• 3 min Read

How Simple Tricks Can Bypass Your Cybersecurity Tools and Technology

A while back, a young salesperson at our company appeared to receive an email from an officer of the company that read:


I need a huge favor and I normally wouldn’t ask you to do this but it’s time sensitive.
Would you kindly go to BestBuy and purchase a dozen 100 dollar gift cards please? I will reimburse you when I get back in the office. I need these for an upcoming conference.

Thank you,

So, what happened next?

Thinking this message was a legitimate request, the salesperson proceeded to go to Best Buy, pick up the gift cards, and walk to the register with them. The hero in this story was actually the clerk who checked her out at the register and hesitated to ring them up. Seeing a red flag with the unusual purchase, the clerk asked her, “Why so many gift cards?”

When the young salesperson explained what she was doing, the clerk asked her to call Paul to make sure that’s what he meant to do. Of course, Paul was taken aback when the salesperson called him. He told her the email was not from him and not to purchase the cards. Yay, store clerk!

The Scam

The scammers tried to persuade the salesperson to purchase the cards, come back to the office, and scratch off the silver coating which reveals the gift card’s numbers. Once the scammer has those numbers, they can go online and purchase whatever they want.

And yes, this scam works. As long as the scammer accurately imitates a specific authority figure or tricks the victim into thinking that gift cards are a legitimate way to transact money, the victim will often make the effort to go to a store, purchase the cards, and hand over the numbers.

I’ve worked with Paul for many years. If I had received that email, I would have noticed three huge red flags:

  1. No self-respecting officer of the company would ever ask a young employee to spend $100 out of pocket, let alone $1,200.
  2. Paul would never use the word “kindly.” (He really is a kind person, but he would not use “kindly” in that way.)
  3. He would never say “thank you,” as he has a different way of expressing gratitude in his emails.

More broadly, red flags for such scams include:

  • Anomalies: Is the request unusual and unprecedented?
  • Tone: Does the tone of the email seem consistent with previous emails?
  • Timing: Does the request come at an odd time?
  • Urgency: Does the request seem unusually urgent?

Preventing Employees from Becoming Victims

So how did our salesperson become a target? It could be one of many reasons. Her email could have been copied off our website, scanned at a conference, or taken off her business card. Plus, it’s just so easy to obtain emails today.

In addition, Paul was a target too. With spear phishing, scammers capture and study the emails of executive leaders to learn their mannerisms and style. Then, at some point, they launch an attack in the form of an email that asks the potential victim to hand over money, sensitive data, or user credentials. Spear phishing attacks can be more difficult to detect by victims, as scammers get better every day at imitating authority figures.

How do we keep scams like this from being successful?

Training, training, training.

  • Train your people to read emails all the way down. Don’t just glance quickly at them and follow instructions blindly.
  • Train your people to look at where the email originated instead of just glancing at the person’s name. Names are easily spoofed, but the email address often clearly does not match the person’s name or company domain.
  • Invest in training software that sends fake phishing emails to test employees. This software helps you discover which employees might be the ones most likely to respond to scams or open malicious emails. These training emails can look very authentic, so use them as a teaching tool to help employees become more aware of their habits.

Phishing scams through email are the gateway to your company’s most valuable assets. Cybersecurity training is your best way of lessening the chance of an employee—and your company—becoming a victim.

Related Resources

ThinkGard Named Datto’s 2018 Partner Of The Year

July 6, 2018 – ThinkGard today announced the company took home the Datto Partner of The Year award...

Read More
Why Do They Want My Username and Password?

So what’s the big deal. It’s just a username and password after all, and believe me there is...

Read More
Don’t Be THAT Company!

Like it or not, the most important asset in your business is your data. I know, you may be thinking...

Read More