Last Time in the BEC Taxonomy Series…
In the fifth post of the Business Email Compromise (BEC) taxonomy series, Proofpoint researchers explored the lures and tasks theme from the Email Fraud Taxonomy framework (Figure 1). Lure and task email fraud, with its quick-request nature, can serve as a gateway to other themes in the taxonomy, including the one explored here: gift carding. Vying for a top spot alongside lures and tasks, invoice fraud, and payroll redirects, gift carding is one of the most prolific email fraud themes seen by Proofpoint researchers.
Figure 1. Email Fraud Taxonomy Framework.
What is Gift Carding?
Gift carding is a financial extraction technique in which threat actors request payouts in the form of one or more high-value gift cards. It is an attempt to trick the email recipient into purchasing gift cards and sending the gift card number and PIN to the threat actor. Because it is commonplace for companies to reward employees with gift cards, the threat actor can exploit the lower level of scrutiny applied to such a routine task. The request often comes with an urgent reason for the favor, intended to compel the recipient to act without verifying it.
Gift Carding and the Email Fraud Taxonomy Framework
Gift carding email fraud leverages impersonation from the Deception layer of the Email Fraud Taxonomy. Threat actors commonly spoof a person in leadership or a position of authority within a company to make the request appear more legitimate. As with other email fraud, masquerading as someone recognizable to the intended victim, including close friends and family members, increases the likelihood that the recipient feels compelled to follow through on the request. Most gift carding email fraud uses display name spoofing, as illustrated in Figure 2, to deceive recipients. To a lesser extent, threat actors use the other impersonation tactics, such as spoofing the domain or using reply-to manipulation.
Figure 2.
Real World Examples
Gift carding emails leverage a variety of lures to convince the recipient that what they have received is a legitimate request. As seen in the following examples, threat actors will use anything from current events such as the pandemic to national holidays to lures intended to elicit sympathy in order to maximize their chances of success.
Figures 3 and 4 are good examples of threat actors attempting to capitalize on expected feelings of sympathy. In Figure 3, the threat actor claimed the request was for a hospice situation, and in Figure 4 the threat actor claimed they were out of town and in isolation—likely a nod to the pandemic—and therefore unable to get a gift for their niece’s upcoming birthday.
Figure 3.
Figure 4.
Figure 4 also serves as a reminder that in some cases of gift carding fraud a threat actor will begin with what is called a quick task email to test the receptivity of the potential victim. The threat actor in this situation first sought to see if the intended victim was available. They then waited to request assistance with getting a gift card until after receiving a response.
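The impersonation tactics described above (display name spoofing, domain spoofing, reply-to manipulation) and the quick-task precursor seen in Figure 4 can be checked mechanically at the mail gateway. The following Python is an added example written for this article, not Proofpoint's code: it parses a raw message with the standard library, checks the sender's display name against a list of executives, compares the From and Reply-To domains, looks for gift card and urgency language, and flags a short "are you available" message from a spoofed executive as a likely quick-task precursor. The organization domain, executive names, keyword lists, score weights and the three sample messages are constructed assumptions for illustration.

```python
"""Score a raw RFC 5322 message for gift carding BEC indicators (added example, not Proofpoint's code)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed organization data (hypothetical, not from the blog post).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john roe"}  # display names actors are likely to borrow

# Constructed keyword lists; a production rule set would be far larger.
GIFT_CARD_PATTERNS = [r"\bgift\s*cards?\b", r"\b(itunes|google play|amazon|steam)\b.*\bcards?\b",
                      r"\bcard numbers?\b.*\bpins?\b"]
URGENCY_PATTERNS = [r"\burgent(ly)?\b", r"\bright away\b", r"\bas soon as possible\b",
                    r"\basap\b", r"\bin a meeting\b"]
QUICK_TASK_PATTERNS = [r"\bare you available\b", r"\bare you at your desk\b",
                       r"\bquick (task|favou?r)\b", r"\bneed (a|your) favou?r\b"]

# Weight per finding; verdict thresholds are assumptions for the example.
WEIGHTS = {"display_name_spoof": 3, "reply_to_mismatch": 2, "gift_card_request": 3,
           "urgency_language": 1, "quick_task_language": 1, "quick_task_precursor": 2}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _norm_name(name: str) -> str:
    """Lower-case a display name and drop punctuation so 'Jane Doe' and 'jane.doe' compare equal."""
    return re.sub(r"[^a-z ]", " ", name.lower()).strip()


def _text_body(msg: Message) -> str:
    """Extract the first text/plain part, decoding the transfer encoding."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload is not None:
                return payload.decode(part.get_content_charset() or "utf-8", errors="replace")
    return ""


def analyze(raw: str) -> dict:
    """Return the findings, a weighted score and a verdict for one raw message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = _text_body(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []

    # Display name spoofing: a known executive's name on an address outside the organization.
    norm = _norm_name(from_name)
    if any(exec_name in norm for exec_name in EXECUTIVES) and _domain(from_addr) != ORG_DOMAIN:
        findings.append("display_name_spoof")
    # Reply-to manipulation: replies would leave the domain the message claims to come from.
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append("reply_to_mismatch")
    if any(re.search(p, text) for p in GIFT_CARD_PATTERNS):
        findings.append("gift_card_request")
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        findings.append("urgency_language")
    if any(re.search(p, text) for p in QUICK_TASK_PATTERNS):
        findings.append("quick_task_language")
    # Quick-task precursor: a short availability check from a spoofed executive that does not
    # yet mention gift cards; the actual request typically follows only after a reply.
    if ("quick_task_language" in findings and "display_name_spoof" in findings
            and "gift_card_request" not in findings and len(body.split()) < 60):
        findings.append("quick_task_precursor")

    score = sum(WEIGHTS[f] for f in findings)
    verdict = "block" if score >= 5 else "review" if score >= 3 else "allow"
    return {"findings": findings, "score": score, "verdict": verdict}


# Constructed sample messages (not real emails).
QUICK_TASK_EMAIL = """From: Jane Doe <jane.doe.ceo@freemail.example.net>
Reply-To: jane.doe.ceo@freemail.example.net
To: staff@example.com
Subject: Are you available?

Are you at your desk? I need a quick favor, get back to me as soon as possible.
"""

GIFT_CARD_EMAIL = """From: Jane Doe <jane.doe.ceo@freemail.example.net>
Reply-To: Jane Doe <jdoe.private@webmail.example.org>
To: staff@example.com
Subject: Re: Are you available?

Great. I need you to get gift cards for the team today and send me the card numbers and
pins once you have them. I am in a meeting, so please handle this asap.
"""

LEGIT_EMAIL = """From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Q3 planning meeting

Please review the attached agenda before Thursday.
"""

if __name__ == "__main__":
    for label, sample in [("quick task", QUICK_TASK_EMAIL), ("gift card", GIFT_CARD_EMAIL), ("legit", LEGIT_EMAIL)]:
        print(label, analyze(sample))
```

The precursor rule is the part worth noting: the first message in Figure 4 contains no gift card language at all, so a keyword-only filter would pass it. Tying a spoofed executive display name to an availability question catches the conversation before the monetary request arrives. Authenticated mail from the real executive's domain produces no display-name finding, which is why DMARC enforcement on the organization's own domain pairs well with this kind of content check.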
In the last example (figure 5), the threat actor claimed to want to get gift cards to distribute to employees as a thank you for their work, a common practice among companies, and tied the timing of the request to the Fourth of July celebration in the United States.
Figure 5.
Conclusion
Gift carding is a fairly common form of email fraud that costs on average $840 per incident and has swindled people out of almost $245 million since 2018. On average, Proofpoint stops between seven and ten thousand of these emails daily. Relying on familiarity, positions of authority, and a sense of urgency, gift carding can very easily be mistaken for a legitimate request. By identifying and categorizing emails with this theme, defenders can mitigate the potential risk they pose.
Stay Tuned…
In our final BEC taxonomy blog post we will tackle the last category in the Theme tier, Advance Fee Fraud.