Gift card spear-phishing scams targeting receptionists, assistants
- Gift card spear phishing is an emerging cybersecurity workplace risk that often tricks receptionists, office managers and executive assistants into sending gift cards to attackers, according to researchers at Barracuda Networks. The scammers sometimes claim the cards are surprise rewards for employees and therefore a secret. The emails are often sent from trusted email domains, lack malicious links or files and aren't recognized as threats by traditional email providers. Attackers are taking advantage of the holidays, when gift cards are widely used, researchers said.
- Attackers pretend that they're CEOs or other senior managers and are aware that lower-level employees are most likely to handle gift card requests and less likely to deny requests from top executives. Other emails use such tactics as implied urgency or specific details to make the email seem more legitimate.
- Training employees to spot such attacks goes a long way in stopping them, the experts said. Barracuda Network researchers also recommended use of an artificial intelligence-based email security solution, which, for example, can recognize email addresses that the CEO wouldn't normally use.
In a modern business environment, HR and IT are working together to reach certain goals, especially security goals that require a well-trained employee base. HR can work with IT to help employees avoid falling for these scams and understand what technology is needed to ward off attacks. Together, the departments can make employees aware of the attack and steps to take should they receive such an email.
Many organizations, however, are unhappy with the state of their cybersecurity culture. A poll of 4,800 business and technology professionals found that only 5% of organizations think their cybersecurity cultures are as advanced as they should be, according to the Information Systems Audit and Control Association (ISACA). To solve this issue, ISACA suggests investing more in training and directly involving employees in the cybersecurity process.
A 2017 report from Cisco and the Trivalent Group emphasizes the importance of cutting down on the time between an attack and its detection in preventing extensive damage. Employers’ cybersecurity systems must be capable of detecting and responding quickly to an attack — and that increasingly includes training employees on the front lines.