This topic is less technical and more social engineering focused, but it is relevant to developers and general audiences alike.
- In the first scam, I got an email from someone I know. It asked me to urgently go and purchase two gift cards in the amount of $1,000 so that she could pay for something related to a volunteer organization we are both involved with. Her email had been compromised, but I didn't know that.
- The second scam is similar but applied at a company level. In this case, a social engineer emailed the accounting department from a hijacked company email address. They urged the accountant to buy several gift cards in the amount of $2,000 and send them the numbers so that they could reward a business partner. In this case, the "bad guy" went so far as to imitate the typical tone and word usage of his victim (a ... high-stress sales executive).
- The third case involved an incoming call from "Georgia Power" saying that "your power is going to be turned off if you don't pay your balance." What was interesting about this case, and why I mention it, is that there were 3 layers of hierarchy: the call bounced to a supervisor, then to another supervisor, and they actually turned down a credit card payment and told the victim where they could find a Kroger to get a gift card. Clearly there were significant resources behind this scam.
The takeaway is that any time you are asked to pay with a gift card, or, for that matter, to do anything "urgently", you should think twice or three times.
It also means that as we build systems, we should be cognizant of what is reasonable to ask of a user, and design systems and processes that are robust to social engineering without putting undue onus on the user.
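One way to make a payment or procurement process robust to the pattern described above is to encode the takeaway as a gate rather than leaving it to the recipient's judgement: a request that mentions gift cards, or that stacks urgency on top of another pressure signal, is held until it has been confirmed out of band (a call back to a number already on file, not one supplied in the message). The following is an added example, not code from the original post; the request fields, the keyword lists and the sample messages are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Pressure signals drawn from the three scams above: gift-card payment,
# urgency, and (a common companion) a request for secrecy. The word
# lists are illustrative assumptions, not a complete classifier.
GIFT_CARD = re.compile(r"\bgift\s*cards?\b", re.I)
URGENCY = re.compile(r"\b(?:urgent(?:ly)?|asap|right away|immediately)\b", re.I)
SECRECY = re.compile(r"(?:don'?t tell|keep (?:this )?(?:quiet|confidential)|between us)", re.I)


@dataclass
class Request:
    """A payment/purchase request as it reaches accounting (hypothetical shape)."""
    sender: str
    subject: str
    body: str
    # True only after someone confirmed the request on a channel the
    # requester did not choose (e.g. a call to the number already on file).
    verified_out_of_band: bool = False


def risk_signals(req: Request) -> list[str]:
    """Return the pressure signals present in the request text, in a fixed order."""
    text = f"{req.subject}\n{req.body}"
    signals = []
    if GIFT_CARD.search(text):
        signals.append("gift_card")
    if URGENCY.search(text):
        signals.append("urgency")
    if SECRECY.search(text):
        signals.append("secrecy")
    return signals


def decide(req: Request) -> tuple[str, list[str]]:
    """Policy gate. Gift cards always require out-of-band confirmation, and
    urgency never shortens that path; two or more signals together are
    treated the same way. Returns (action, signals)."""
    signals = risk_signals(req)
    needs_callback = "gift_card" in signals or len(signals) >= 2
    if needs_callback and not req.verified_out_of_band:
        return "hold_for_callback", signals
    return "proceed", signals


# Constructed sample requests (not real messages).
SAMPLE_GIFT_CARD = Request(
    sender="exec@example.com",
    subject="Quick favor",
    body="Can you urgently go and purchase two gift cards for $500 each and "
         "email me the card numbers? I'm in meetings all day.",
)
SAMPLE_GIFT_CARD_VERIFIED = Request(
    sender="exec@example.com",
    subject="Quick favor",
    body=SAMPLE_GIFT_CARD.body,
    verified_out_of_band=True,  # confirmed by calling the exec's known number
)
SAMPLE_INVOICE = Request(
    sender="billing@hosting.example",
    subject="Invoice 4471",
    body="Attached is invoice 4471 for the Q3 hosting renewal, net 30.",
)
SAMPLE_WIRE_SECRET = Request(
    sender="exec@example.com",
    subject="Deal closing",
    body="Please wire the deposit immediately and keep this between us until the deal closes.",
)

if __name__ == "__main__":
    for r in (SAMPLE_GIFT_CARD, SAMPLE_GIFT_CARD_VERIFIED, SAMPLE_INVOICE, SAMPLE_WIRE_SECRET):
        action, signals = decide(r)
        print(f"{r.subject!r:20} -> {action:18} signals={signals}")
```

The point of the design is that the hold is triggered by the shape of the request, not by whether the sender address looks legitimate: in the second scam above the address was genuine. The "verified_out_of_band" flag is the only thing that releases the hold, and it can only be set by a step the requester does not control.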
You can also listen to our podcast.