MOREnet Blogs

Scenario: Donna is the supervisor of XYZ.org. Sam is an upper management employee.
********************************************************************

From:  Donna Boss <DonnaBoss@scammer.com>
To: Sam Scammed <SamScammed@XYZ.org>
Subject: Quick Purchase Needed

Sam, can you do me a favor?

Donna Boss
Supervisor, XYZ.org

*******************************************************************

From: Sam Scammed <SamScammed@XYZ.org>
To: Donna Boss <DonnaBoss@scammer.com>
Subject: Quick Purchase Needed

Sure. What do you need?

Sam Scammed
Manager, LAN Services

******************************************************************

From:  Donna Boss <DonnaBoss@scammer.com>
To: Sam Scammed <SamScammed@XYZ.org>
Subject: Quick Purchase Needed

I need you to purchase some gift cards for me for potential prizes. I need these right away. Can you get 10 $50 Visa gift cards?

Donna Boss
Supervisor, XYZ.org

******************************************************************

From: Sam Scammed <SamScammed@XYZ.org>
To: Donna Boss <DonnaBoss@scammer.com>
Subject: Quick Purchase Needed

Sure. Do you want me to bring them to your office?

Sam Scammed
Manager, LAN Services

*****************************************************************

From:  Donna Boss <DonnaBoss@scammer.com>
To: Sam Scammed <SamScammed@XYZ.org>
Subject: Quick Purchase Needed

No. I’ll pick them up from you. Just send me the gift cards numbers and PINs ASAP so that I can inventory the purchases.

Donna Boss
Supervisor, XYZ.org

*****************************************************************

Look phishy? Sam’s supervisor’s request appears legitimate. The email has her name on it. There are no misspellings or grammatical errors. So what should Sam do?

A: Purchase the cards and send the information to his boss as soon as possible

B: Call his boss to verify the information

C: Purchase the cards and hand deliver them to his boss.

The correct answer is B. Any time a request for payment is made that appears to sound a bit off it would require a personal interaction. Purchases and payments that require wire transfers or gift card purchases are highly suspicious. Sam should pick up the phone or walk to Donna’s office to verify the request.

Another part of this spear phishing scam, that the crook is not aware of, is that Sam does not have any purchasing power. He will need to go to the Finance Department in order to get the purchase approved. This process may require the signature of Donna. If Sam were to take the action to purchase the cards it is likely that the scam would have failed at that point.

Although Donna’s name and title appear in the body of the message and in the From: field, the email address does not match the organization’s domain.

Scammers play the spray and pray game. They send hundreds or thousands of these types of phishes out, hoping to get a handful to reply and fall victim.

Educating end users to the dangers of phishing can greatly reduce the risk of organizations and personnel from becoming a victim. Teach them how to spot and report phishing emails and what to do if they should fall victim.

  • Be wary of emails requesting wire transfers or gift cards for payment
  • Don’t open emails from unknown senders
  • Report suspected phishing emails to the appropriate authority
  • Personally verify any requests requiring money or personal information

Your ongoing security awareness program should include phishing simulations to better condition your users to the possible dangers of a compromise. Phishing is the #1 cause of a compromise.

Resources

Paying Scammers with Gift Cards

How Gift Card Scams are Used To Finance Fraud

 

Categories: Cyber Security

Leave a Reply