Business email compromise (BEC) is one of the most impactful techniques in the present-day con artists’ toolkit.
To execute this type of attack, cybercrooks hack or spoof an email account of an organization’s senior manager and send fake invoices on behalf of this trusted person to contractors or employees within the same company. The goal is to hoodwink the recipients into wiring money to the criminals.
This vector of cyber fraud has reached tremendous heights over time, eclipsing corporate data breaches and ransomware in damages.
According to the latest Internet Crime Report by the FBI, reported losses from BEC scams amounted to $1.77 billion in 2019. For the record, that’s nearly half of last year’s total cybercrime losses.
Gift Card Frauds On The Rise
Amidst this rampant social engineering epidemic, malicious actors are increasingly switching to a new rip-off tactic that might appear marginal at first sight. Unlike a classic BEC scenario where an impostor requests a wire transfer, the surging trend is to ask for gift cards instead.
This model has matured significantly during the past few years. As per the findings of email security provider Agari, it accounted for 65% of all business email compromise scams in Q3 2019.
This variant of the hoax mainly zeroes in on smaller organizations and nonprofits that aren’t very likely to have sophisticated anti-phishing mechanisms in place. The usual targets are town schools, healthcare facilities, churches, and charities.
The logic behind this stratagem is to impersonate a would-be victim’s boss or colleague and request a certain number of gift cards, stating that it’s supposed to be a surprise for a long-term supplier, an end-of-year bonus for personnel, or similar.
The crooks typically ask for Apple iTunes, Google Play, Amazon, or Steam Wallet gift cards. Sometimes, they request cards from stores like Walmart, Walgreens, Target, or CVS.
The self-proclaimed manager instructs the target to scratch off the panel on the back of each card and send the codes. If the cards are digital, he’ll say he needs screenshots of the codes.
To set this swindle in motion, scammers may mimic a staff member’s email address by adding a few hardly conspicuous characters. Email spoofing is a more effective technique that plays into the attackers’ hands, making the sender’s address look identical to the legitimate one. Sometimes, the criminals can infect a company’s servers with malware that steals email credentials.
Why Business Email Compromise Gift Cards?
Going the wire transfer route seems to make more sense from an attacker’s perspective because the requested amount can reach tens of thousands of dollars. In a gift card BEC scam, the sum usually ranges between $1,000 and $2,000.
However, the latter technique provides fraudsters with several game-changing advantages.
- More victims – more money. The scope of targets isn’t limited to finance or HR employees who can initiate wire transfers. A much larger number of potential victims means that the crooks can rake in more money despite a relatively low success rate.
- There is a low chance of exposure. Victims are unlikely to tell their co-workers about the fraudulent request until they realize they have been scammed. The reason is simple: if you are going to make a gift, you keep it secret.
- Anonymity. Gift cards are nearly impossible to track down. Furthermore, these purchase transactions are irreversible, for the most part. It means the malefactors can resell or use them to buy goods without worrying about being caught.
- Quick cash. The criminals don’t have to rely on intermediary services to receive fraudulent gains. This isn’t the case with wire transfers, where so-called “money mules” are recruited to launder ill-gotten funds through their bank accounts. Law enforcement agencies and financial institutions have become proficient in identifying and blocking these mule accounts. Gift card scammers skip this stage altogether.
Aside from the above benefits, there are several downsides to BEC frauds that piggyback on Apple iTunes and other types of gift cards. One of them is that crooks lose much of the cards’ value when exchanging them for cryptocurrency as part of the laundering process.
Another drawback is that it’s challenging to defraud victims of more than a few thousand dollars worth of cards in a single attack.
The Cash-out Process
Once gift cards have been illegally obtained from an unsuspecting victim, the next thing on BEC scammers’ checklist is to convert them into fiat money. Researchers from Agari, the firm mentioned above, provide insights into this workflow based on the activity of a high-profile Nigerian cybercriminal group codenamed Scarlet Widow.
According to the analysts’ observations, the monetization chain revolves around a peer-to-peer marketplace called Paxful.
This US-based entity supports numerous payment channels for purchasing cryptocurrency, gift cards being among these methods. Notably, the exchange rate for iTunes gift cards on Paxful fluctuates between 40 and 80 cents’ worth of Bitcoin for every $1 of card value, so the felons lose a good deal of the original value.
After completing the transaction, the resulting cryptocurrency is deposited into a Paxful wallet. From there, it is forwarded to another exchange service called Remitano, which allows users to trade Bitcoin for regular currencies. Having negotiated the price with a buyer, the fraudsters get the funds via a bank transfer. From that moment on, they can safely withdraw the money from their bank account.
Seasoned business email compromise scammers can play this trick super-fast. In one episode, the Scarlet Widow crew reportedly duped an administrator at an Australian university into sending them $1,800 worth of iTunes gift cards. Agari researchers claim it took the con artists more than two hours to go through the cash-out chain.
How To Avoid Being Scammed?
The easiest and most effective way to steer clear of these scams is to confirm every request to purchase a gift card with the colleague who supposedly sent it. A quick phone call or an extra email to the contact in your address book will suffice to check whether the “do me a favour” thing is real.
Also, watch out for a few telltale signs of such an attack. The impostor will usually emphasize that he is caught up in meetings all day and won’t be available on the phone, and will typically claim the issue is urgent to pressure the target. Another precaution is scrutinizing the sender’s email address for inaccuracies if you suspect the request might be fishy.
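As an added illustration (not code from the article or from Agari), the following Python heuristic turns the red flags described above and in the section on lookalike and spoofed addresses into a simple mail-triage check: a colleague’s display name on a foreign mailbox, a near-miss of the real domain, a gift card request, urgency or “can’t take calls” pressure, and a request for card codes or screenshots. The organization domain, staff directory and sample messages are constructed for the example.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumed organisation domain and staff directory (constructed for this example).
ORG_DOMAIN = "example-school.org"
DIRECTORY = {"jane doe": "jane.doe@example-school.org"}

GIFT_CARD_TERMS = ("gift card", "itunes", "google play", "steam", "amazon")
PRESSURE_TERMS = ("urgent", "asap", "right away", "in meetings", "in a meeting",
                  "can't take calls", "cannot take calls")

def score_message(from_header, subject, body):
    """Score one inbound message against the article's red flags.
    Returns (score, reasons); each matched red flag adds one point."""
    reasons = []
    name, addr = parseaddr(from_header)
    name = re.sub(r"\s+", " ", name).strip().lower()
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    known = DIRECTORY.get(name)
    if known and addr != known:  # familiar name, unfamiliar mailbox
        reasons.append("display name matches a colleague but mailbox differs")
    if domain and domain != ORG_DOMAIN and \
            SequenceMatcher(None, domain, ORG_DOMAIN).ratio() >= 0.8:
        reasons.append("lookalike domain: " + domain)  # e.g. one swapped character
    text = (subject + "\n" + body).lower()
    if any(t in text for t in GIFT_CARD_TERMS):
        reasons.append("requests gift cards")
    if any(t in text for t in PRESSURE_TERMS):
        reasons.append("urgency or unavailable-by-phone pressure")
    if re.search(r"\b(scratch|codes?|screenshots?)\b", text):
        reasons.append("asks for card codes or screenshots")
    return len(reasons), reasons

def triage(messages, threshold=2):
    """Return the subjects of messages scoring at or above the threshold."""
    return [m["subject"] for m in messages
            if score_message(m["from"], m["subject"], m["body"])[0] >= threshold]

# Constructed sample traffic, not real messages.
FRAUD = {"from": "Jane Doe <jane.doe@example-schoo1.org>", "subject": "Quick favour",
         "body": "I'm in meetings all day and can't take calls. Please buy four Google "
                 "Play gift cards for a supplier, scratch the back and send me the codes ASAP."}
LEGIT = {"from": "Jane Doe <jane.doe@example-school.org>", "subject": "Budget figures",
         "body": "Please bring the Q3 spreadsheet to Thursday's budget review."}
```

A flagged message is a prompt to confirm the request out of band with the colleague in your address book, which is the control the article recommends.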
Although these symptoms are easy to identify, gift card scams continue to skyrocket, and this probably won’t change anytime soon. Under the circumstances, the importance of social engineering awareness training within organizations is hard to overestimate.
About the Author:
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs Privacy-PC.com and MacSecurity.net projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.