Phishing for Gift Cards
Yesterday, the email shown below was sent to Ashton’s “security alert” distribution list. The topic is the recent spate of email spoofs asking that an employee send iTunes gift cards to a company exec, so they can be given to clients. In the 24 hours since the email was sent, we’ve had a flood of responses, showing us just how prevalent this scam is at the moment.
Responses came from a handful of people who were not aware of this scam, as well as plenty of people who had received a similar email, and were aware of its existence. We’ve also had numerous responses (the total distribution list numbers 300) from clients and prospects alike, whose employees either sent iTunes gift cards to a scammer, or were in the process of completing the transaction, when somebody on the management team realized what was going on and stopped them.
So, if we take a sample size of 300 and figure that 15 have responded that they or someone in their organization has been targeted with this type of email, we know that equals 5%. Of the 15 who responded, 10 (3.3%) had an employee send gift cards, or start the process. If you’re a scammer, 3.3% is a pretty good success rate when you’re sending out hundreds of thousands of similar emails. At 100,000 with a 3.3% success rate, you’re looking at 3,330 people who send you gift cards ranging in value from $200 to $2,000. At an average of $500, you’re bringing in over $1,500,000. Not a bad day’s work!
This is just another reminder to think twice before you act, and to not be afraid to ask questions when you think something seems phishy.
(Email sent to security alert distribution list)
Please feel free to share this with your employees as well as your partners/vendors/clients. In the past week, we’ve seen two clients hit with an email spoof, purportedly from a high-ranking executive within their company (one President, one VP). In both cases, an employee received an email similar to the one shown below (names replaced with “President” and “Employee”):
From: President <presidentoffice459 at inbox.lv>
Sent: Friday, August 31, 2018 3:07:37 PM
To: Employee
Subject: Request
I’ll need you to run a task as soon as possible, needs a prompt response.
Kindly let me know if you’re available at the moment.
P.S: I’m busy currently busy at the moment and can’t talk but will look forward to your reply.
Thanks
In both cases, the employee responded to the sender explaining that they were available and happy to help out. The “President” then responded with the following:
From: President <presidentoffice459 at inbox.lv>
Sent: Friday, August 31, 2018 3:14:48 PM
To: Employee
Subject: RE: Request
I need you to get some gift cards which are to be sent out in about 40mins. How soon can you arrange them so I can tell you what product and denomination would be needed?
In one case, the employee realized (after the initial response) that something was amiss. In the other case, however, the employee spent the afternoon running around Cleveland purchasing $2,000 worth of iTunes gift cards. The “President” explained that he didn’t have time to wait for the actual gift cards, and asked the employee to scratch off the activation codes, then email the entire list of codes to him. Which the employee did. And there went $2,000, out the door.
A couple of tips to share with your team if they ever receive anything of this sort:
- While the email sender’s name was “President”, the address (presidentoffice459 at inbox.lv) should’ve been an immediate tip off.
- Any time a sender says “I’m in a meeting, please don’t call. Respond via email…” the alarm should immediately sound.
If you have questions about this or any emails that your team might receive, please don’t hesitate to call the Ashton help desk at 216 539-3686
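The two tips above can also be applied automatically when triaging inbound mail. The following is an added example, not part of Ashton's original email: it flags an executive's display name on an outside address, plus the wording cues seen in the two scam messages. The company domain, executive names and sample messages are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                 # assumption: your own mail domain
EXEC_NAMES = {"pat president", "vic vp"}   # assumption: executives' display names

# Wording cues taken from the two scam messages quoted in the post.
CUES = {
    "gift_card_request": re.compile(r"gift\s*cards?|activation\s+codes?", re.I),
    "urgency": re.compile(r"as soon as possible|prompt response|in about \d+\s*mins?", re.I),
    "avoid_phone": re.compile(r"can.?t talk|don.?t call|in a meeting", re.I),
}

def triage(raw: bytes) -> list[str]:
    """Return the reasons a message should be held for review (empty = none)."""
    msg = message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    # Tip 1: an executive's name on an address outside the company domain.
    if display.strip().lower() in EXEC_NAMES and domain != ORG_DOMAIN:
        flags.append("exec_name_external_address")
    part = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{part.get_content() if part else ''}"
    # Tip 2 and the follow-up message: "can't talk", urgency, gift card purchase.
    flags += [name for name, rx in CUES.items() if rx.search(text)]
    return flags

# Constructed sample messages modelled on the post; addresses are placeholders.
FIRST = b"""From: Pat President <presidentoffice@freemail.example>
Subject: Request

I'll need you to run a task as soon as possible, needs a prompt response.
I'm busy at the moment and can't talk but will look forward to your reply.
"""
FOLLOWUP = b"""From: Pat President <presidentoffice@freemail.example>
Subject: RE: Request

I need you to get some gift cards which are to be sent out in about 40mins.
"""
LEGIT = b"""From: Pat President <pat.president@example.com>
Subject: Board deck

Draft attached for Monday's review.
"""

if __name__ == "__main__":
    for name, raw in (("first", FIRST), ("followup", FOLLOWUP), ("legit", LEGIT)):
        print(name, triage(raw) or "no flags")
```

The display-name check is the stronger signal; the wording cues on their own will also match some legitimate mail, so treat them as a reason to review rather than to block.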