Beware of corporate e-mail reward card scams, and a new gang of crooks impersonating legal professionals.
Welcome to Cyber Security Today. It is Monday, November the seventh, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
On my last podcast I talked about phone scams designed to trick shoppers. Today’s case is about gift card buying e-mail scams aimed at the employees of a firm. They believe they are doing a favor for a boss who asks them to buy gift cards for Amazon, PayPal or a credit card company. These can be bought in supermarkets, drug stores and malls, and they can usually be bought online. The crooks need an untraceable way to get the cash. Victims are instructed to send the serial numbers on the cards to the perpetrator by email or in a photo taken with their smartphone. The criminal then sells the card numbers on the black market at a discount. Or, if they get Amazon gift cards, the criminal spends the money on goods and resells them on a trusted online marketplace. Or they buy cryptocurrency.
The scam usually begins when an employee receives an e-mail from their manager or boss asking them to spend their own cash buying gift cards for an occasion – Christmas is a common excuse at this time of year. The ‘boss’ wants to give gift cards to employees for the holiday, or as a bonus because the company had a good year, or a valued customer wants iTunes gift cards. It can also be a personal request: ‘I would like to get my wife a surprise gift card.’
Sometimes the so-called boss doesn’t initially say what they want. The first message from the boss could simply be, ‘Do you have a few minutes?’ If the victim replies, the so-called boss emails again, ‘I have a request….’ The purpose is to hook the worker.
Consumers can also fall prey to gift card scams. The Better Business Bureau notes crooks claiming to be from the US Internal Revenue Service or the Canada Revenue Agency who tell the victim they have an income tax problem that can only be solved by paying with a gift card. Or the scammer pretends to be a relative or friend who needs cash immediately. Or, as I told you last week, they may be fake police officers or a bank that wants you to buy gift cards to help catch a fraudster.
How quickly do crooks cash in these cards? Researchers at Cofense recently ran tests, buying gift cards and sending them to the crooks. In one case the gift cards were resold and used for purchases within 24 hours. The buyers could have been crooks, or even innocent people who bought gift cards at a discount to save money. In another case someone bought a toy with a card and listed it for sale on a trusted online marketplace.
There are two ways to prevent this fraud: First, everyone should use multifactor authentication to protect their email from being hacked. Second, pay attention to emails asking you to purchase large amounts or denominations of gift cards, especially if the ‘boss’ asks you to spend your own cash and promises to repay you. An important sign that it may be a scam is if you are asked to send the serial numbers on the back of the cards by e-mail, or to photograph them.
Email gift card scams aimed at employees fall under a general category called business email compromise scams. These include scams such as requests to pay fake invoices, or to transfer funds because a customer has changed their bank account. Researchers at Abnormal Security have discovered a new group of these scammers, which they have named Crimson Kingsnake for convenience. It impersonates real legal professionals, law firms and debt recovery services, focusing on firms in the US, Europe, the Middle East and Australia. A typical e-mail pretends to be from a lawyer about an allegedly overdue payment. If an employee responds, the crooks e-mail them a fake invoice. If the worker questions the invoice, the gang, now pretending to be an executive at the worker’s own company, sends the worker an e-mail that explains the invoice and authorizes the payment. To be convincing, the crooks create look-alike email addresses of real law firms and debt collection companies. This is another example of why employees – especially those in the finance department – need to be taught not to react quickly to email messages involving money. IT departments should verify that the company’s domain isn’t being spoofed, and they need to install effective anti-phishing software.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.