Gift Card Fraud

The cybersecurity world is continually inundated with the new strains of ransomware taking down large and small businesses alike. Unfortunately, this has brought attention away from other cyber-related attacks, like Gift Card scams. The US Department of Justice announced this week the indictment of four gift card scammers and alleges these four ended up with more than 5000 fraudulently obtained cards to use for themselves.

What is a Gift Card Scam?

Gift Card Scams are where cybercriminals redeem gift cards that you (or your business) paid for, either because you were convinced that those cards were designated for something else, or because the crooks got temporary access to one of your online accounts that allowed them to buy gift cards on your dollar. These scams don’t typically require large payments as they would in Ransomware attacks, but can still add up to a notable amount. One may assume Gift Cards won’t get the criminals very far, but Gift Cards typically allow up to $200 added to each card. With that said, the crooks scammed 5,000 cards, which in theory could’ve added up to $1 Million. It’s a large number that can certainly affect businesses, especially smaller to mid-size companies. 

How Does This Happen?

Cyber crooks frequently use social engineering tactics to get this type of job done. They will break into company networks and exploit computer system access to buy cards, they will impersonate the CEO of a company and ask Human Resources to buy gift cards for bonuses, they will exploit trust in online data sites. Below we give three typical examples.

Network Exploit Gift Card Hack

In the holiday season of 2020, Sophos’ Rapid Response Team came across a group of cybercriminals deploying an attack of this nature. Hackers gained access to a company’s network and accessed each end-user’s device to see if they could gain access to an already logged-in email (or e-commerce) account. They were able to purchase a number of gift cards in this way before the alarm was sounded and Sophos’ response team was called in.

Romance Scammers

Another example where gift cards are secured by hackers is Romance scammers, who like to arrange for gift card “payments”, luring their victims who have often been tricked into thinking they’ve found a friend or future spouse through a fake dating profile and sending them money; sometimes through gift cards.

Hey, are you busy?

Oftentimes, hackers will impersonate public figures for a company by emailing human resources pretending to be the CEO. In this scam, the hacker sends an innocuous “Hey, are you busy” email to human resources. If they get a response from HR back, then they engage with a  request for Gift Cards. This type of scam was investigated by CyberHoot directly in a $25,000 gift card scam, literally hundreds of $100 gift cards.

What To Do?

Hackers know their only weapon is social engineering. Once you’re aware of this, you can watch for impersonation attacks, romance scams, and computer and network breach events. Never use gift cards as a payment option for non-personal matters. Following this advice will protect you from the various Gift Card scams out there.

Other Cybersecurity Best Practices 

There are other actions you should take to protect your business from other attacks and harm including:

• Adopt a password manager for better personal/work password hygiene
• Require two-factor authentication on any SaaS solution or critical accounts
• Require 14+ character Passwords in your Governance Policies
• Train employees to spot and avoid email-based phishing attacks
• Check that employees can spot and avoid phishing emails by testing them
• Backup data using the 3-2-1 method
• Incorporate the Principle of Least Privilege
• Perform a risk assessment every two to three years