Imagine you’re going about your day as usual, when suddenly you receive a text from the CEO. The head of the company is asking for your help; they’re out doing customer visits, and someone else dropped the ball in providing gift cards. The CEO needs you to buy six $200 gift cards, and text the information right away.
The sender promises to reimburse you before the end of the day. Oh, and by the way, you won’t be able to reach them by phone for the next two hours because they’ll “be in meetings”. One last thing! This is a high priority, and they need those gift cards immediately.
Would this kind of request make you stop and think? Or would you quickly pull out the credit card and help out your CEO in a pinch?
A surprising number of employees fall for this gift card scam. There are loads of variations, like the classic ‘boss stuck without gas’ message, or some other dire situation that only you can help with.
This scam can come by text message or via email. Either way, the end result is that the unsuspecting employee buys the gift cards, and sends the codes to the other party. Only later do they find out that the real company CEO wasn’t the one that contacted them. It was a phishing scammer.
The employee is out the cash.
Without proper training, 32.4% of employees are prone to fall for a phishing scam
Why Do Employees Fall for Phishing Scams?
Though the circumstances may be strange, many employees fall for basic gift card scams. This sort of payout scheme is the same one that underpins all those “CRA Tax Fraud” scams that the elderly tend to fall for. Hackers use social engineering tactics in each, manipulating emotions to coax the target into following through on the request, no matter how absurd.
Social engineering tactics tend to lean on innate human actions and reactions, such as deference to authority and the urge to help someone in a hurry.
The scam’s message is crafted to get the employee to act without thinking or checking. It instills a sense of urgency: “The CEO needs the gift card details right away.” The message also conveniently supplies a reason why trying to confirm anything isn’t an option, such as the CEO being out of touch for some understandable reason for the next few hours. This decreases the chance that the employee will try to contact the real CEO to check the validity of the request.
Illinois Woman Scammed Out of More Than $6,000 from a Fake CEO Email
Variations of this scam are prevalent and can lead to significant financial losses. A company isn’t responsible if an employee falls for a scam and purchases gift cards with their own money.
In one example, a woman from Palos Hills, Illinois lost over $6,000 after getting an email request from someone she thought was her company’s CEO.
The woman received an email purporting to be from her boss and company CEO. It stated that her boss wanted to send gift cards to some staff that had gone above and beyond lately.
The email signed off with “Can you help me purchase some gift cards today?” The boss had a reputation for being great to employees, so the email did not seem out of character.
The woman went ahead and bought the requested gift cards from Target and Best Buy. She then got another request asking to send pictures of the cards. Again, the wording in the message was very believable and non-threatening. It raised no alarm bells, and simply stated, “Can you take a picture, I’m putting this all on a spreadsheet.”
The woman ended up purchasing over $6,500 in gift cards, which the scammer promptly stole. When she saw her boss a little while later, her boss knew nothing about the gift card request. Only then did the woman realize she was the victim of a scam.
Tips for Avoiding Phishing Scams
Always Double Check Any Unusual Requests
Despite what a message might say, always verify in person or by phone anyway. If you receive any unusual request, especially one related to money, confirm it. Contact the person through a separate channel, not by replying to the message, to make sure it’s a legitimate request before proceeding.
Don’t React Emotionally
Scammers often play on a target’s emotions to incite victims to act before they have time to think. Just a few minutes of sitting back and looking at a message objectively is often all that’s needed to see it’s a scam. Don’t react emotionally, instead ask if this seems real or is at all out of the ordinary.
Get a Second Opinion
Ask a colleague, or better yet, your company’s IT service provider, to take a look at the message. Getting a second opinion keeps you from reacting impulsively, and can save you from making a costly judgment error.
Need Help with Employee Phishing Awareness Training?
Phishing gets more sophisticated by the day. Make sure your employee awareness training is up to date. Give us a call today to schedule a training session to shore up your team’s defences.