Researchers found a 4,671 percent increase in gift card-related email attacks over the course of 2018.

By Robert Holmes

Over the next month many small businesses will be purchasing gift cards to give to their employees, clients, and partners to thank them for their contribution over the past year. Unfortunately, cybercriminals are channeling the Grinch and looking to lure unsuspecting small businesses into buying gift cards for fraudulent purposes. Below are three ways you can stop this threat before it hits your bottom line.

Cybercriminals often understand how a business actually operates better than anyone else, because their success rate depends on it. In October 2018, the FBI issued an alert detailing a substantial increase in business email compromise (BEC) attacks that had led victims to purchase over $1,000,000 in gift cards in the preceding 18 months. Notably, Proofpoint cybersecurity researchers found a 4,671 percent increase in gift card-related email attacks over the course of 2018, and of the organizations that received BEC emails in Q3 2018, 15.6 percent were targeted with gift card-themed fraudulent messages.

This shift in the threat landscape is not a surprising one. Today, cybercriminals are leveraging social engineering tactics to exploit people rather than infrastructure, and deploy damaging and costly attacks across email, cloud apps, and social channels. The gift card scheme is simply another way for malicious actors to impersonate a senior executive over email and prompt immediate action by a lower-level employee.

Three Ways to Stop the Grinch from Succeeding

In this attack, a cybercriminal impersonates the CEO's email identity without touching the company's mail system at all: typically a free webmail account (e.g. Gmail) is registered and its display name is set to the executive's name, so the message reads as "Jane Doe" even though the underlying address belongs to the attacker. The attacker then emails an employee requesting the purchase of several gift cards for a work-related function or as a present for a special occasion. Because the message appears to come from the CEO, employees are more likely to act quickly rather than take the time to check the actual sender address or verify the request out of band. Sadly, once the cards have been purchased and the codes handed over, tracking or recovering the funds is incredibly difficult.

Given the success rate and low cost of executing email fraud attacks, cybercriminals have only begun to scratch the surface of the damage these attacks can inflict on an organization. According to the FBI, BEC attacks have resulted in more than $12.5 billion in losses worldwide, and organizations of all sizes are targeted with email fraud attempts. Our research has found no correlation between the size of a company and the number of email fraud messages directed at it; everyone is a potential victim.

However, in our observation of gift card-related BEC attacks, we have found that cybercriminals are targeting small organizations that, unlike bigger businesses, typically do not have policies, processes, and controls established around the purchase of employee incentives and gifts. The lack of such controls in smaller companies makes them more vulnerable to this type of scam.

As a best practice, below are three recommendations to help organizations adopt a people-centric approach to security, which is what small businesses need in order to protect how people work today:

  • Establish a multi-layered cybersecurity approach that combines robust technology with employee security awareness training. Small businesses need an email security solution that can dynamically identify email fraud, because many of these messages carry no malware or malicious link and therefore pass straight through legacy, signature-based defenses; the signals to look for are identity-based, such as a display name that matches an executive while the sending address sits on an external domain, or a Reply-To that differs from the From address.
  • Educate your employees so they understand the value of the information they process and how to identify and report email fraud attempts.
  • Develop a corporate policy that requires employees to verify any email requesting a high-value purchase, even one that appears to come from top management, through a separate channel: a phone call to a number already known to the employee or an in-person conversation, never a reply to the email itself or a call to a number supplied in it.
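The display-name impersonation described above, and the kind of identity-based check the first recommendation calls for, can be demonstrated with a small triage script. The following is an added example written for this article, not Proofpoint code or any product's detection logic. The organization's domain (`example.com`), the executive roster, the keyword lists and both sample messages are constructed for illustration; a real deployment would also check authentication results (SPF/DKIM/DMARC) and maintain the lexicons from observed campaigns.

```python
"""Triage raw RFC 5322 messages for 'CEO asks for gift cards' impersonation.

Added example for this article (not vendor code). Everything below the
imports is a constructed assumption: the org domain, the executive roster,
the keyword lists and the two sample messages.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed organization: its legitimate sending domains and protected executives.
ORG_DOMAINS = {"example.com"}
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}

# Constructed lexicons; gift card brands and pressure phrases seen in this scam family.
GIFT_CARD_TERMS = ("gift card", "giftcard", "itunes", "google play", "amazon card", "ebay card")
URGENCY_TERMS = ("urgent", "asap", "right away", "immediately", "in a meeting",
                 "discreet", "confidential", "can't talk")


def _norm(name: str) -> str:
    """Lower-case and strip everything but letters/spaces so 'J. Doe (CEO)' still compares."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _impersonated_exec(display: str):
    """Return (name, address) if the display name borrows an executive's name or address."""
    d_norm, d_low = _norm(display), display.lower()
    for name, address in EXECUTIVES.items():
        if _norm(name) in d_norm or address.lower() in d_low:
            return name, address
    return None


def analyze(raw: str) -> dict:
    """Score one raw message; returns findings, a numeric score and a verdict."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()

    findings, score = [], 0

    # 1. Display name claims to be an executive, but the actual address is not theirs.
    exec_hit = _impersonated_exec(display)
    impersonation = bool(exec_hit) and addr.lower() != exec_hit[1].lower()
    if impersonation:
        where = "external domain" if _domain(addr) not in ORG_DOMAINS else "internal but wrong mailbox"
        findings.append(f"display name '{display}' matches {exec_hit[0]} but sender is {addr} ({where})")
        score += 3

    # 2. Replies would go somewhere other than the visible sender.
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {_domain(addr)}")
        score += 1

    # 3. Content: gift card request plus pressure to act without checking.
    gift_hits = [t for t in GIFT_CARD_TERMS if t in text]
    urgency_hits = [t for t in URGENCY_TERMS if t in text]
    if gift_hits:
        findings.append(f"gift card terms: {gift_hits}")
        score += 2
    if urgency_hits:
        findings.append(f"urgency/secrecy terms: {urgency_hits}")
        score += 1

    if impersonation and gift_hits:
        verdict = "quarantine"
    elif score >= 3:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"from": addr, "display": display, "findings": findings, "score": score, "verdict": verdict}


# Constructed sample: the scam pattern the article describes (webmail account, CEO's display name).
SAMPLE_SCAM = """\
From: Jane Doe <jane.doe.ceo2018@gmail.com>
To: Sam Lee <sam.lee@example.com>
Subject: Quick favor
Date: Mon, 10 Dec 2018 09:12:00 -0500

Sam, I'm in a meeting all morning and can't talk. I need you to pick up
four $100 iTunes gift cards for a client right away. Scratch the backs,
photograph the codes and email them to me. Keep this confidential. Thanks.
"""

# Constructed sample: a legitimate internal request on the same topic, sent from the real mailbox.
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: Sam Lee <sam.lee@example.com>
Subject: Holiday gift cards for the team
Date: Mon, 10 Dec 2018 09:12:00 -0500

Sam, please raise a purchase request for the team's holiday gift cards
through procurement as usual. Finance will approve it this week.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        result = analyze(raw)
        print(f"[{label}] verdict={result['verdict']} score={result['score']}")
        for f in result["findings"]:
            print("   -", f)
```

The legitimate message still trips the gift card lexicon, which is why the verdict hinges on the identity mismatch rather than on keywords alone: an executive's real mailbox asking about gift cards is normal business in December, while an executive's name on a webmail address asking for card codes is the scam.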

Robert Holmes is the VP of Email Security, Proofpoint.

Grinch stock photo by tanpanamanoob/Shutterstock