COMMENTARY: The holiday season has moved into full swing, and so have social engineering scams. With security teams stretched thin and racing to wrap up big projects before a well-earned break, it’s not unusual for employee vigilance to fall by the wayside. That, combined with the year-end spike in corporate gifting and employee appreciation efforts, makes December the perfect time for cybercriminals to strike with a popular attack: the CEO gift card scam.
Making matters much worse, threat actors have armed themselves with new tactics for slipping past traditional security tools and deceiving well-meaning employees. Security leaders who underestimate this rapidly advancing threat and fail to strategize accordingly could end the year with a massive headache.
Over the past decade, threat actors have increasingly turned to business email compromise (BEC) attacks, impersonating trusted entities and convincing targets to take a seemingly routine action, like updating payment account details. A CEO gift card scam is a sub-type of BEC attack in which a cybercriminal impersonates a CEO or other high-level authority figure and manipulates an employee into purchasing several gift cards — often under the guise of using them for employee gifts or sales incentives.
As with all BEC attacks, gift card fraudsters rely on social engineering techniques — like creating a sense of urgency or wielding authority — rather than brute force tactics or email attachments infected with malware. For example, they might tell the employee they need the gift card details within a couple of hours, pressuring the target to take action before they can second-guess the request.
Because this scam begins as a text-only message and often originates from a legitimate domain, it’s less likely to tip off legacy products like secure email gateways (SEGs) than an email with a suspicious link or attached file. And while the scam usually starts via email, some attackers eventually move the conversation to SMS or even a phone call to further evade detection.
How gift card scams evolved
Despite increased focus on security awareness efforts that educate employees on identifying gift card scams and other common email threats, these attacks are becoming more sophisticated and nearly impossible to spot.
For example, instead of using dubious-looking email addresses, cybercriminals are increasingly using spoof tactics to mimic known display names, or using free webmail services like Gmail to create usernames with an impersonated executive’s name. In some cases, threat actors use lookalike domains or compromised email accounts, which are even less likely to arouse suspicion — especially for busy employees with overflowing inboxes.
And while many companies use email threat detection tools programmed to recognize common indicators of compromise like frequently used text strings, cybercriminals have advanced their approaches. To bypass SEGs, some attackers use foreign character substitution, which replaces letters with lookalike characters, like replacing a capital “I” with an exclamation point.
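As an added example (not from the column or from Abnormal Security), a small Python check in the spirit of the detections described above: it folds lookalike characters back to the letters they imitate before matching gift card and urgency phrases, and flags a known executive's display name arriving from a free webmail or other non-corporate domain. The executive roster, domains, confusable table and sample message are all constructed.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed data for a fictional company: executive roster and trusted domains.
EXECUTIVES = {"jane doe": "CEO", "raj patel": "CFO"}
CORPORATE_DOMAINS = {"example-corp.com"}
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}

# Lookalike substitutions of the kind used to slip past string-matching gateways:
# ASCII punctuation/digits plus a few Cyrillic/Greek letters mapped to the Latin
# letter they imitate. Used only for matching, never to rewrite the stored message.
CONFUSABLES = str.maketrans({
    "!": "i", "1": "i", "|": "i", "0": "o", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u03bf": "o",
})
GIFT_CARD_TERMS = ("gift card", "itunes", "google play", "steam card")
URGENCY_TERMS = ("within the hour", "right away", "asap", "before end of day", "keep this between us")

def normalize(text: str) -> str:
    """Fold case, strip accents, and undo lookalike character substitutions."""
    folded = unicodedata.normalize("NFKD", text).casefold()
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return re.sub(r"\s+", " ", folded.translate(CONFUSABLES))

def score_message(from_header: str, body: str) -> list[str]:
    """Return the reasons a message looks like a CEO gift card request (empty if none)."""
    findings = []
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].casefold()
    name = normalize(display)
    # Executive's name in the display field, but the address is not ours.
    if name in EXECUTIVES and domain not in CORPORATE_DOMAINS:
        kind = "free webmail" if domain in FREE_WEBMAIL else "non-corporate domain"
        findings.append(f"display name '{display}' ({EXECUTIVES[name]}) sent from {kind} {domain}")
    raw, norm = body.casefold(), normalize(body)
    for label, terms in (("gift card request", GIFT_CARD_TERMS), ("urgency cue", URGENCY_TERMS)):
        hit = next((t for t in terms if t in norm), None)
        if hit:  # a term visible only after normalization was deliberately disguised
            hidden = "" if hit in raw else " (obfuscated with lookalike characters)"
            findings.append(f"{label}: '{hit}'{hidden}")
    return findings

if __name__ == "__main__":  # constructed sample message, not a real capture
    header = '"Jane Doe" <jane.doe.ceo@gmail.com>'
    text = "In meetings all day. Buy 5 g!ft cards for client thank-yous and send the codes w!thin the hour."
    for finding in score_message(header, text):
        print("FLAG:", finding)
```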
Generative AI also came into play over the last year, with many threat actors abandoning templated campaigns for weaponized generative AI to quickly create unique, professional-looking, error-free email messages that closely mimic conversations by the person they’re impersonating — thus increasing their ability to evade detection software.
Hand in hand with this goes the pervasiveness of social media accounts. Today’s cybercriminals have so many online sources they can use to research the executives and employees they are impersonating and targeting, helping them understand these relationships so their email blends seamlessly into everyday communications. This way, a request to purchase several gift cards as client gifts or year-end bonuses won’t seem like it’s come from left field.
How to defend against gift card scams
The recent explosion in malicious generative AI and cybercrime-as-a-service tools has made it easier than ever for criminals to wage attacks. Because attacks like CEO gift card scams no longer require advanced technical expertise, they’ll likely become more frequent — especially at the end of the year when employees are most distracted.
While traditional security tools are still effective in detecting less sophisticated threats, like mass phishing campaigns, mitigating advanced attacks requires a more complex strategy. In addition to keeping employees educated on emerging attack types and cybersecurity trends, and how to spot them, it’s also vital to adopt advanced detection technology that prevents scams from reaching employee inboxes in the first place.
As we move further into the holiday season — traditionally one of the most active times for cybercriminals — it’s more important than ever for security leaders to strengthen their organization’s defenses. It will take a multi-pronged approach to protect against sophisticated email attacks today and into the new year.
Mike Britton, chief information officer, Abnormal Security

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.