CEO Fraud By Gift Card?

Your Boss emails and asks you to buy some gift cards and email him the codes from the back of the card.  You would do it, right? 

A crafty mix of social engineering, great timing, and context act as the perfect ingredients to trick unwitting users into buying gift cards by utilizing CEO Fraud and placing them into the hands of the attacker.

At the end of the year, nearly every company is thinking about holiday bonuses, corporate gifts, and holiday greeting cards for customers. So, it’s not unusual to think that the head of an organization might want to give out some gift cards to select employees at this time of year.

This all-too-common scenario is being taken advantage of by cyber criminals, according to the latest threat spotlight from security company Barracuda. Using simple impersonation tactics, the bad guys pose as the CEO asking an office manager, executive assistant, or receptionist to discreetly purchase some gift cards that will be used as gifts to employees.

Using well-researched personnel details, these cyber criminals are able to identify an appropriate individual to target, send them an email from the CEO’s supposed personal account, implying a sense of urgency to move the victim to act.

What makes these attacks so successful boils down to a few factors:

  1. They are filled with contextual goodness – these attacks get so many details right: the CEO’s name, the recipient selected, the time of year, and the reason for the gift card purchase. In an employee’s mind, this is all very plausible.
  2. There’s no malware – this is a malware-less attack, with no links or attachments for an AV or endpoint protection solution to spot.
  3. They leverage the power of the CEO – this is important. When the CEO says jump, generally people say how high? The fact that the request is coming from the CEO is usually sufficient motivation to make the recipient comply.

There are really only two ways to stop attacks like this:

    • Process – anytime a request is made to purchase something over a certain amount via email, a phone call should follow to verify the request.
    • Education – users that continually go through Security Awareness Training should spot this a mile away. The email details and the abnormality of the request are red flags to a user with an elevated security mindset. Users undergoing Security Awareness Training are educated on the scams run, tactics used, what to look for, and, generally, to maintain a state of vigilance when it comes to their interaction with email and the web.