A while back, a young salesperson at our company appeared to receive an email from an officer of the company that read:
I need a huge favor and I normally wouldn’t ask you to do this but it’s time sensitive.
Would you kindly go to BestBuy and purchase a dozen 100 dollar gift cards please? I will reimburse you when I get back in the office. I need these for an upcoming conference.
So, what happened next?
Thinking this message was a legitimate request, the salesperson proceeded to go to Best Buy, pick up the gift cards, and walk to the register with them. The hero in this story was actually the clerk who checked her out at the register and hesitated to ring them up. Seeing a red flag with the unusual purchase, the clerk asked her, “Why so many gift cards?”
When the young salesperson explained what she was doing, the clerk asked her to call Paul (the officer whose name was on the email) to make sure that’s what he meant to do. Of course, Paul was taken aback when the salesperson called him. He told her the email was not from him and not to purchase the cards. Yay, store clerk!
The scammers were trying to get the salesperson to purchase the cards, come back to the office, and scratch off the silver coating that reveals each gift card’s number. Once the scammer has those numbers, they can go online and purchase whatever they want; the cards never have to change hands.
And yes, this scam works. As long as the scammer accurately imitates a specific authority figure or tricks the victim into thinking that gift cards are a legitimate way to transact money, the victim will often make the effort to go to a store, purchase the cards, and hand over the numbers.
I’ve worked with Paul for many years. If I had received that email, I would have noticed three huge red flags:
- No self-respecting officer of the company would ever ask a young employee to spend $100 out of pocket, let alone $1,200.
- Paul would never use the word “kindly.” (He really is a kind person, but he would not use “kindly” in that way.)
- He would never say “thank you,” as he has a different way of expressing gratitude in his emails.
More broadly, red flags for such scams include:
- Anomalies: Is the request unusual and unprecedented?
- Tone: Does the tone of the email seem consistent with previous emails?
- Timing: Does the request come at an odd time?
- Urgency: Does the request seem unusually urgent?
Preventing Employees from Becoming Victims
So how did our salesperson become a target? It could be any of several reasons. Her email address could have been copied off our website, scanned at a conference, or taken off her business card. Plus, it’s just so easy to obtain email addresses today.
In addition, Paul was a target too. With spear phishing, scammers capture and study the emails of executive leaders to learn their mannerisms and writing style. Then, at some point, they launch an attack in the form of an email that asks the potential victim to hand over money, sensitive data, or user credentials. Spear phishing attacks are harder for victims to detect, because scammers get better every day at imitating authority figures.
How do we keep scams like this from being successful?
Training, training, training.
- Train your people to read emails all the way down. Don’t just glance quickly at them and follow instructions blindly.
- Train your people to look at where the email originated instead of just glancing at the person’s name. Names are easily spoofed, but the email address often clearly does not match the person’s name or company domain.
- Invest in training software that sends fake phishing emails to test employees. This software helps you discover which employees might be the ones most likely to respond to scams or open malicious emails. These training emails can look very authentic, so use them as a teaching tool to help employees become more aware of their habits.
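The second point above, checking where a message really came from rather than the display name, can be automated as a simple screening rule. The following is an added example written for this post, not a tool the author describes: it parses a constructed message modelled on the one in the story, compares the sender’s domain to an assumed company domain (`example.com`, a placeholder), checks whether a familiar executive’s name is paired with an unfamiliar address or a mismatched Reply-To, and looks for the urgency and gift-card phrasing the post calls out.

```python
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the company's real mail domain (placeholder)
# Phrases matching the red flags in the post: urgency, gift cards, unusual tone.
RED_FLAG_PHRASES = ("gift card", "time sensitive", "kindly", "huge favor")

# Constructed sample, modelled on the message in the post; not a real capture.
SAMPLE_EMAIL = """\
From: Paul Executive <paul.executive@exampe-mail.net>
Reply-To: paul.executive@exampe-mail.net
To: sales@example.com
Subject: Quick favor

I need a huge favor and I normally wouldn't ask you to do this but it's time sensitive.
Would you kindly go to BestBuy and purchase a dozen 100 dollar gift cards please?
"""


def check_message(raw, company_domain=COMPANY_DOMAIN, known_senders=None):
    """Return a list of red flags found in a raw RFC 5322 message.

    known_senders maps an executive's display name to their real address, so a
    familiar name paired with an unfamiliar address is flagged (display-name spoofing).
    """
    msg = email.message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain != company_domain:
        flags.append(f"sender domain {domain!r} is not {company_domain!r}")
    if known_senders and name in known_senders and known_senders[name].lower() != addr.lower():
        flags.append(f"display name {name!r} does not match known address {known_senders[name]!r}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"Reply-To {reply_to!r} differs from From {addr!r}")
    # Gather the plain-text body (single-part or the text/plain parts of a multipart message).
    if msg.is_multipart():
        body = "".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    hits = [p for p in RED_FLAG_PHRASES if p in body.lower()]
    if hits:
        flags.append("suspicious phrases: " + ", ".join(hits))
    return flags


if __name__ == "__main__":
    for flag in check_message(SAMPLE_EMAIL, known_senders={"Paul Executive": "paul.executive@example.com"}):
        print("RED FLAG:", flag)
```

A rule like this is a screening aid for a mail gateway or a training exercise, not a replacement for the phone call the store clerk suggested.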
Phishing scams through email are the gateway to your company’s most valuable assets. Cybersecurity training is your best way of lessening the chance of an employee—and your company—becoming a victim.