Business Reporter

Holding back the storm of seasonal scams 


Mike Britton at Abnormal Security explores seasonal scams such as the CEO gift card fraud

 

The holiday season is now behind us, and while many people will be looking forward to the next date in the calendar, cyber-criminals are doing the same thing. Holiday periods provide a perfect combination of time-sensitive business activity, distracted staff, and the chance to slip deceptive emails through the net.  

 

One tried and true scam that we’ve seen over the course of the last several years is CEO gift card fraud. By exploiting the season’s goodwill and busy schedules, this scam preys on employees’ trust and creates costly consequences for organisations. 

 

At its core, this fraud is simple. An attacker impersonates a senior executive, typically the CEO, and sends an employee a seemingly straightforward request to purchase gift cards. The justification is often framed as a gesture of appreciation for the team or an urgent gift for clients, and the perceived authority of the sender leaves little room for employees to question its legitimacy.

 

A sophisticated evolution 

Although these scams have been around for some time, their tactics have evolved. They are part of a broader trend of advancing social engineering attacks, where cyber-criminals are using increasingly sophisticated methods to mimic legitimate communications and bypass traditional email defences with ease. 

 

One common approach involves spoofing email addresses to make them appear nearly identical to genuine ones, such as using an exclamation mark instead of a capital ‘I’. In other cases, fraudsters hijack and send messages from real accounts to make their messages indistinguishable from authentic emails. 

 

Social media has also become a powerful tool in the hands of cyber-criminals. Platforms like LinkedIn allow attackers to map out relationships within organisations to gain insights into the dynamics between executives and employees. With this information, they can then craft highly personalised messages that seamlessly align with a company’s internal communication style. This tailored approach makes their requests appear routine, therefore increasing the likelihood of success. 

 

Adding to this complexity is the rise of generative AI. These tools enable attackers to create polished and professional messages that lack the errors or inconsistencies typically associated with phishing emails. Combined with tactics like substituting characters in email addresses to bypass detection systems, these innovations make scams harder than ever to detect. 
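The character substitution described above can be caught by folding look-alike characters to a single form before comparing a sender against known executives. The sketch below is an added example, not code from the article or from Abnormal Security; the executive directory, the domains, the character map beyond the '!' for 'I' swap and the sample messages are all constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed directory: executive display name -> genuine address (example.com is a placeholder).
EXECUTIVES = {"Irene Hall": "irene.hall@example.com"}

# Look-alike characters folded to one form; '!' standing in for a capital 'I'
# is the substitution the article describes, the rest are assumed variants.
CONFUSABLES = str.maketrans({"!": "i", "1": "i", "l": "i", "|": "i", "0": "o"})
GIFT_CARD = re.compile(r"\bgift\s*-?\s*cards?\b", re.IGNORECASE)


def skeleton(text):
    """Lower-case and fold look-alikes so 'Irene', '!rene' and 'lrene' compare equal."""
    return text.lower().translate(CONFUSABLES)


def assess(from_header, body):
    """Return the reasons a message resembles executive gift card fraud."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    reasons = []
    for exec_name, real_addr in EXECUTIVES.items():
        if addr == real_addr:
            continue  # genuine address; a hijacked account needs behavioural checks instead
        if skeleton(addr) == skeleton(real_addr):
            reasons.append(f"address imitates {real_addr}")
        elif skeleton(name) == skeleton(exec_name):
            reasons.append(f"display name '{exec_name}' on unrelated address {addr}")
    if reasons and GIFT_CARD.search(body):
        reasons.append("gift card purchase request")
    return reasons


# Constructed sample messages (From header, body).
SAMPLES = [
    ("Irene Hall <irene.hall@example.com>", "Board pack attached for Thursday."),
    ("Irene Hall <!rene.hall@example.com>", "Please buy 10 gift cards for the team today."),
    ("lrene Hall <ceo.office@mail.test>", "Need gift cards for clients, keep this quiet."),
    ("Sam Reed <sam.reed@example.com>", "Gift card ideas for the raffle?"),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(sender, "->", assess(sender, text) or "no impersonation signal")
```

A gift card mention on its own is not flagged; it only raises the severity of a message whose sender already imitates an executive.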

 

Why traditional defences fall short 

Traditional email security systems are not equipped to handle the subtleties of these advanced scams. Many rely on detecting obvious indicators like suspicious links or malware attachments, but CEO gift card scams are text-based and designed to appear innocuous. Without overt red flags, these messages easily evade standard defences. 

 

Compounding this issue is the increasing use of cyber-crime-as-a-service platforms. These services provide attackers with ready-made tools and templates, lowering the barrier to entry for launching sophisticated campaigns. As a result, even less technically skilled individuals can execute highly effective scams.

 

We recently saw the emergence of GhostGPT, an uncensored AI chatbot which enables quick and easy malware creation and BEC scams. With fast processing power and easy access through services such as Telegram, GhostGPT makes developing scams possible for even entry-level cyber-criminals.

 

The cost of complacency 

Falling victim to these scams is financially costly, but also causes less tangible harm. Internally, it can damage employee morale and erode trust in leadership as well as between employees. Further to this, the external reputation of an organisation can be significantly damaged; in an era where businesses are judged on their ability to safeguard sensitive information, failing to prevent such attacks sends a troubling message to clients and stakeholders alike. 

 

These attacks happen year-round, but the impact is particularly pronounced during a holiday season. With employees juggling end-of-year responsibilities and leadership teams often out of the office, the environment is ripe for exploitation. Cyber-criminals know this and tailor their timing accordingly. 

 

Building a resilient defence 

Addressing the threat of gift card scams requires a multifaceted approach that pairs the right technical solutions with a proactive and informed workforce. To start, organisations need to build a culture of verification. Employees should feel encouraged to double-check unusual requests, regardless of the sender’s apparent authority. Providing clear protocols for verifying communications can empower teams to act decisively without fear of repercussions. 

 

Education is another critical component. Regular training sessions should keep employees informed about evolving cyber-threats and the specific tactics used in scams like these. By understanding how attackers operate, staff can better recognise suspicious behaviour and respond appropriately. 

 

On the technical side, enterprises must be equipped with advanced detection tools that can identify the latest deceptive tactics. Modern solutions that use artificial intelligence can analyse behavioural patterns in emails, flagging anomalies that might otherwise go unnoticed. These tools can identify subtle signs of impersonation and prevent fraudulent messages from reaching employee inboxes. 

 

Organisations must also take steps to limit the information available to potential attackers. Reducing the visibility of executives’ contact details and other sensitive data can make it significantly harder for cyber-criminals to craft convincing scams. Conducting regular audits of public-facing information can help mitigate this risk. 

 

Preparing for the future 

As cyber-crime continues to evolve, so too must the strategies employed to combat it. The rise of generative AI and cyber-crime-as-a-service shows the need for constant vigilance and adaptation in email security strategies. For business leaders, this means recognising that the fight against cyber-threats is an ongoing effort—not a one-time investment. 

 

With the winter holiday season in the rearview mirror, it’s only a matter of time before the next one comes around – so the time to act is now. By combining advanced detection solutions with comprehensive employee education and a culture of caution, organisations can safeguard themselves against the rising tide of gift card scams.

 

The stakes are high, but with a proactive approach, businesses can protect their people and their reputations to ensure a stronger start to the new year. 

 


 

Mike Britton is CIO at Abnormal Security  

 

Main image courtesy of iStockPhoto.com and ourtneyk


© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543