Avoid becoming a victim of this gift card scam.
With the rise of Business Email Compromise (BEC) scams, businesses continue to be targeted by fraudsters who use deceptive email exchanges to gain access to an organization’s funds. While money transfer scams come in all shapes and sizes, scammers have a new twist involving the use of prepaid gift cards.
In this scam, a thief poses as a high-level executive or employee at their target’s place of work. Through a compromised or phony email account, the scammer asks their target to quickly purchase a prepaid gift card at any nearby store. After the target has made the purchase, they are instructed to email the scammer the card’s information, including the card number, expiration date, and CVV2/security code. Unlike payment fraud, which requires money movement and communication with employees in the accounts payable or HR departments, this scam is advantageous to the fraudster because any employee within an organization can be targeted.
Fraudsters may provide the pretext that the prepaid gift cards will be donated or gifted to a client or charity once they receive the card information. These organizations are bogus: the scammer will keep the gift card information for themselves and may find a new target to solicit, ask their current target to purchase another card, or cease communication altogether.
Here are several red flags that you may be the target of a gift card scam:
- The email comes from an address at a domain you do not recognize. The domain may also look like your company’s domain but contain minor spelling differences (such as john.doe@exannple.xyz instead of john.doe@example.xyz).
- The email contains grammatical errors.
- The person who is claiming to be an employee at your organization has a different writing style than what you’re used to seeing from that employee.
- There are vague or no details about what the funds will be used for.
- There is a sense of urgency around the request.
- The email mentions a negative or tragic outcome for you or your company if the funds aren’t delivered in a certain time frame.
- The email requires you to complete actions outside your normal working hours or job functions.
- The email asks for direct confirmation once the transaction is complete.
- The requester insists on receiving the card information via email.
- The person requesting the funds asks for your secrecy or mentions that the request has already been approved by your organization’s leaders.
If you believe you have been targeted by a scam email, here are a few tips to protect yourself:
- Talk with a manager about the legitimacy of the email.
- Call or meet with the person requesting the funds to verify the email’s legitimacy.
- Avoid posting financial and personnel information to social media or corporate websites.
- Have your IT department register all website domains that closely resemble your organization’s main web address.
- Invest in spam detection rules for your email platform that flag domains that look like your organization’s domain.
- Conduct social engineering testing, both by phone and email, to test employees’ awareness of security threats.
- Train employees to recognize phishing emails and how to identify potential threats in emails and instant messages.
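One way to implement the lookalike-domain flag from the tips above (an added example, not part of the original article): it classifies a From header against your own domain using a table of look-alike character sequences plus edit distance, which catches the exannple.xyz case from the red-flag list. The function names, the confusables table, the distance threshold of 2 and the sample headers are assumptions made for illustration.

```python
from email.utils import parseaddr

# Look-alike character sequences (assumed starter list, not exhaustive).
CONFUSABLES = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

# Constructed sample From headers; example.xyz stands in for your own domain.
SAMPLES = [
    "John Doe <john.doe@example.xyz>",
    "John Doe <john.doe@exannple.xyz>",
    "John Doe <john.doe@examp1e.xyz>",
    "Billing <billing@unrelated-vendor.test>",
]


def skeleton(domain):
    """Collapse look-alike sequences so imitations compare equal."""
    out = domain.lower()
    for fake, real in CONFUSABLES:
        out = out.replace(fake, real)
    return out


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, own_domain, max_distance=2):
    """Return 'internal', 'lookalike' or 'external' for a From header."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")
    own = own_domain.lower()
    if domain == own or domain.endswith("." + own):
        return "internal"  # string match only; says nothing about account compromise
    if domain and (skeleton(domain) == skeleton(own)
                   or edit_distance(domain, own) <= max_distance):
        return "lookalike"  # quarantine or banner, then verify out of band
    return "external"


if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header, 'example.xyz'):9}  {header}")
```

An `internal` result only means the domain string matches; a request sent from a compromised account still needs the phone or in-person verification listed above.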
Although email scams are strategic and convincing, they can be overcome with a vigilant and perceptive eye developed through your organization’s IT security training. It is imperative that internet safety best practices are shared throughout your organization and that employees are kept informed on the latest trends in payment fraud.