Email Security Blog

BEC Gift Card Scams Move Online During COVID-19 Pandemic

Patrick Peterson April 6, 2020 BEC, Business Email Compromise

With 60 million corporate employees working remotely due to the Coronavirus outbreak, cybercriminals are switching up their tactics in business email compromise (BEC) scams.

In what has been called the “world’s largest work-from-home experiment,” organizations around the globe are being forced to quickly transition to a remote workforce, ready or not. Cybercriminals have opportunistically adjusted to this new normal by updating phishing lures, malware, and other fraud techniques. BEC crime rings are no different.

Impersonation scams rely on gift cards as a cash-out method. In fact, gift cards are the most popular tool that fraudsters use to advance the scam from email message to fiat currency. All a threat actor needs to do is ask unsuspecting victims to send them a picture of the physical gift cards, which can then be sold for roughly 70% of face value in bitcoin.

This tried and true method is a gateway for laundering money and it isn’t just for BEC gangs, either. The tactic is widely used by state-sponsored threat actors such as Lazarus Group, the North Korean APT group behind Wannacry, to skirt US sanctions. But in the age of shelter-in-place orders and quarantines, this approach won’t cut it anymore.

BEC By Text Message: ‘Can You Run a Quick Errand?’

Before COVID-19, gift card scams were relatively straightforward. BEC actors would impersonate a company’s CEO or another senior executive in email requests asking a targeted employee to purchase physical gift cards.

The reasons given included a party for fellow team members, a vendor who needed to be paid in gift cards, or a bonus for specific staff members for outstanding performance during the past year.

Along the way, the fraudster would invariably ask the employee for their mobile phone number, ostensibly so they could communicate back and forth. By moving the conversation to SMS, scammers are able to bypass email protections and get a photo of the gift cards.

In almost every case, perpetrators would ask the employee to run to a store to purchase between $500 and $1,000 worth of gift cards. And it works. According to our latest email fraud trends report, gift card scams account for 62% of all business losses attributed to BEC attacks. That could represent more than $5.2 billion in business losses worldwide this year.

Faced with a newly remote workforce and shuttered stores due to the current crisis, BEC groups have suddenly needed to find a way to keep these sizable revenue streams flowing. And it looks like they may have found one.

Example: BEC email referencing employees working from home.

Going Remote: Gift Card Laundering When Stores Are Closed

Up until now, victims conned into going to the store and purchasing gift cards were instructed to scratch the back of the cards off and send a photo to the scammers. Needless to say, there are a lot of steps to this scam that could raise suspicions. But now, fraudsters have turned to digital gift cards, which come with a big upside – higher payouts.

Example: BEC email requesting online gift cards.

For in-store gift card purchases, most retailers attempt to curb fraud by limiting the number of cards that can be purchased in one transaction. But online retailers don’t seem to have the same restrictions. One BEC group we track that usually requests checks from BEC victims—a gang we’ve code named Exaggerated Lion—has recently included gift card requests in their repertoire, asking for as much as $15,000 in “surprise” gift cards for employees.

Example: Exaggerated Lion BEC email requesting $15,000 in gift cards.

Plenty of Scams In Store—and Out

BEC scammers haven’t written off real world stores completely, mind you. They just changed their targets. After much of the US went into lockdown, gift card fraudsters shifted away from large retail stores such as Target and Walmart, and toward local pharmacies such as CVS and Walgreens, as well as other businesses deemed “essential.”

Example: BEC email referencing specific “essential” store for a target to buy gift cards.

While we don’t yet have concrete evidence about how these stores come into play, it seems a safe assumption that victims asked to buy gift cards either comply, or are refusing to venture out and are instead looking for safer alternatives to make the purchase. The safest way for the scammers to cash out is through digital gift cards, and they just started doing it.

Trying to track the money chain from these crimes is extremely difficult, if not impossible, due to the lack of a networked gift card tracking system. And with virtually no limits on purchase amounts, this cash-out method is sure to catch on—while losses add up fast.

To learn more about gift card scams and other BEC email attacks, read the Q1 2020 Identity Deception and Fraud Trends Report from Agari.

Leave a Reply

Your email will not be published. All fields are required.

Agari Blog Image

August 5, 2020 Michael Paiko

Phishing & BEC Scams Soar 3000%: Agari H2 2020 Email Fraud and Identity Deception Trends Report

Coronavirus-related phishing attacks and business email compromise (BEC) scams skyrocketed 3,000% from mid-March through early…

Agari Blog Image

July 17, 2020 Patrick Peterson

Business Email Compromise: New Shift in BEC Threat Landscape Puts CISOs on Notice

A seismic shift in the email threat landscape has CISOs bracing for sophisticated new forms…

Agari Blog Image

July 7, 2020 Crane Hassold

Cosmic Lynx: A Russian Threat Hits the BEC Scene

“At some point, Russian and Eastern European cybercriminals are going to start thinking to themselves,…

Agari Blog Image

June 30, 2020 Michael Paiko

Agari Summer '20 Release: CISOs Gain Unique Threat Intel to Their Organizations

With business email compromise (BEC) scams up sharply amid the coronavirus pandemic, CISOs have been…

Agari Blog Image

June 22, 2020 Michael Paiko

Forrester: Agari Phishing Defense™ Works a 97% ROI Over Three Years

A new Total Economic Impact (TEI) Study from Forrester finds that Agari Phishing Defense™ (APD)…

mobile image