Here’s how it starts: with a well-meaning heart and a text or email. Here’s how it ends: you have your money stolen. And in the middle is the classic gift card swindle. 

The gift card scam is an oldie but a goodie. Well, a goodie if you are a cybercriminal. Not so goodie for the victim. It’s been around a while, and you’ve likely heard of some form of it. But the scam is so successful that cybercriminals continue to use it. 

Google “gift card scam.” Go ahead – do it. There are myriads upon myriads of results for this scheme. Often, the target is a church or a non-profit organization – a group that is regularly involved in helping people and that often entertains requests for financial aid. However, this is not always the case – forms of this fraud pop up across various kinds of business and industry.

The play is this: first, the cybercriminal gains access to, say, a church directory with emails and phone numbers, or to a database of contributors to a non-profit. Alternatively, they might simply glean email addresses publicly available from a church or company website and initially target a smaller group of people.  

In either case, the cybercriminal crafts an email or text to his unwitting new audience. Keep in mind that email scammers used to be easier to identify by their clearly terrible grammar. Now, however, with AI text generators, cybercriminals anywhere in the world, with no real English skills to speak of, can craft professional-sounding emails without much effort.

The cybercriminal uses a copycat email that is very close to the real email of some trusted person in the organization – a pastor, administrative assistant, or non-profit director. The text of the request is simple: some emergency or opportunity has come up, and the “pastor” or “director” needs YOU (the church member or non-profit staff member) to purchase gift cards and send him or her the gift card data.  

Since most people aren’t suspicious of what appears to be a trusted source, and since the email may even mimic the formats, logos, and layouts used by the real sender, the audience falls for it. Note that these are not stupid “suckers” – these are simply people ready to help a person they trust.

Again, while these specific attacks are often used against churches and other non-profits, similar schemes might target specific relationships in an organization – say, a boss requesting something similar of an administrative assistant, or a supervisor requesting something of an employee. The tactics may be slightly different, but the overall purpose remains the same.  

It’s that simple, and you say you wouldn’t fall for it. But look at how many people have. It works. And here’s the other thing: this requires NO real expertise on the part of the cybercriminal. These aren’t master coders breaking into CIA networks. This goes for many other cybercrimes, as well. While there is a perception that all cybercriminals are hackers with computer expertise, the reality is that all cybercrime takes is some gumption. Technical know-how is no longer a requirement to be a cybercrook. Many of the necessary tools can be bought, and you can be targeted by someone who may have no more computer knowledge than you.  

To combat schemes like this, your organization needs to make sure that it has appropriate cybersecurity tools, policies, and practices in place. Your IT Department or IT Managed Service Provider needs robust tools for procedures such as monitoring and backup. These can prevent many attacks, or at least mitigate the damage done by breaches. You also need clear organizational policies, and your employees must be trained to identify potential cyber attacks. Cybersecurity is no longer a problem for IT to handle – it’s an “all hands on deck” situation for every employee.

The simplicity of the gift card scam means that it can be prevented. But this requires leaders to see that cybercrime is a real threat to their own organizations and not merely something happening to someone else.