I’ll get those gift cards right away.”
Nick opened his eyes with excitement. It was going to be another great day! He looked at his alarm clock. 6:28 am. Again, he woke up before his alarm went off.
It was Friday morning and he had been in his new role for almost a full week. Nick couldn’t be happier. While not at the top of his class, he was easily amongst the top 5. In just 8 weeks, he would be graduating college with honors.
He had applied to only two companies for his internship and received job offers from both. He picked the smaller of the two, a small environmental engineering firm where he would get to work more closely with the leadership team and learn directly from some of the best in the industry.
As he sat at his desk just after lunch, the email came in. It came from the President, Fred Wilson. It was short:
“Hey, Nick. Are you busy?”
Nick quickly replied with “Just finishing up some editing. What do you need?”
The reply came back, “I need a favor and it’s urgent. Can you help?”
“Yes of course,” Nick replied.
The next email read, “Good. I’m in an important client meeting right now. I need you to get me some gift cards.”
Nick replied “I can go get them. What kind and how much?”
“I need iTunes cards. 10 cards each with $100. I’ll cut you a cheque to reimburse you when I get back this afternoon.”
Again Nick responded “I’m on it. I’ll put them on my credit card for now.”
“Good. Email me back once you have all the cards.”
Nick was out the door, driving to the convenience store to pick up the gift cards. The first place would only sell him $400 worth, so he ended up having to stop at 2 other stores to get all 10 cards.
As soon as Nick had the 10 cards, he replied to the email “I’ve got the cards. Where do you want me to deliver them?”
“I don’t need them delivered. Just scratch off the back of each card and email me the codes.”
And so, Nick scratched off the silver strip on the back of each card and sent an email with the 10 redemption codes.
Meanwhile back at the office just moments earlier, Fred Wilson had wandered over to Nick’s desk. Noticing that Nick was not there, he asked Dmitri, who sat next to Nick, “Where’d Nick go?”
Dmitri gave a puzzled look as he replied “Umm… he told me that you had sent him out on an urgent errand.”
Fred raised his eyebrows, confused. “Urgent errand? I didn’t send him on any errand.”
After Nick got back to the office and the dust settled, he realized that he had been scammed. He had spent $1,000 on his own credit card buying a bunch of gift cards and had sent the redemption codes to scammers, who immediately drained the balances of those cards. Nick lost $1,000 of his own money during his first week of work.
Despite Fred Wilson insisting on helping Nick cover the amount he had lost, Nick was too embarrassed, and felt too responsible, to accept the offer. It was a very expensive lesson for the intern in his first week on the job, and likely one Nick will never forget.
What happened?
This scam is known as a Gift Card Scam and has been around for many years now. There has been a sudden resurgence of these attacks, specifically with attackers targeting new employees and interns.
The attacker typically researches companies, likely on LinkedIn, to identify key people such as the President, CEO, CFO, or another high-ranking executive. They then look for someone who may be new to the organization, an assistant, or another employee that they can potentially exploit.
The attacker then figures out the email address of the victim. This is usually done by looking at patterns in the known email addresses of users at the target business. They then “spoof” (pretend to be) the high-ranking executive by simply changing the display name in the email they send. For example, the email address might be abc123@gmail.com, but they use the full name of the executive as the display name. In this case the display name was “Fred Wilson”.
When the message is received by the victim, it looks like it came from “Fred Wilson”, but not from Fred’s legitimate email address. This type of spoofing is also sometimes called “CEO Spoofing”. Having tricked the victim into thinking that the email actually came from the real “Fred Wilson”, the attacker proceeds to get the victim to perform a series of tasks, which in this case was to buy a bunch of gift cards and email the redemption codes to the attacker so that the attacker could redeem the funds from the cards.
What could have been done to prevent it?
There are several ways these types of attacks can be mitigated. On the IT infrastructure side of things, many advanced SPAM filters can be configured to prevent “CEO Spoofing” attacks. The filter blocks any email whose display name matches the name of a user within the company but which does not come from the company’s own domain. These filters are very effective but are never 100% effective: the attacker could potentially use a slight misspelling of the name or add an extra character to thwart the filter.
Another way to mitigate this attack is to educate users to take a closer look at the “from” email address of the message. Had his mail client shown both the display name and the actual email address, Nick would likely have noticed that the email was in fact coming from an address that was not Fred Wilson’s real corporate email address.
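To make the filter rule above concrete, here is an added example (not code from the original post or from any particular SPAM filter product) of the check a mail gateway would run on the From: header. It flags a message when the display name matches the name of a known internal user but the sender address is on an external domain, and it goes one step beyond the text by also catching the “slight misspelling / extra character” evasion through a small edit-distance tolerance. The corporate domain, the directory entries other than “Fred Wilson”, and the sample messages are all constructed for the example.

```python
"""
Display-name spoofing detector (added example, not code from the original post).

Flags a message when the From: display name matches, or nearly matches, the
name of a known internal user while the sender address is not on a corporate
domain. Names are normalised (Unicode NFKC, case-folded, punctuation removed,
whitespace collapsed) and compared by edit distance so that a misspelt or
padded name is also caught.
"""
import email
import re
import unicodedata
from email import policy

# Constructed placeholders. A real deployment would load these from the user
# directory and the organisation's list of mail domains.
CORPORATE_DOMAINS = {"example.com"}
INTERNAL_USERS = {
    "Fred Wilson": "fred.wilson@example.com",  # the executive impersonated in the story
    "Dana Okafor": "dana.okafor@example.com",  # constructed second directory entry
}
MAX_EDIT_DISTANCE = 2  # tolerate small misspellings or one or two extra characters


def normalize_name(name: str) -> str:
    """NFKC-fold, lower-case, drop punctuation and collapse whitespace."""
    name = unicodedata.normalize("NFKC", name).casefold()
    name = re.sub(r"[^\w\s]", "", name)
    return " ".join(name.split())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, simple dynamic-programming version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_internal_user(display_name: str):
    """Return (directory name, distance) of the nearest internal user, or (None, None)."""
    target = normalize_name(display_name)
    if not target:  # bare address, no display name to impersonate with
        return None, None
    best = min(INTERNAL_USERS, key=lambda n: edit_distance(target, normalize_name(n)))
    return best, edit_distance(target, normalize_name(best))


def analyze_from_header(raw_message: str) -> dict:
    """Classify a raw RFC 5322 message by its From: header (RFC 2047 encoding is decoded)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        return {"verdict": "reject", "reason": "missing or unparsable From header"}
    addr = from_hdr.addresses[0]
    domain = addr.domain.casefold()
    match, dist = closest_internal_user(addr.display_name)
    result = {
        "display_name": addr.display_name,
        "address": addr.addr_spec,
        "matched_user": None,
        "verdict": "allow",
        "reason": "display name does not resemble an internal user",
    }
    if match is None or dist > MAX_EDIT_DISTANCE:
        return result
    result["matched_user"] = match
    if domain in CORPORATE_DOMAINS:
        # An internal name from an internal domain is legitimate here; this assumes
        # the corporate domain itself is protected by SPF/DKIM/DMARC (a separate control).
        result["reason"] = "internal name sent from a corporate domain"
        return result
    result["verdict"] = "quarantine"
    result["reason"] = (f"display name resembles internal user {match!r} "
                        f"(edit distance {dist}) but sender domain {domain!r} is external")
    return result


# Constructed sample messages: the scenario from the story plus common variants.
SAMPLE_MESSAGES = {
    "spoofed": "From: Fred Wilson <abc123@gmail.com>\nTo: nick@example.com\n"
               "Subject: Are you busy?\n\nHey, Nick. Are you busy?\n",
    "spoofed_misspelt": "From: Fred Willson <fwilson.office@gmail.com>\nTo: nick@example.com\n"
                        "Subject: urgent favor\n\nI need a favor and it's urgent.\n",
    "encoded": "From: =?utf-8?q?Fred_Wilson?= <abc123@gmail.com>\nTo: nick@example.com\n"
               "Subject: quick question\n\nAre you at your desk?\n",
    "legit": "From: Fred Wilson <fred.wilson@example.com>\nTo: nick@example.com\n"
             "Subject: welcome\n\nWelcome aboard, Nick.\n",
    "unrelated": "From: Newsletter <news@vendor.example.net>\nTo: nick@example.com\n"
                 "Subject: monthly update\n\nThis month's news.\n",
}


def run_samples() -> dict:
    """Verdict for each constructed sample, keyed by sample name."""
    return {name: analyze_from_header(raw)["verdict"] for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        r = analyze_from_header(raw)
        print(f"{name:17s} {r['verdict']:10s} {r.get('reason')}")
```

The edit-distance tolerance is what the text is hinting at when it says these filters are “never 100%”: a strict string match lets “Fred Willson” through, while a loose match will occasionally quarantine a genuine external contact who shares a name with someone inside the company. Quarantine-and-review, rather than silent drop, is the usual compromise, and the check complements rather than replaces the user training described next.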
Finally, there is no substitute for education and vigilance. By educating employees to be cautious of any email that is asking for anything sensitive and to verify instructions by reaching out directly for confirmation, these types of scams can be avoided.
Story is based on real-life events.
Written by: Vince Fung
(c) 2022 Vince Fung & Expera IT – Unauthorized copying or use of this content is strictly prohibited.
