Beware of business email gift card scams, and a new gang of crooks is impersonating lawyers.
Welcome to Cyber Security Today. It’s Monday, November 7th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
On my last podcast I talked about telephone scams aimed at consumers. Today’s topic is gift card purchasing email scams aimed at company employees. They think they’re doing a favour for a boss who asks them to buy gift cards for Amazon, PayPal or a credit card company. These can be bought in supermarkets, drug stores and malls, and they can also be bought online. What crooks want is an untraceable way to get money. Victims are told to send the serial numbers on the cards to the crook, either by email or as photos taken with their smartphones. The crook then re-sells the card numbers on the black market at a discounted price. Or, if they get Amazon cards, the crook spends the funds on goods and re-sells them on a legitimate online marketplace. Or they may buy cryptocurrency.
Typically the scam starts with an employee getting an email from their manager or boss asking them to spend their own money buying gift cards for an event — around this time of year Christmas is a common excuse. The ‘boss’ wants to give gift cards to staff for the holiday, or as a bonus because the company had a good year, or a valued client needs iTunes gift cards. It may be a personal request: ‘I want to get my wife a surprise gift card.’
Sometimes the so-called boss doesn’t initially say what they want. The first message from the boss may say, ‘Do you have a few minutes?’ If the victim replies yes, the so-called boss emails back, ‘I have a request….’ The goal is to get the employee hooked.
Consumers can also be victims of gift card scams. The Better Business Bureau notes crooks have pretended to be from the U.S. Internal Revenue Service or the Canada Revenue Agency, claiming the victim has an income tax problem that can only be solved by paying with a gift card. Or the crook pretends to be a relative or friend who urgently needs money. Or, as I told you last week, they can pretend to be the police or a bank wanting you to buy gift cards to help track down a fraudster.
How fast do crooks cash in these cards? Researchers at Cofense recently did tests with traceable gift cards sent to crooks. In all but one case the gift cards were re-sold and used for purchases within 24 hours. The purchases may have been made by the crooks themselves, or by innocent people who bought the gift card at a discount to save money. In another case in this test someone bought a counterfeit toy and listed it for sale on a legitimate online marketplace to cash in.
There are two ways to stop this scam: First, everyone should use multifactor authentication to prevent their email from being hacked. Second, beware of emails asking you to buy large volumes or denominations of gift cards, especially if the ‘boss’ wants you to spend your own money and promises to repay you. A key sign this is a scam is if you’re asked to send, by email or photo, the serial numbers on the back of the cards.
Email gift card scams aimed at employees come under a general category called business email compromise scams. These include scams like requests to pay phony invoices or to transfer funds because a customer has supposedly changed their bank account. Researchers at Abnormal Security have discovered a new group of crooks doing these types of scams. For convenience the researchers call this gang Crimson Kingsnake. It impersonates real lawyers, law firms and debt recovery services, targeting companies in the U.S., Europe, the Middle East and Australia. A typical email pretends to be from a lawyer about an alleged overdue payment. If an employee responds, the crooks email them a fake invoice. If the employee questions the invoice, the gang sends an email to the employee pretending to be an executive at their firm who explains the invoice and authorizes payment. To be convincing the crooks create fake look-alike email addresses of real law firms and debt collection agencies. It’s another example of why employees — especially those in the finance department — need to be taught not to react quickly to email messages involving money. IT departments need to make sure corporate domains aren’t being spoofed, and they should install effective anti-phishing software.
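To show what an IT department can actually check for, here is an added example (not code from the podcast, Cofense or Abnormal Security) that flags the three warning signs described above: a sender domain that is a look-alike of a trusted firm, an executive’s display name on an outside address, and a request to buy gift cards and send back the serial numbers. The domains, the executive and the sample messages are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed sample data: the company's own domain, one partner law firm,
# and one internal executive whose name a scammer might borrow.
TRUSTED_DOMAINS = {"ourcompany.com", "smith-law.com"}
EXECUTIVES = {"jane doe": "jane.doe@ourcompany.com"}
# Digits commonly swapped for letters in look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a, b):
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Trusted domain that `domain` imitates, or None if trusted or unrelated.
    Very short trusted domains may need a tighter distance threshold."""
    if domain in TRUSTED_DOMAINS:
        return None
    normalized = domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    for trusted in sorted(TRUSTED_DOMAINS):
        if normalized == trusted or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def flag_message(from_header, body):
    """Return the warning flags raised by one inbound message."""
    flags = []
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    imitated = lookalike_of(domain)
    if imitated:
        flags.append(f"lookalike-domain:{imitated}")
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:  # boss's name, but not the boss's mailbox
        flags.append("executive-name-on-foreign-address")
    text = body.lower()
    if "gift card" in text and re.search(r"serial|photo", text):
        flags.append("gift-card-serial-request")
    return flags
```

A mail gateway or SIEM rule would route any message with a non-empty flag list to a human review queue rather than to the employee’s inbox.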
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.