Threat Spotlight: New spear phishing attack gift card scam

When sending social engineering-based attacks, attackers have always used context and timing to their advantage. Combined with the psychological advantage of impersonating someone in a position of authority, the attackers can lure the target, often a low or mid-level employee, to take an action desired by the attacker by simply sending a well-timed email that has highly relevant contextual information —without requiring any type of malicious payload. 

A great example of this approach is a recent large-scale impersonation campaign involving gift cards, which is the subject of this month’s Threat Spotlight.

Highlighted Threat:

Gift card spear phishing – Attackers use social engineering to trick office managers, executive assistants, and receptionists into sending gift cards to the attackers, claiming it’s for employee rewards, perhaps as a holiday surprise. The specific ask for gift cards this time of year is also interesting, and another example of just how targeted these attacks are.

The Details:

Since early October, the Barracuda team has seen an uptick in social engineering attacks where the goal is to get the target to send gift cards to the attacker. Attackers know that many companies are asking their office managers, executive assistants, and receptionists to purchase gift cards for employees in anticipation of the holiday season. Therefore, they are specifically targeting these roles, often impersonating the CEO of organization. Of course, the employee will be under pressure to quickly execute the request of the CEO, which adds extra pressure to the transaction.

The Tactics: 

Let's take a look at some of the specific tactics the attackers are using.



Tactic 1: CEO impersonation

In this first anonymized example, the attacker impersonates the company's CEO and asks specifically for some Google Play gift cards. It is possible that this company was already planning to purchase such gift cards.



Tactic 2: Request for secrecy

In the second example, the attacker asks the recipient to keep it confidential (because the gift cards are meant to be a reward). Given the timing is so close to the holidays, the uptick in seeing an ask specifically for gift cards is interesting.



Tactic 3: Researching relevant details

In the third example, the target company is a multi-national organization, it appears the attacker knows that they will require gift cards in different currencies.

Tactic 4: Implied urgency

In all of the examples, the attacker uses language that implies urgency ("Do get back to me," "How soon can you get this done"). The attacker even includes a signature pointing out that the email was sent from a mobile device. This conveys a sense of urgency and implies that the impersonated employee is out of the office, so there is no way to contact them in person to verify the request.

Why the attacks work 

In all of these attacks, the emails were sent from free personal email services with a relatively high reputation. In addition, they do not contain any type of malicious payload, such as links or attachments. Instead the emails rely solely on social engineering and impersonation to trick their targets. These types of attacks are very hard for traditional email filters to pick up because they are targeted, have a high reputation, and do not contain any obvious malicious signals.

How to protect yourself

The most effective way to stop these types of attacks is using an AI-based email security solution, which understands the specific context of the organization and can use it to detect anomalies. For example, in the emails we shared above, an AI solution can recognize that the attackers are not using email addresses normally used by the CEO. In addition, the AI can pick up on the urgent call to action and the request for a financial transaction, which would raise a red flag.

Regular security awareness training and phishing simulations for employees can also help teach them how to spot this type of attack. And, if you don’t already have procedures in place spelling out how to confirm any financial requests that come in via email, whether they’re for wire transfers or gift card purchases, now is a good time to create those guidelines. It could help employees avoid making a costly mistake.

Barracuda Resources

• Get AI-based protection against spear phishing with Barracuda Sentinel


• Take control of security awareness training with Barracuda PhishLine