How to Stop Gift Card Scams

Posted by Catherine Young

Why does the Gift Card Scam slip through most anti-phishing software solutions?

Because most anti-phishing software only analyzes attachments or scans for suspicious links in an email. Gift Card Scam emails are dangerous because they do not have attachments or even links to click — they simply look like emails from someone important in an organization asking for help, but are actually from a cybercriminal. 

The "From:" line of an email can display any name, so a hacker can write a CEO's name but actually send the email from their email address. One hacker did this in an email sent to an INKY customer, putting a CEO's name in the "From:" line and sent this to an employee:

"There is something I need you to do for me. Let me know if you are available. I am going into a meeting with limited access to phone calls, just reply to my email and I will get back to you." 

Gift Card Scam emails start like this, where the leader of a company asks for a favor and also mentions that he or she is too busy to talk on the phone. The scammer expects the employee to be so flattered that the boss wants their help that they will quickly respond. 

How do I detect gift card scams in email?

Fortunately, our customer has INKY. INKY’s true machine learning develops behavior profiles and social graphs that identify suspicious behavior or identities. When INKY sees an email from a sender that doesn’t match a known profile, it sends an impersonation warning. Here, INKY displayed a prominent red "Danger!" banner at the top of the email with these warnings:

 gift-card-first-message-details

Our customer knew this was a fraudulent email but decided to play along with this hacker. While we never recommend replying to phishing emails, we found this amusing:

gift-card-conversation

As you can see, the scammer played the part of a busy but appreciative executive. He tells the employee "you will keep it secret from others" since these gift cards will be a surprise for deserving employees. To allay any suspicions this request might cause, he adds a reminder to "attach a picture of the receipt" for this $2,000 purchase to be expensed. The scammer is likely hoping to resell these gift card numbers and PINs on the dark web. 

Protecting employees from email scams.

Thanks to INKY, this company was protected from the Gift Card Scam. If an email had a malicious attachment or dangerous link, INKY would have detected those as well. This is why we say that INKY is the smartest investment you can make in the security of your organization.

Want to see a live demo of INKY? Let's schedule a time to do a quick walk-through and talk about your email security issues.

 

 

 

 

 

Topics: spear phishing, email fraud