By Ronnie Tokazowski
Gift card scams are one type of Business Email Compromise attacks that frequently gets disregarded or glossed over due to complexities of tracing the fraud and the lack of visibility into how the money is used. Individuals inside of an organization don’t want to come forward and claim they were a victim, law enforcement doesn’t have these relatively smaller dollar amount cases of fraud, and the reality is there is virtually zero insight or tracing of gift cards when it comes to how or where they have been used. It is a crime that can fly under the radar or is not focused on, even though everyone knows it happens, but no one can do anything about it.
This is why we are going to cover one of the latest trends in gift card scams … using cancer patients as excuses on why you should send gift cards to strangers. To note, the samples included in this write up are ones that Cofense has seen and identified in actual enterprise environments after they were missed by existing standard email security controls. These are not hypothetical, but actual emails that made it to an employee’s mailbox after bypassing Secure Email Gateways (SEGs).
In today’s gift card attack, the scammers started with a phishing email just like any other gift card BEC. “Just wondering if i can get a quick favour from you.”
Image 1. Cofense response
Next, we received a response from the actor that they needed us to purchase an Apple gift card for a friend’s daughter who is suffering with liver cancer. To play up on the emotions, the actor tells us that they promised the card for her birthday but are having trouble getting the card for her.
Image 2. Lure asking for gift cards
We responded accordingly and said that yes, we could purchase the gift card for the daughter and asked what stores we could use to make the purchase. Purchasing gift cards is something that most people don’t normally do, which often leads to more questions from suspicious employees. While attackers are happy to walk potential victims through the steps, it’s easier to provide the stores up front with where they can purchase the cards. In this attack, Morrisons, Waitrose, Sainsbury’s, Argos, ASDA, and John Lewis were provided, most of which are grocery stores located in the United Kingdom. This helps provide more evidence that their initial target (or who they think they’re targeting) is more than likely in the UK.
Image 3. Listing of stores provided by attacker
We told the actor that we would be willing to run to the store, and they looked forward to hearing from us. Once we were “at the store,” we clarified what type of card they needed and let us know that they needed an Apple gift card totaling £200 GBP in £100 denominations. Once acquired, we were instructed to scratch off the back of the card to reveal the pin and take a snapshot and send it via email.
Image 4. Confirmation of what cards are needed
At this point, we stopped conversing with the scammer. This is a highly typical sequence for how gift card scams work. Please stay vigilant and be on the lookout for these types of BEC attacks.
For more insights on BEC attacks and gift card scams, here are more resources: