It’s not every day we here at Solutions Review discuss individual attack strains or unique digital threat campaigns unless it has affected millions of people or hit a globally recognized enterprise. However, given our recent report on the uptick of cyber attacks around the holiday period, and with the increase in spear phishing attacks on enterprises overall, we felt this particular attack warranted deeper investigation.
SIEM solution provider Barracuda Networks recently unveiled their spotlight report on a gift card phishing scam that has proven to be remarkably effective on enterprise employees. In this cyber attack, hackers use social engineering to target office managers, executive assistants, and receptionists, the employees in regular contact with their enterprise’s CEO. The hackers will send a phishing email posing as the CEO, asking the target to purchase digital gift cards and send them in reply.
As part of the gift card phishing scam, the hackers will tell their targets to send them the gift cards quickly. According to the message, the cards are meant to be holiday rewards for the employees—adding a vital sense of urgency to the attack. This is part of the typical intimidation tactics spear phishing attacks tend to use to influence their victims, but redirected in a less obvious manner.
The gift card phishing scam works in part because of this sense of urgency, which catches employees off-balance, but also because of what the malicious email contains. These emails generally do not carry malicious payloads, do not indicate malicious intent, and only ask for a relatively mundane purchase. They are often well researched, so they do not arouse suspicion, and they often ask for secrecy under the guise of the gift cards being surprise rewards.
In other words, the gift card phishing scam has all the elements of the perfect phishing attack.
Barracuda Networks recommends enterprises deploy email security protocols in order to protect themselves from the gift card phishing scam and other spear phishing campaigns. You should also make an effort to bolster your employees’ phishing knowledge. Your security team should alert employees to this potential attack and to the warning signs of potential threat emails. You may want to offer an analog communications alternative in case your employees need to verify your email correspondence.
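Because these messages carry no payload, attachment and link scanning has nothing to flag; a mail filter has to look at headers and wording instead. The sketch below is an added example, not code from Barracuda Networks or Solutions Review, and the organization domain, executive name, keyword patterns and sample messages are all constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions (hypothetical values, not from the article).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"dana whitfield"}

# Content traits the article lists: gift card request, urgency, secrecy.
SIGNALS = {
    "gift_card": re.compile(r"\bgift\s*cards?\b", re.I),
    "urgency": re.compile(r"\b(urgent(ly)?|asap|right away|immediately|quick(ly)?)\b", re.I),
    "secrecy": re.compile(r"\b(surprise|confidential|between us|don'?t tell)\b", re.I),
}

def find_signals(raw):
    """Return the names of the warning signs present in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    domain = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{part.get_content() if part else ''}"
    hits = [key for key, rx in SIGNALS.items() if rx.search(text)]
    # Executive display name on an address outside the organization.
    if name.strip().lower() in EXECUTIVES and domain != ORG_DOMAIN:
        hits.append("exec_name_external_sender")
    # Replies (and the card codes) would go somewhere other than the sender.
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        hits.append("reply_to_mismatch")
    return hits

def is_suspect(raw):
    """Flag a gift card request that also shows impersonation or pressure."""
    hits = find_signals(raw)
    spoofed = {"exec_name_external_sender", "reply_to_mismatch"} & set(hits)
    return "gift_card" in hits and (bool(spoofed) or len(hits) >= 3)

# Constructed sample messages (not real traffic).
SPOOFED = ("From: Dana Whitfield <dana.whitfield@exec-mail.example.net>\n"
           "Reply-To: dw.office@example.org\nSubject: Quick favor\n\n"
           "I need you to buy 10 gift cards right away as a surprise holiday\n"
           "reward for the team. Keep it between us and reply with the codes.\n")
ROUTINE = ("From: Dana Whitfield <dana.whitfield@example.com>\n"
           "Subject: Vendor invoices\n\n"
           "Please file the gift card vendor invoice with accounts payable.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("routine", ROUTINE)):
        print(label, is_suspect(raw), find_signals(raw))
```

A flag from a heuristic like this is a prompt for out-of-band verification with the named executive, not a verdict on its own.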