The Hidden Cost of "Free" Gifts: How Survey Scams Are Evolving to Steal Financial Data

KnowBe4 Threat Lab | Aug 22, 2025

You've probably seen them: enticing online offers for free products from brands you trust, like a Yeti beach chair from Costco or an emergency car kit from AAA.

All you have to do is fill out a quick survey and pay a small "shipping fee" of a couple of dollars. But what seems like a harmless transaction is actually a sophisticated scam with a high price tag.

The KnowBe4 Threat Lab team has been tracking a phishing campaign where scammers use these fake surveys to steal financial data. While the initial loss might seem trivial (just a few dollars for shipping), the reality is far more costly.

The Initial Survey Phishing Email 

Screenshot of a survey scam phishing email impersonating AAA, viewed in the PhishER portal

Above is an example of a survey scam that impersonates AAA, offering the recipient a ‘free’ car emergency kit reward. All they have to do is click the link in the email, which takes them to a fake website where they are asked to fill out a short survey and pay a small shipping fee to receive their ‘reward’.

Below are two more examples from United Healthcare and Costco. The United Healthcare example is a screenshot of the webpage the recipient would be taken to if they were to click the link in an initial phishing email.

Screenshot of the phishing survey website that impersonates United Healthcare, offering a Medicare Kit. 

Screenshot of a phishing email that impersonated Costco, offering a Yeti Beach Chair gift. 

In our follow-up blog, "The Technical Sophistication Behind the 'Free' Gift Scam", we will discuss the advanced technical elements that allow such a seemingly simple phishing email to get through legacy detection technologies such as secure email gateways (SEGs).

From a Small Fee to Significant Fraud

When you enter your credit card information for that small fee, you are not just losing a couple of dollars. Instead, you are giving criminals direct access to your payment details, name, address and other personal information. This data can then be used in several ways:

  • Unauthorized charges: Scammers can make fraudulent charges on your card, often for much larger amounts than the original "shipping fee". You might see a recurring subscription charge you never authorized or a major purchase you did not make.
  • Identity theft: The personal information you provide, combined with the payment data, can be used to open new lines of credit in your name, access your accounts and engage in other forms of identity theft.
  • Selling your data: Your information is a commodity on the dark web. It can be bundled and sold to other criminals, leading to a cascade of future attacks and fraud.

The Human Motivations Behind the Scam

These attacks work because they're not just technically clever; they also prey on human nature. The small shipping fee is a key part of the deception. It's a classic "foot-in-the-door" technique. The amount is so insignificant that our usual defenses against financial fraud don't activate. We think, "It's only two dollars; what's the harm?" This small commitment makes us more likely to complete the transaction and provide our sensitive information.

The surveys themselves are designed to keep you engaged using several tricks:

  • Urgency and scarcity: Countdown timers and messages like "Only 3 items remaining!" create a sense of urgency, pressuring you to act before you have time to think.
  • Trust and authority: When scammers use well-known brand names like UnitedHealthcare, they're exploiting the authority bias heuristic. This is our tendency to automatically trust and follow the advice of authority figures or brands we perceive as trustworthy, without critically evaluating their claims. 
  • Progress and investment: A progress bar makes you feel like you've already invested time in the survey, making you more likely to finish it to see the "reward".
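
For defenders triaging user-reported mail, the lure traits described in this post (a "free" reward, a survey, a small shipping fee, plus scarcity or urgency cues) can be combined into a simple text heuristic. This is an added example, not KnowBe4's detection logic; the regexes, the triage rule and the sample messages are assumptions constructed for illustration.

```python
import re

# Signals come from the article's description of the lure; the regexes
# and the decision rule below are assumptions made for this example.
SIGNALS = {
    "free_reward": re.compile(
        r"\b(free|complimentary)\b.{0,40}\b(gift|reward|kit|chair)\b", re.I | re.S),
    "survey": re.compile(r"\bsurvey\b", re.I),
    "small_fee": re.compile(
        r"\b(shipping|handling|delivery)\b.{0,30}\b(fee|cost|charge)\b", re.I | re.S),
    "scarcity": re.compile(r"\bonly\s+\d+\s+(items?|kits?|left|remaining)\b", re.I),
    "urgency": re.compile(
        r"\b(expires?|ends?)\s+(today|soon|in\s+\d+)|\bact\s+now\b|\bcountdown\b", re.I),
}

# The combination the article highlights: reward + survey + payment ask.
CORE = ("free_reward", "survey", "small_fee")


def match_signals(text):
    """Return the sorted names of every lure signal found in the text."""
    return sorted(name for name, rx in SIGNALS.items() if rx.search(text))


def triage(text):
    """Classify a message body as 'escalate', 'review' or 'pass'."""
    hits = set(match_signals(text))
    core = sum(1 for name in CORE if name in hits)
    pressure = len(hits - set(CORE))  # scarcity / urgency cues
    if core == 3:
        return "escalate"   # full reward + survey + fee pattern
    if core == 2 and pressure >= 1:
        return "review"     # partial pattern backed by pressure tactics
    return "pass"


# Constructed sample messages (not taken from real campaign mail).
LURE = ("Congratulations! You have been selected to receive a FREE car "
        "emergency kit. Complete our quick survey and pay only a small "
        "shipping fee of $2. Only 3 items remaining!")
PARTIAL = "Take our short survey for a free gift. Offer ends today."
BENIGN = ("Your order has shipped. The shipping fee of $4.99 was charged "
          "to your card. Track your package on our website.")

if __name__ == "__main__":
    for label, body in (("lure", LURE), ("partial", PARTIAL), ("benign", BENIGN)):
        print(label, triage(body), match_signals(body))
```

A single signal such as a shipping fee is common in legitimate mail, which is why the rule keys on the co-occurrence of signals rather than on any one phrase.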

Protecting Yourself 

You can protect yourself by being skeptical of any offer that seems too good to be true, even from a brand you trust. Legitimate promotions rarely ask for credit card details for a truly free item. Instead of clicking links in emails, go directly to the company's official website to verify the offer. And remember, the real cost of a "free" gift can be far greater than the price of shipping.

For a deeper dive into how these criminals are bypassing security tools, read our technical breakdown in the blog, "The Technical Sophistication Behind the 'Free' Gift Scam".

