I was buying gift cards at Walgreens during the Christmas holidays. As the cashier rang them up, the screen flashed: FRAUD ALERT.
This alert was followed by a message: “Scammers, criminals, and hackers sometimes ask victims to purchase gift cards under false pretenses. Please ensure you are not a victim; click yes if you understand.”
This level of information sharing has long been needed. Years ago, hackers weaponized our essential communication tools (email, text, phone), and we as a society have been extremely slow to respond.
The gift card scheme is one of the most obvious hacks, but people still fall for it, so I will discuss it.
Hopefully, this review will prevent someone from being the next victim.
The scheme goes like this. You get an email one day, and it appears to be from your boss. Hackers have looked at your office’s website and social pages to figure out your org chart, and this process is called social engineering.
The email says the boss is getting gifts for the staff: don’t say anything; just run out, buy some gift cards, and email back when you do. The person you are emailing is only pretending to be your boss. Next, they ask you to scratch off the codes on the back and send pictures of them, and then you are robbed.
This is at the low end of the spectrum as far as hacks go; usually, only a few hundred dollars in gift cards are requested. Towards the middle of the financial hacking spectrum, emails asking for wire transfers could be in the hundreds of thousands, and on the farthest, most extreme ends, ransomware payments could be in the millions. Plus, there are romance scams, pig butchering, and fake vendor hacks (see UCF below) to be on the lookout for, and they could be anywhere on that spectrum regarding damages and total loss of funds.
While anyone can be a victim of these crimes, most can be prevented with good old common sense.
Often, they begin with emails that are poorly written, are sent at 4 a.m., don’t make sense, come from a random Gmail account, or have some other obvious red flag. However, everything you have heard about artificial intelligence is now fueling these kinds of attacks, making them more challenging to spot.
Throw in some deepfakes, and the email you receive asking you to buy gift cards may look real. Artificial intelligence and hackers have analyzed you thoroughly, looking for your job history, college, hometown, contacts, and everything else online to help them craft a believable email that will make you give up money or credentials.
If you have a business, run a campaign, or use a computer, it is time to do your homework. These are not just hackers in the basement going after you; in some cases, these are nation-states coming after our entire country. This week, we saw that alleged Chinese government hackers hacked the U.S. Treasury Office.
How about that for a big happy new year for us all?
Here in Florida, last month, the University of Central Florida got hit by a financial hacking scheme. It appears that a fake vendor invoice was sent, which they paid.
Also, on the Florida Man (ridiculous) side of hacking, we saw coaches in high school football allegedly hacking into their opponent’s practice videos. There is an app called Hudl, which the opposing team somehow got into, possibly stealing login credentials.
Really, Coach? I think that blows the whole sportsmanship thing right out of the water.
Hacking is everywhere, from the Chinese attacking the U.S. Government to the football fields of Bradenton, Florida, and at your local drugstore.
Therefore, your action items are as follows: Don’t fall for gift card schemes, call all parties (at a phone number not in the email) to verify email requests for wire transfers, and roll out all available advanced threat protection tools. If you think two-factor authentication and long passwords are a pain, guess what? They will be a pain to hackers, too.
It may just save your organization hundreds or even millions of dollars. For our final takeaway, it is time to consider whether passkeys are right for your organization’s cyber defense posture. A passkey is a digital credential that allows users to sign in to an app without a password.
There are a lot of protections out there, so until there is a Walgreens FRAUD ALERT screen on everything in life, get to work on fighting back in the war on hacking.
Happy New Year.