Scam Of The Week: CEO Fraud bad guys are now bribing your users

Today saw the arrival of yet another interesting variant of the gift card phishing campaigns that have grown into a deluge over the past few months (see below). Today's email demonstrates that bad guys are actively adapting and evolving their pitch.

There are a couple of interesting things going on in this new gift card phish:

1. The bad guys work to establish a credible pretext ("incentives" for staff) -- something they've been getting better at recently.

2. They explicitly request confidentiality -- another tactic we've been seeing more of recently.

3. They're getting really greedy -- $4000 total in gift cards, the largest request we've yet seen (most requests in these gift card phishing schemes range from $500-$2000).

But there's something else very significant going on here -- something we've not seen before in this kind of phishing scheme.


4. The bad guys incentivize the entire scheme by offering the recipient a bribe ("take one for yourself"), a ploy which, in a way, seeks to turn the email recipient into a co-conspirator.

The bribe is a really smart move. It costs the bad guys nothing (they're spending someone else's money, after all) and provides a strong, material motivation to comply.

Indeed, we began wondering: why haven't the bad guys done this before? If you're attempting to trick people into taking actions that are ultimately against their own interest, it helps to grease a few palms, thus doing something to change that equation.

In fact, the bad guys have done this kind of thing before: in money mule schemes, where the bad guys offer a cut of the money being moved to the mark/victim in order to incentivize participation in the operation.

How many of your users will jump at the chance to pick up a cool $500? Our guess is (unfortunately): more than a few.
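An added example, not part of the original post or any KnowBe4 tooling: a small Python heuristic that scores a message for the traits described here (gift card request, "incentives" pretext, confidentiality request, bribe, request to email or text the card numbers) and estimates the dollar total requested. The phrase patterns, the sample message and the hold threshold are assumptions to tune against your own mail.

```python
import re
from email import message_from_string

# Constructed sample (not the email from the post); example.com addresses are placeholders.
SAMPLE = """\
From: "Pat Example (CEO)" <ceo@example.com>
To: staff.member@example.com
Subject: Quick task

I want to surprise some of the staff with incentives. Please keep this
confidential until I announce it. Pick up 8 gift cards at $500 each, take
one for yourself, and email me the card numbers once you have them.
"""

# One pattern per trait described in the post; the exact wording is an assumption to tune.
SIGNALS = {
    "gift_card": re.compile(r"\bgift\s*cards?\b", re.I),
    "pretext": re.compile(r"\b(incentives?|rewards?|surprise|appreciation)\b", re.I),
    "confidentiality": re.compile(r"\b(confidential|between us|keep (this|it) (quiet|private))\b", re.I),
    "bribe": re.compile(r"\b(take|keep|get) one for yoursel(f|ves)\b", re.I),
    "send_codes": re.compile(r"\b(email|text|send)\b[^.]{0,40}\b(numbers?|codes?|pins?)\b", re.I),
}
AMOUNT = re.compile(r"\$\s?(\d[\d,]*)(\s+(?:each|apiece))?", re.I)
# A card count is a bare number before "gift card(s)", not part of a dollar figure.
QUANTITY = re.compile(r"(?<![$\d,.])\b(\d{1,3})\s+(?:\w+\s+)?gift\s*cards?\b", re.I)
USUAL_MAX = 2000  # the post puts most requests at $500-$2000

def requested_total(text):
    """Largest dollar figure in the text; per-card prices are multiplied by the card count."""
    qty = QUANTITY.search(text)
    count = int(qty.group(1)) if qty else 1
    totals = [int(m.group(1).replace(",", "")) * (count if m.group(2) else 1)
              for m in AMOUNT.finditer(text)]
    return max(totals, default=0)

def score_message(raw):
    """Score an RFC 5322 message string; bodies are assumed to be unencoded text/plain."""
    msg = message_from_string(raw)
    parts = [p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain"]
    text = " ".join(" ".join([msg.get("Subject", "")] + parts).split())
    hits = sorted(name for name, rx in SIGNALS.items() if rx.search(text))
    total = requested_total(text)
    return {
        "signals": hits,
        "total": total,
        "above_usual_range": total > USUAL_MAX,
        # Hold for review when a gift card request comes with two or more other traits.
        "hold": "gift_card" in hits and len(hits) >= 3,
    }
```

Calling `score_message(SAMPLE)` reports all five signals and a $4000 total for the constructed message; a hit is a reason to hold the message for the live phone-call confirmation, not a verdict by itself.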

I suggest you send the following to your employees right away. You're welcome to copy, paste, and/or edit:

The bad guys are getting creative with hybrid gift card / CEO Fraud scams. They have mutated into campaigns where they impersonate an executive and urgently ask for gift cards to be bought for customers, while allowing the employee to take one for themselves too. The numbers need to be emailed or texted to "the boss" after the cards are physically bought at stores. Never comply with requests like that, and always confirm using a live phone call to make sure this is not a scam. Sometimes it's OK to say "no" to the CEO!

Can Your Domain Be Spoofed?

Did you know that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain? Now they can launch a "CEO fraud" spear phishing attack on your organization.

KnowBe4 can help you find out if this is the case with our free Domain Spoof Test.

One email from us to you shows if your email server is configured correctly. To enter, just go here and fill out the form; it's quick, easy and often a shocking discovery.

Let's stay safe out there.

Warm regards,

Stu Sjouwerman

Founder and CEO, KnowBe4, Inc



Topics: Phishing, CEO Fraud
