FBI Tech Tuesday: Business Email Compromise (BEC)-Gift Card Fraud
PHOENIX, AZ—‘Tis the season for presents, incentives, and end-of-year bonuses. Scammers know businesses are more likely to reward employees or thank customers during this time of year, which can make companies more vulnerable to Business Email Compromise (BEC) scams. This year, the FBI is seeing more reports of BEC scams involving gift card fraud, including here in Arizona.
Over the past year and a half—and especially in the last few months—the FBI’s Internet Crime Complaint Center, IC3.gov, has seen a significant increase in the number of businesses that are getting hit with this kind of fraud. From January 2017 to this fall, estimated losses topped $1 million. In Arizona, BEC gift card scams jumped from just a couple of complaints in 2017 ($845 in estimated losses) to more than 50 complaints so far this fiscal year, with losses of close to $90,000.
The scam typically starts with a spoofed email or text from a person of authority, such as a CEO or HR director, telling an employee to purchase gift cards for the executive to give away or to use to purchase items, say, for a Christmas party. The employee is told to send the gift card information, including the number and PIN, back to the “boss”—really the fraudster—who then can cash out the value before you know there is a problem.
There are ways to prevent these types of scams:
- Look at the email header of the sender. Keep an eye out for email addresses that look similar to, but not the same as the ones used by your work supervisors or peers (abc_company.com vs. abc-company.com).
- Be wary of requests to buy multiple gift cards, even if the request seems ordinary.
- Watch out for grammatical errors or odd phrasing.
- Notice language that tries to pressure you to purchase the cards quickly.
- Finally, be wary if the sender asks you to send the gift card number and PIN back to him.
- Don’t rely on email alone. Talk to your CEO directly.
Requests for gift card purchases or wire transfers should be highly scrutinized. Make sure your business uses two-factor authentication protocols or at least follow up a phone call to confirm any transfer of funds.
IC3 says that while this kind of fraud can happen to any company, there are a variety of sectors most at risk. They include the real estate, legal, medical, and distribution and supply parts of our economy as well as religious organizations.
In 2017, the IC3 received 15,690 BEC/EAC complaints with estimated losses of more than $675 million nationwide, making it the #1 scam when it comes to victim losses.
If you have been victimized by this or any cyber fraud, be sure to report it to the FBI’s Internet Crime Complaint Center at www.ic3.gov or call your local FBI office.