Business email compromise (BEC) is one of the most impactful techniques in the present-day con artists’ toolkit. To execute this type of attack, cybercrooks hack or spoof the email account of an organization’s senior manager and send fake invoices on behalf of this trusted person to contractors or employees within the same company. The goal is to hoodwink the recipients into wiring money to the criminals.
This vector of cyber fraud has reached tremendous heights over time, eclipsing corporate data breaches and ransomware in terms of the damages. According to the latest Internet Crime Report by the FBI, the reported losses over BEC scams amounted to a whopping $1.77 billion in 2019. For the record, that’s nearly half of last year’s total cybercrime losses.
Gift card frauds on the rise
Amidst this rampant social engineering epidemic, malicious actors are increasingly switching to a new rip-off tactic that might appear marginal at first sight. As opposed to a classic BEC scenario where an impostor requests a wire transfer, the surging trend is to ask for gift cards instead. This model has matured significantly during the past few years. As per the findings of email security provider Agari, it accounted for 65% of all business email compromise scams in Q3 2019.
This variant of the hoax mainly zeroes in on smaller organizations and nonprofits that aren’t very likely to have sophisticated anti-phishing mechanisms in place. The usual targets are town schools, healthcare facilities, churches, and charities. The logic behind this stratagem is to impersonate a would-be victim’s boss or colleague and request a certain number of gift cards, stating that it’s supposed to be a surprise for a long-term supplier, an end-of-year bonus for personnel, or similar.
The crooks typically ask for Apple iTunes, Google Play, Amazon, or Steam Wallet gift cards. In some cases, they’ll request cards issued by stores such as Walmart, Walgreens, Target, or CVS. The self-proclaimed manager instructs the target to scratch out the back of each card and to send out the codes. If those are digital cards, he’ll say he needs the screenshots of the codes.
To set this swindle in motion, scammers may mimic a staff member’s email address by adding a few barely noticeable characters to it. Email spoofing is a more effective technique that plays into the attackers’ hands, making the sender’s address look identical to the legitimate one. Sometimes the criminals are able to infect a company’s servers with malware that steals email credentials.
Why gift cards?
From an attacker’s perspective, going the wire transfer route seems to make more sense because the requested amount can reach tens of thousands of dollars. In a gift card BEC scam, the sum usually ranges between $1,000 and $2,000. However, the latter technique provides fraudsters with several game-changing advantages.
- More victims – more money. The scope of targets isn’t limited to finance or HR employees who can initiate wire transfers. A much larger number of potential victims means that the crooks can rake in more money even despite a relatively low success rate.
- Low chance of exposure. Victims are unlikely to tell their co-workers about the fraudulent request until they realize that they have been scammed. The reason is simple: if you are going to make a gift, you keep it secret.
- Anonymity. Gift cards are nearly impossible to track down. Furthermore, these purchase transactions are irreversible, for the most part. It means the malefactors can resell them or use them to buy goods without worrying about being caught.
- Quick cash. The criminals don’t have to rely on middlemen services to receive fraudulent gains. This isn’t the case with wire transfers, where so-called “money mules” are recruited to launder ill-gotten funds through their bank accounts. Law enforcement agencies and financial institutions have become quite proficient in identifying and blocking these mule accounts. Gift card scammers skip this stage altogether.
Aside from the above benefits, there are several downsides of BEC frauds that piggyback on Apple iTunes and other types of gift cards. One of them is that crooks lose quite a bit of the cards’ value when exchanging them for cryptocurrency as part of the laundering process. Another drawback is that it’s difficult to defraud victims of more than a few thousand dollars’ worth of cards in a single attack.
The cash-out process
Once gift cards have been illegally obtained from an unsuspecting victim, the next thing on BEC scammers’ checklist is to convert them into fiat money. Researchers from the above-mentioned Agari firm provide insights into this workflow based on the activity of a high-profile Nigerian cybercriminal group codenamed Scarlet Widow.
According to the analysts’ observations, the monetization chain revolves around a peer-to-peer marketplace called Paxful. This is a US-based entity that supports numerous different payment channels for purchasing cryptocurrency, gift cards being among these methods. It’s noteworthy that the exchange rate for iTunes gift cards on Paxful fluctuates between 40 and 80 cents for $1 worth of Bitcoin, so the felons lose a good deal of the original value.
After the transaction is completed, the resulting cryptocurrency is deposited into a Paxful wallet. From there, it is forwarded to another exchange service called Remitano, which allows users to trade Bitcoin for regular currencies. Having negotiated the price with a buyer, the fraudsters get the funds via a bank transfer. From that moment on, they can safely withdraw the money from their bank account.
Seasoned BEC scammers can play this trick super-fast. In one episode, the Scarlet Widow crew reportedly duped an administrator at an Australian university into sending them $1,800 worth of iTunes gift cards. Agari researchers claim it took the con artists a little more than two hours to go all the way through the cash-out chain.
How to avoid being scammed?
The easiest and most effective way to steer clear of these scams is to confirm every request to purchase a gift card with the colleague who supposedly sent it. A quick phone call or an extra email to the contact in your address book will suffice to check whether or not the “do me a favor” thing is real.
Also, watch out for a few telltale signs of such an attack. The impostor will usually emphasize he is caught up in meetings all day and won’t be available on the phone. Also, the perpetrator will typically claim the issue is urgent in order to pressure the target. An additional precaution is to scrutinize the sender’s email address for inaccuracies if you suspect the request might be fishy.
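As an added illustration of the lookalike-address trick described earlier and the telltale signs just listed (example code written for this page, not from the article or from Agari): a small Python triage script that compares a sender against a directory of known addresses and flags the gift card, urgency and "send me the codes" cues. The directory, the addresses and the two messages are constructed, and the 0.85 similarity threshold is an assumed tuning value.

```python
from difflib import SequenceMatcher

# Constructed directory of the organisation's real addresses (hypothetical).
KNOWN_SENDERS = {"jane.doe@example-charity.org", "principal@example-school.edu"}

# Phrases taken from the behaviour the article describes.
URGENCY_CUES = ("urgent", "asap", "right away", "in meetings", "can't talk",
                "can't take calls", "not available on the phone")
CODE_CUES = ("scratch", "the codes", "screenshot")

def lookalike_of(sender, known=KNOWN_SENDERS, threshold=0.85):
    """Return the known address that `sender` imitates, or None.
    An exact match is legitimate; a close-but-different address (an inserted
    character, a digit swapped for a letter) is the lookalike trick."""
    sender = sender.lower().strip()
    if sender in known:
        return None
    best, best_ratio = None, 0.0
    for addr in known:
        ratio = SequenceMatcher(None, sender, addr).ratio()
        if ratio > best_ratio:
            best, best_ratio = addr, ratio
    return best if best_ratio >= threshold else None

def score_message(sender, body):
    """List the red flags found in one message (empty list = nothing odd)."""
    text = body.lower()
    reasons = []
    imitated = lookalike_of(sender)
    if imitated:
        reasons.append(f"sender {sender} resembles {imitated}")
    if "gift card" in text:
        reasons.append("asks for gift cards")
    if any(cue in text for cue in URGENCY_CUES):
        reasons.append("urgency or 'unreachable by phone' pressure")
    if any(cue in text for cue in CODE_CUES):
        reasons.append("asks for the card codes")
    return reasons

# Two constructed messages: a routine one and a gift card BEC attempt.
ROUTINE = ("jane.doe@example-charity.org",
           "Reminder: the board meeting moves to Thursday at 10.")
SCAM = ("jane.doe@examp1e-charity.org",
        "I'm in meetings all day and can't take calls. Please buy five iTunes "
        "gift cards, scratch the back and email me the codes. It's urgent.")

if __name__ == "__main__":
    for sender, body in (ROUTINE, SCAM):
        print(sender, "->", score_message(sender, body) or "no red flags")
```

A message that trips the sender check alone is worth a phone call to the real colleague, which is the verification step the article recommends.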
Although these symptoms are easy to identify, gift card scams continue to skyrocket and this probably won’t change anytime soon. Under the circumstances, the importance of social engineering awareness training within organizations is hard to overestimate.