They may not work often, but they don’t have to work often if we can target “everyone”. They only need to work occasionally and, based on my anecdotal evidence from people I talk to in the industry, they do work often enough.
“One of the notable aspects of gift card BEC attacks is that they make all employees a target. Instead of solely focusing on finance or HR employees like other forms of BEC attacks, scammers impersonate a wide variety of identities on the corporate ladder to widen the scope of their attacks,” Crane Hassold, senior director of threat intelligence at Agari Cyber Intelligence Division, told ZDNet.
Wire or cash/check requests have to reach someone in the organization who can actually access those financial tools, and who has probably been trained to look for fraud. A request to buy gift cards for any number of office needs, be it a gift, prize drawings, etc., can go to anyone in the company. As long as it appears to come from a supervisor or manager, and even one person believes it’s a legitimate request, it’s probably worth doing for the scammer.
The key is to always verify any request, especially if the requester claims to be unable to call, or needs the redemption codes instead of the card itself. That’s not normal.
Image by 401(K) 2013