Gift cards new vector in CEO fraud

January 29 saw the arrival of yet another interesting variant of the gift card phishing campaigns that have become more common this year (see below). Today’s email demonstrates that bad guys are actively adapting and evolving their pitch into CEO fraud.

There are a couple of interesting things going on in this new gift card phish:

  • The bad guys work to establish a credible pretext (“incentives” for staff) — something they’ve been getting better at recently.
  • They explicitly request confidentiality — another tactic we’ve been seeing more of recently.
  • They’re getting really greedy — $4000 total in gift cards, the largest request we’ve yet seen (most requests in these gift card phishing schemes range from $500-$2000).
  • There’s something else very significant going on here, however, something we’ve not seen before in this kind of phishing scheme:
  • The bad guys incentivize the entire scheme by offering the recipient a bribe (“take one for yourself”), a ploy which, in a way, seeks to turn the email recipient into a co-conspirator.
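
As an added illustration (not code from the original post), here is a small Python heuristic that scores an email body against the indicators listed above: the gift card request, the executive pretext, the confidentiality request, the bribe, the request to send card numbers by email or text, and an unusually large amount. The patterns, weights, threshold and sample messages are my own assumptions, constructed for this example.

```python
import re

# Indicators from the gift card / CEO fraud pattern described in the post.
# Patterns and weights are assumptions made for this example.
INDICATORS = [
    ("gift_card_request", r"\bgift\s*cards?\b", 3),
    ("executive_pretext", r"\b(incentives?|rewards?|bonus(es)?) for (the )?(staff|team|employees|customers)\b", 2),
    ("confidentiality", r"\b(keep (this|it) (confidential|between us|quiet)|do not (tell|mention|discuss))\b", 2),
    ("bribe", r"\b(take|keep|get) one for yourself\b", 3),
    ("card_numbers_by_message", r"\b(send|email|text) (me )?(the )?(card )?(numbers?|codes?|pins?)\b", 2),
    ("urgency", r"\b(asap|urgent(ly)?|right away|immediately|today)\b", 1),
]
# The post cites $500-$2000 as typical and $4000 as the largest seen.
LARGE_AMOUNT_USD = 2000

def dollar_amounts(text):
    """Return every USD amount in the text as an int ('$4,000' -> 4000)."""
    return [int(m.replace(",", "")) for m in re.findall(r"\$\s?(\d[\d,]*)", text)]

def score_email(body):
    """Score an email body; returns (score, names of matched indicators)."""
    text = body.lower()
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, text):
            score += weight
            hits.append(name)
    if max(dollar_amounts(body), default=0) >= LARGE_AMOUNT_USD:
        score += 2
        hits.append("large_amount")
    return score, hits

def is_suspicious(body, threshold=5):
    """Flag for manual verification (e.g. a live phone call) above the threshold."""
    return score_email(body)[0] >= threshold

# Constructed sample messages, not real phishing emails.
SAMPLE_PHISH = """Hi Susan,
I need you to pick up $4,000 worth of gift cards ($500 each) as incentives for the staff.
Keep this confidential for now. Scratch the backs and email me the card numbers today.
Take one for yourself.
Sent from my iPhone"""
SAMPLE_BENIGN = "Hi team, reminder that the quarterly report is due Friday. Thanks!"

if __name__ == "__main__":
    for body in (SAMPLE_PHISH, SAMPLE_BENIGN):
        print(score_email(body), "SUSPICIOUS" if is_suspicious(body) else "ok")
```

A heuristic like this only triages; the post's advice to confirm by live phone call remains the actual control.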

Bribes work

The bribe is a really smart move. It costs the bad guys nothing (they’re spending someone else’s money, after all) and provides a strong, material motivation to comply.

Indeed, we began wondering: why haven’t the bad guys done this before? If you’re attempting to trick people into taking actions that are ultimately against their own interest, it helps to grease a few palms, thus doing something to change that equation.

In fact, the bad guys have done this kind of thing before: in money mule schemes, where the bad guys offer a cut of the money being moved to the mark/victim in order to incentivize participation in the operation.

How many of your users will jump at the chance to pick up a cool $500? Our guess is (unfortunately): more than a few.

What you can do

I suggest you send the following to your employees right away. You’re welcome to copy, paste, and/or edit:

The bad guys are getting creative with hybrid gift card / CEO fraud scams. These have mutated into campaigns where they impersonate an executive and urgently ask for gift cards to be bought for customers, while allowing the employee to take one for themselves too. After the cards are physically bought at stores, the numbers are to be emailed or texted to “the boss”. Never comply with requests like that, and always confirm with a live phone call to make sure this is not a scam. Sometimes it’s OK to say “no” to the CEO!

Can Your Domain Be Spoofed?

Did you know that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain? If they can, they can launch a “CEO fraud” spear phishing attack on your organization. KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. One email from us to you shows whether your email server is configured correctly. To enter, just go here and fill out the form; it’s quick, easy, and often a shocking discovery. https://www.knowbe4.com/domain-spoof-test/

Cyber Safety Net is a KnowBe4 partner. Reposted with permission from https://blog.knowbe4.com/bad-guys-now-bribing-users. Cyber Safety Net – Keeping you safe online. See https://cybersafetynet.net/cyber-security-awareness-training/ to train and strengthen your human firewall. See https://youtu.be/UFpFesrcnvY and https://www.knowbe4.com/security-awareness-training-features/ to learn more.
