The Newest Business Email Compromise Request: Gift Cards
Quick Answer
Business email compromise has shifted from wire transfer fraud to gift card requests. The APWG Phishing Activity Trends Report found gift cards were the requested payout in 65 percent of BEC attacks, because they're more anonymous than wires, harder to reverse, and don't require an intermediary mule account. The dollar amount per incident is lower than with a wire BEC, but volume more than makes up for it. Most-requested cards: Google Play (41 percent), Steam Wallet (12 percent), Amazon (9 percent), Apple iTunes (8 percent). The standard pretext is an executive-impersonation email asking the recipient to buy cards urgently, scratch off the codes, and email the digits back. Defenses: written purchase policies that include gift cards in the same out-of-band verification rule as wire transfers, plus cloud email security with link click protection and impersonation detection at the gateway.
The purpose of Business Email Compromise (BEC), a type of phishing attack, is to target employees with access to company finances and trick them into sending money to the hacker. In the past this almost always meant a wire transfer.
From the hacker's standpoint, there are two problems with wire transfers. First, they're hard to keep anonymous: the hacker has to send some information about where to transfer the money. Second, companies are getting wise to this and changing policies to ensure all wire transfer requests are verified through a second channel.
As companies wise up, hackers change their tactics. Now, according to the latest Phishing Activity Trends Report, the newest version of BEC seeks payment in the form of gift cards. According to the report, “Gift cards were requested in 65% of business email compromise (BEC) attacks.”
The report continued, “because they are more anonymous, less reversible, and do not require the use of a mule intermediary, gift cards have quickly emerged as the most popular cash out option for scammers over the past year.”
The good news, if there is any, is that “the amount of money that an attacker can make in each gift card BEC attack is significantly less than with a wire transfer.”
Which gift cards were the most requested? “By far, the most common gift card requested by BEC scammers was for Google Play, Google’s online app store (41%). That was followed by gaming site Steam Wallet (12%), Amazon (9%), and Apple iTunes with (8%).”
If someone sends you an email requesting that you buy them a gift card, you now know there’s a good chance it’s a scam. It’s especially worrisome if they tell you to buy the card, scratch off the back and email them the 16 digits.
There’s no doubt companies will respond by amending their purchase policies to include gift cards, eventually. In the meantime, another way to protect your company against BEC is with a cloud-based email security service with real-time link click protection. Our service can be set up in 10 minutes, comes with 24/7 live customer support and costs much, much less than a gift card.
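The pretext described above (an executive's name, urgency, a gift card brand, and a request to send back the codes) can be expressed as a gateway-side heuristic that holds a message for out-of-band verification. This is an added example, not code from the report or from any vendor's product; the domain, executive names, patterns and sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                     # assumption: your own mail domain
EXECUTIVES = {"dana reyes", "sam whitfield"}   # assumption: constructed names

CARD = re.compile(r"(google\s*play|steam|amazon|itunes|apple)\s+(gift\s*)?"
                  r"(cards?|wallet)|gift\s*cards?", re.I)
URGENT = re.compile(r"\b(urgent(ly)?|asap|right away|immediately)\b", re.I)
CODES = re.compile(r"scratch|\b(codes?|digits)\b", re.I)
STRONG = {"exec_name_external_sender", "reply_to_mismatch", "code_request"}

# Constructed sample messages (not real mail).
BEC_SAMPLE = (
    'From: "Dana Reyes" <dana.reyes@example.net>\n'
    "Reply-To: exec.office@example.org\n"
    "To: pat@example.com\n"
    "Subject: Quick task\n\n"
    "Are you at your desk? I need five Google Play gift cards urgently.\n"
    "Scratch off the back and email me the codes.\n")
RAFFLE_SAMPLE = (
    'From: "HR Team" <hr@example.com>\n'
    "To: all@example.com\n"
    "Subject: Holiday raffle\n\n"
    "Winners of the holiday raffle receive Amazon gift cards at the party.\n")

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def signals(raw):
    """Return the set of gift-card BEC indicators found in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    name, sender = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    part = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{part.get_content() if part else ''}"
    found = set()
    # Executive display name on an address outside the organisation's domain.
    if " ".join(name.lower().split()) in EXECUTIVES and _domain(sender) != ORG_DOMAIN:
        found.add("exec_name_external_sender")
    if reply_to and _domain(reply_to) != _domain(sender):
        found.add("reply_to_mismatch")
    for label, rx in (("gift_card", CARD), ("urgency", URGENT), ("code_request", CODES)):
        if rx.search(text):
            found.add(label)
    return found

def should_hold(found):
    """Hold when a gift card ask coincides with an identity or code-request signal."""
    return "gift_card" in found and bool(found & STRONG)
```

A gift card mention on its own does not trigger a hold, so routine internal mail such as the raffle notice passes; the hold applies the same second-channel verification rule the policy already uses for wire transfers.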
General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

