The use of gift cards has steadily increased over the last several years due to their convenience. Total projected gift card sales were $160 billion last year. And while they make it easier to give someone a gift they won’t have to return, they’re also nearly untraceable, which makes them a popular target for scammers.
Legitimate gift card purchases weren’t the only thing to increase last year. The Federal Trade Commission also saw a 95% surge in payments to criminals in the form of gift and reload cards.
What does this mean for your office?
There’s a common gift card scam that has been making its way around offices for a few years, and it’s especially prevalent around the holidays, when it’s not unusual for companies to purchase gift cards for clients or as part of a charity drive.
The scam usually targets a lower-level employee or a new hire, who may be easier to fool and who is most likely to act without thinking in order to please their boss or simply to stay out of trouble. Companies that don’t perform regular IT security training for employees are particularly susceptible.
How the Office Gift Card Scam Works
The targeted employee may receive a text or an email that appears to be from their boss or someone else in an upper-level position within their office. It says something along the lines of:
“I’m about to walk into a large client meeting with Acme Electronics and just realized that we completely dropped the ball on getting holiday gift cards for our high-level customers. Please purchase 15 Amazon gift cards in the amount of $50 each and send me the codes ASAP! I need to have these in the next 30 minutes.
Since you don’t have a company card, please use your personal card to purchase them, and as soon as I’m back at the office this afternoon, I’ll reimburse you.
I’ll be in meetings for the next 1 to 2 hours and will be unreachable by phone or text. Just reply to this email with the numbers within 30 minutes. It’s urgent! I won’t forget how you helped us out in a jam. Thanks!”
The email is typically crafted to look legitimate at first glance. It will address the recipient by name, have the appropriate signature, and the client mentioned may actually be one of the company’s real clients.
So, what happens is the employee rushes to purchase the gift cards as the email requests. The 30-minute clock is looming large, so they log in to Amazon’s site without thinking… they don’t want to let their boss down and also want to be that person that helps out in a jam, just like the sender said.
They email the gift card codes. Then later when they mention the reimbursement, their boss has no idea what they’re talking about and says they never sent the email in the first place. The employee was scammed and of course, the gift cards are already redeemed.
But the email looked so real, and used real information such as names, titles, and a client’s name.
Here’s how this looks from the scammer’s point of view, which will explain how the email looked so real:
- Look up employee and position lists on LinkedIn to find targets and high-level positions
- Research company’s website to find out who some of their clients are
- Spoof an email from a higher-level position and send it to a lower-level position
- Use urgency (30 minutes) and an assumptive close “I won’t forget how you helped us out in a jam” to improve chances the employee will take the bait
- Get gift card numbers when employee emails them and sell them immediately on the Dark Web for bitcoin
- Transfer the bitcoin to dollars (pay day!)
Avoid Being Fooled by the Gift Card Scam
If you take a step back and think before acting, you can often keep yourself from making a costly mistake and being fooled by this scam (as well as others).
Here are some tips to improve your cybersecurity acumen.
Verify Requests Before Acting
When receiving a financial request by email or text message, it’s always a good idea to verify this by speaking with the person directly before you do anything. Scammers purposely use the “I’m going to be unreachable” ploy in their messages to keep you from doing just that. Don’t fall for it!
Question Unusually Urgent Requests
Urgency is a common tactic used by scammers to get you to act before you have time to think and evaluate the request properly. Take a step back when you receive an unusually urgent request, especially when it’s financial or asking for a password.
Don’t Be Fooled by Personalization
Social media and corporate websites are a bonanza of personal and company information for cybercriminals. They do their homework because personalization and sprinkling in real facts gives their scams a higher success rate.
Scammers can easily find your name, your boss’s name and your positions online in any number of ways. Companies also often display on their site the logos or names of their biggest clients and note other things that can be used, like charities they support.
Avoid Falling for Flattery
Another tactic scammers use is flattery and the assumptive close, e.g. “Thanks so much for doing this, you’re always so efficient, I knew I could trust you to get it done.”
It is meant to make you want to act so that you live up to the flattery in the email.
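The warning signs described above (a boss’s name on an outside address, urgency, an “unreachable” sender, a request for gift card codes, flattery) can also be checked mechanically by a mail filter. The following Python example is added here and is not from the original article; the company domain, executive name, cue patterns and sample message are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed values for illustration: the organisation's mail domain and executive names.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"dana whitfield"}

# Pressure cues modelled on the sample scam message in this article.
CUES = {
    "gift_card": r"gift\s*cards?",
    "urgency": r"\b(asap|urgent|(within|next) \d+ minutes)\b",
    "unreachable": r"\bunreachable\b|in meetings? for",
    "personal_funds": r"personal card|reimburse",
    "send_codes": r"(send|reply).{0,40}(codes|numbers)",
    "flattery": r"won.t forget|knew i could trust you",
}

# Constructed sample message (not a real email).
SCAM = """From: Dana Whitfield <ceo.office@mailbox.example.net>
Reply-To: dana.w@inbox.example.org
To: new.hire@example.com
Subject: Urgent request

Please purchase 15 gift cards and send me the codes ASAP.
Use your personal card and I'll reimburse you this afternoon.
I'll be unreachable by phone. I won't forget how you helped us out.
"""

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def score_message(raw):
    """Return (score, reasons) for one RFC 5322 message string."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    reasons = []
    # An executive's display name on an address outside the company domain.
    if name.lower() in EXECUTIVES and domain_of(addr) != COMPANY_DOMAIN:
        reasons.append("exec_name_external_sender")
    # Replies diverted to a different domain than the visible sender.
    if reply_to and domain_of(reply_to) != domain_of(addr):
        reasons.append("reply_to_mismatch")
    reasons += [cue for cue, pat in CUES.items() if re.search(pat, text)]
    return len(reasons), reasons
```

A filter like this only raises a flag for review; the request still has to be confirmed with the supposed sender through a separate channel.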
Knowledge is Power (and Security)
Offering regular cybersecurity training for your staff goes a long way towards thwarting gift card scams and multiple other types of attacks. Genuine Technology Group offers comprehensive IT security training that can give your team the knowledge they need to protect themselves and your company from scammers.
Schedule a staff IT security training today by calling us at 971-288-0880 or using our webform.