Phishing Claus is coming to town! With the Christmas holiday fast approaching, the digital bandits are out in force, looking for a way to swindle you out of your stocking.
A new report from Barracuda Networks warns of a "spear phishing" gift card scam aimed at businesses, one that's also worth the attention of consumers who spend a lot of time on social media.
"When sending social engineering-based attacks, attackers have always used context and timing to their advantage," wrote Barracuda's Asaf Cidon. The holidays are a perfect setting for that style of attack.
Here’s how the scam works
The new riff is a large-scale impersonation campaign built around gift cards.
"Attackers use social engineering to trick office managers, executive assistants, and receptionists into sending gift cards to the attackers, claiming it’s for employee rewards, perhaps as a holiday surprise," according to Cidon.
The phishers use several tactics. One is "CEO impersonation": an email purporting to come from the company's CEO asks specifically for Google Play gift cards. The ruse works because the employee may assume the company was already planning to buy such cards.
Another scheme is built around secrecy. Here the attacker asks the recipient to keep the gift card purchase hush-hush because the cards are supposedly a reward for employees.
A third variant targets multinational companies, where the attacker plays up the angle of gift cards in different currencies.
The fourth trick is a heightened sense of urgency ("Do get back to me," "How soon can you get this done"), with the phishing email going as far as incorporating a "signature" implying it was sent from a mobile phone.
In the phisher's way of thinking, this approach "conveys a sense of urgency and implies that the impersonated employee is out of the office, so there is no way to contact them in person to verify the request," according to the Barracuda report.
Why the attacks work
One would think there aren't many sucker punches left, but cyber criminals have little else to do than find new ways around email filters and malware detectors. Just ask Wells Fargo.
The common thread in this new round of attacks is that the emails come from a free, personal email service with a decent reputation (the reputation belongs to the provider, not to the freshly registered sender), and, unlike the old days of email scams, the messages carry no malicious payload: no link, no attachment.
The scammers rely entirely on social engineering and impersonation to dupe their targets. "These types of attacks are very hard for traditional email filters to pick up because they are targeted, have a high reputation, and do not contain any obvious malicious signals," the report said.
So, what to do?
As you can see, all the ruses are based on context and timing. With the holidays so close, the employee receiving the email may not see the request as out of the ordinary, and plays right into the attacker's hands.
Treat with caution any email that asks for gift cards or that presses for urgency, particularly through the holidays. Barracuda goes as far as suggesting that companies require confirmation of any financial request that arrives by email, whether for a wire transfer or a gift card purchase. That confirmation should happen out of band, by calling a number you already have on file or asking in person, never by replying to the email itself, since a reply goes straight back to the attacker.
Is there software you should buy?
While security tools that protect against fraud and identity theft have value, AI-based email security solutions, ones that "understand the specific context of the organization and can use it to detect anomalies," are becoming more prevalent and are worth considering for any business that relies heavily on email.
In the scenarios above, such a solution would likely notice that the attacker isn't using the email address the company CEO normally sends from. Google has rolled out some AI integration for Gmail, but for the time being Gmail's AI is outbound-centered, not inbound, and does not appear to be the solution for a situation like this.
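To make concrete what a context-aware filter would key on, here is an added example (it is not Barracuda's product, Gmail's filter, or anything from the report) that scores a message on exactly the signals the report describes: an executive's display name paired with an address that person never uses, a free webmail sending domain, gift card wording, urgency phrasing, secrecy or "surprise" framing, and a mobile signature. Note that it never looks for links or attachments, because these messages have none. The executive directory, the regular expressions, the point values, the thresholds and the three sample messages are all constructed for illustration.

```python
"""Heuristic triage for payload-free gift card impersonation emails.

Added example, not the report's or any vendor's code. Every threshold and
pattern below is an assumption to be tuned against real mail flow.
"""
import re
from email.utils import parseaddr

# Hypothetical directory: normalized display name -> the address that person really uses.
EXEC_DIRECTORY = {"jane doe": "jane.doe@example.com"}
# Free personal mail providers attackers register throwaway accounts with.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

GIFT_CARD_RE = re.compile(r"\bgift\s*cards?\b|\bgoogle play\b|\bitunes\b|\bamazon cards?\b", re.I)
URGENCY_RE = re.compile(r"how soon|do get back to me|\basap\b|urgent|right away|immediately", re.I)
SECRECY_RE = re.compile(r"keep (?:this|it) (?:between us|confidential|quiet)|don'?t (?:tell|mention)|\bsurprise\b", re.I)
MOBILE_SIG_RE = re.compile(r"sent from my (?:iphone|android|mobile|samsung|galaxy)", re.I)

# (label, pattern, points) for content signals; impersonation is scored separately below.
CONTENT_SIGNALS = [
    ("asks for gift cards", GIFT_CARD_RE, 2),
    ("urgency language", URGENCY_RE, 1),
    ("secrecy or surprise framing", SECRECY_RE, 1),
    ("mobile signature (implies sender cannot be reached in person)", MOBILE_SIG_RE, 1),
]


def _norm(name):
    """Lower-case a display name and drop punctuation so 'Jane Doe (CEO)' still matches."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def score_message(from_header, subject, body):
    """Return (score, verdict, reasons) for one message."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    score, reasons = 0, []

    # Context check: a known executive's name on an address they do not use.
    expected = EXEC_DIRECTORY.get(_norm(name))
    if expected and addr != expected:
        score += 4
        reasons.append(f"display name {name!r} belongs to an executive who mails from {expected}, not {addr}")
        if domain in FREE_MAIL_DOMAINS:
            score += 2
            reasons.append(f"sender domain {domain} is a free webmail service")

    text = f"{subject}\n{body}"
    for label, rx, pts in CONTENT_SIGNALS:
        if rx.search(text):
            score += pts
            reasons.append(label)

    # Thresholds are an assumption for this example.
    if score >= 5:
        verdict = "hold"    # quarantine; release only after out-of-band confirmation
    elif score >= 2:
        verdict = "review"  # deliver with a banner; gift card requests get confirmed regardless
    else:
        verdict = "pass"
    return score, verdict, reasons


# Constructed sample messages: (From header, Subject, body).
ATTACK = (
    "Jane Doe <jane.doe.ceo@gmail.com>",
    "Quick favour",
    "Are you in the office? I need you to pick up 5 Google Play gift cards of $100 each "
    "for an employee surprise. Keep it between us for now. How soon can you get this done? "
    "Do get back to me.\n\nSent from my iPhone",
)
LEGIT = (
    "Jane Doe <jane.doe@example.com>",
    "Holiday party",
    "Please order 20 gift cards for the raffle at Friday's party; finance already has the PO.",
)
BENIGN = (
    "Bob Smith <bob.smith@example.com>",
    "Lunch",
    "Anyone free for lunch at noon?",
)


def triage(messages):
    """Map each message's subject to its verdict, for a quick overview of a batch."""
    return {subject: score_message(frm, subject, body)[1] for frm, subject, body in messages}


if __name__ == "__main__":
    for frm, subject, body in (ATTACK, LEGIT, BENIGN):
        score, verdict, reasons = score_message(frm, subject, body)
        print(f"{verdict:6} score={score:2} {subject!r}")
        for r in reasons:
            print("   -", r)
```

The attack sample trips every signal and is held; the genuine CEO request lands on "review" purely because it mentions gift cards, which matches the advice above that any such request gets confirmed regardless of who it appears to come from; the lunch invitation passes. The important design point is that the strongest single signal is the mismatch between a known person's name and the address used, which is only available to a filter that knows the organization's directory.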