Attackers Impersonate CEOs to Scam Employees into Sending Gift Cards for the Holidays



A crafty mix of social engineering, great timing, and context acts as the perfect set of ingredients to trick unwitting users into buying gift cards and placing them into the hands of the attacker.

At the end of the year, nearly every company is thinking about holiday bonuses, corporate gifts, and holiday greeting cards for customers. So, it’s not unusual to think that the head of an organization might want to give out some gift cards to select employees at this time of year.

This all-too-common scenario is being taken advantage of by cybercriminals, according to the latest threat spotlight from security company Barracuda. Using simple impersonation tactics, the bad guys pose as the CEO asking an office manager, executive assistant, or receptionist to discreetly purchase some gift cards that will be used as gifts to employees.

Using well-researched personnel details, these cybercriminals identify an appropriate individual to target and send them an email from the CEO’s supposed personal account, conveying a sense of urgency to move the victim to act.

What makes these attacks so successful boils down to a few factors:

  1. They are filled with contextual goodness – these attacks get so many details right: the CEO’s name, the recipient selected, the time of year, and the reason for the gift card purchase. In an employee’s mind, this is all very plausible.
  2. There’s no malware – this is a malware-less attack, with no links or attachments for an AV or endpoint protection solution to spot.
  3. They leverage the power of the CEO – this is important. When the CEO says “jump,” people generally ask “how high?” The fact that the request is coming from the CEO is usually sufficient motivation to make the recipient comply.

I can think of only two real ways to stop attacks like this:

  • Process – anytime a request is made to purchase something over a certain amount via email, a phone call should follow to verify the request.
  • Education – users who continually go through Security Awareness Training should spot this a mile away. The email details and the abnormality of the request are red flags to a user with an elevated security mindset. Users undergoing Security Awareness Training are educated on the scams being run, the tactics used, what to look for, and, generally, to maintain a state of vigilance in their interaction with email and the web.
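Because there is no malware to catch, the signals left are the ones the post lists: the CEO’s name on an outside “personal” mailbox, a gift-card purchase, discretion and urgency. The following added example (not code from the original post or from Barracuda) scores a message on exactly those traits so it can be routed for the phone-call verification described under Process; the corporate domain, executive name and sample messages are constructed values.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample values: the organization's own domain and its executives.
CORPORATE_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}          # normalized display names to protect
# Wording the scam relies on: gift cards, discretion, urgency.
SCAM_PHRASES = ("gift card", "keep this between us", "discreet",
                "right away", "can't take calls", "send me the codes")

def _body_text(msg) -> str:
    """Concatenate the text/plain parts (a single-part message walks as itself)."""
    return " ".join(p.get_payload() for p in msg.walk()
                    if p.get_content_type() == "text/plain")

def score_message(raw: str) -> dict:
    """Flag a From display name that matches an executive but comes from
    outside the corporate domain, and list any scam wording found."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.lower().rsplit("@", 1)[-1] if "@" in addr else ""
    name = re.sub(r"\s+", " ", display).strip().lower()
    external_exec = name in EXECUTIVE_NAMES and domain != CORPORATE_DOMAIN
    text = (msg.get("Subject", "") + " " + _body_text(msg)).lower()
    phrases = [p for p in SCAM_PHRASES if p in text]
    # Either tell alone is enough to hold the request for out-of-band verification.
    return {"suspicious": external_exec or len(phrases) >= 2,
            "external_executive": external_exec,
            "sender": addr, "phrases": phrases}

# Constructed sample messages: one impersonation attempt, one routine request.
SCAM_SAMPLE = """\
From: Jane Doe <janedoe.personal@mail.example>
To: assistant@example.com
Subject: Quick favor

Hi, I need you to buy some gift cards for the team today. Keep this between us,
I'm in a meeting and can't take calls. Send me the codes right away.
"""
LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: assistant@example.com
Subject: Holiday cards

Please order the customer holiday cards from the usual vendor.
"""

if __name__ == "__main__":
    for sample in (SCAM_SAMPLE, LEGIT_SAMPLE):
        print(score_message(sample))
```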

This impersonation attack is simple but effective. Protect your organization by empowering your users to be a line of defense in your security strategy before an attack like this hits.


Can hackers spoof an email address of your own domain?

Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit "CEO Fraud", penetrating your network is like taking candy from a baby.

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against, unless your users are highly ‘security awareness’ trained.

Find out now if your domain can be spoofed. The Domain Spoof Test (DST) is a one-time free service. Run this test so you can address any mail server configuration issues that are found.

Try To Spoof Me!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/domain-spoof-test/


