RE: Beware Gift Card Scams
January 14, 2019
Recently, there has been a rise in gift card scams, which is a specific type of spear phishing. In general, spear phishing scams appear to come from a trusted source (spoofing) and target an individual or organization. With gift card scams, the goal is to engage people in dialogue, gain a victim’s trust, claim a time-sensitive emergency, and then dupe people into buying cards and emailing or texting them the redemption codes.
Unfortunately, there is very little that can be done to stop people from employing these tactics. Free accounts for spoofing are available from a wide variety of sources, social media is a great tool for mining data about individuals, and websites provide enough information about an organization to target specific departments.
The best available defense is to arm oneself with knowledge. For starters, you might take this time to review methods for recognizing common phishing attempts and apply those concepts to future communication at work and at home.
The following example is one of several provided to IITS by employees at LBCC. It shows a common method for furthering the conversation and applying pressure.
Email 1, spear phisher asks:
Email 2, spear phisher states:
I’m in a meeting right now and that’s why I’m contacting you through here. I should have call you, but phone is not allowed to be use during the meeting. I don’t know when the meeting will be rounding up, And I want you to help me out on something very important right away.
Email 3, spear phisher states:
I need you to help me get an iTunes gifts for card from the store, I will REIMBURSE you back when I get to the office. I need to send it to someone and it is very important cause I’m still at the meeting and I need to get it sent as soon as Possible.
In each case, the email came from a spoofed account, used an accurate signature line, and was aimed at employees that work in the same department or a closely related one.
Many sites, such as Google, offer methods for troubleshooting spoofing emails including a specific means to report it. For example, if you find that someone is using a fake Google account in an attempt to appear as though they are you, you are encouraged to report the problem. Other account and email providers have their own methods to report phishing and/or spoofing.
As the number of new phishing scams grows, we must be increasingly mindful and diligent in our handling of email. For a sense of scale, and a bit of insight, have a quick look at some of the top email scams of 2018.