Today saw the arrival of yet another interesting variant of the gift card phishing campaigns that have grown into a deluge over the past few months (see below). Today's email demonstrates that bad guys are actively adapting and evolving their pitch.
There are couple interesting things going in this new gift card phish:
1. The bad guys work to establish a credible pretext ("incentives" for staff) -- something they've been getting better at recently.
2. They explicitly request confidentiality -- another tactic we've been seeing more of recently.
3. They're getting really greedy -- $4000 total in gift cards, the largest request we've yet seen (most requests in these gift card phishing schemes range from $500-$2000).
But there's something else very significant going on here, however -- something we've not seen before in this kind of phishing scheme.
4. The bad guys incentivize the entire scheme by offering the recipient a bribe ("take one for yourself"), a ploy which, in a way, seeks to turn the email recipient into a co-conspirator.
The bribe is a really smart move. It costs the bad guys nothing (they're spending someone else's money, after all) and provides a strong, material motivation to comply.
Indeed, we began wondering: why haven't the bad guys done this before? If you're attempting to trick people into taking actions that are ultimately against their own interest, it helps to grease a few palms, thus doing something to change that equation.
In fact, the bad guys have done this kind of thing before: in money mule schemes, where the bad guys offer a cut of the money being moved to the mark/victim in order to incentivize participation in the operation.
How many of your users will jump at the chance to pick up a cool $500? Our guess is (unfortunately): more than a few.
I suggest you send the following to your employees right away. You're welcome to copy, paste, and/or edit:
The bad guys are getting creative with hybrid giftcard / CEO Fraud scams, They have mutated into campaigns where they are impersonating an executive and urgently ask for gift cards to be bought for customers, and allowing the employee to take one themselves too. The numbers need to be emailed or texted to "the boss", after they are physically bought at stores. Never comply with request like that and always confirm using a live phone call to make sure this is not a scam. Sometimes it's OK to say "no" to the CEO!
One email from us to you shows if your email server is configured correctly. To enter just go here fill out the form, it's quick, easy and often a shocking discovery.
Let's stay safe out there.
Warm regards,
Stu Sjouwerman
Founder and CEO, KnowBe4, Inc