Business Email Compromise: Gift Cards
The Internet Crime Complaint Center (IC3) received an increase in the number of Business Email Compromise (BEC) complaints requesting victims purchase gift cards. The victims received either a spoofed email, a spoofed phone call or a spoofed text from a person in authority requesting the victim purchase multiple gift cards for either personal or business reasons.
In a typical example, a victim receives a request from their management to purchase gift cards for a work related function or as a present for a special personal occasion. The gift cards are then used to facilitate the purchase of goods and services which may or may not be legitimate.
Some of these incidents are combined with additional requests for wire transfer payments as described in classic BEC scenarios.
IC3 complaint data has shown that a variety of sectors including technology, real estate, legal, medical, distribution and supply, and religious organizations have been targeted by this scam.
A total of 1,164 complaints were filed with IC3 between January 1st, 2017 and August 31st, 2018 with an adjusted loss of $1,021,919. Although the average reported loss per incident was less than $900, the number of complaints reporting fraudulent gift card requests increased over 1,240% between January 1st, 2017 and August 31st 2018, with over 90% of incidents reported between March and August 2018. This scenario did not register as a measurable trend in 2017.
SUGGESTIONS FOR PROTECTION
Be mindful of any email, phone call or text messages requesting multiple gift cards even if the request is ordinary.
Beware of sudden changes in business or personal practices and carefully scrutinize all requests for multiple gift card purchases even if requests are ordinary.
Since many of the fraudulent e-mails reported in this new trend are spoofed, confirm requests for the purchase of gift cards using two-factor authentication. If using phone verification, use previously known numbers, not the numbers provided in the e-mail request.
A complete list of self-protection strategies is available at www.ic3.gov IC3 BEC PSAs 1-071218-PSA, 1-050417-PSA and on the United States Department of Justice website www.justice.gov in the publication titled “Best Practices for Victim Response and Reporting of Cyber Incidents.”
WHAT TO DO IF YOU ARE A VICTIM
IC3 victims reported some success in recovering funds when directly contacting the business that issued the gift card. Success appears to be dependent in part on how quickly victims are able to recognize and report the fraud.