Cybersecurity Risk: Phishing Gift Cards

A cybersecurity risk you need to be aware of this holiday season: phishing. It threatens businesses by asking people to perform favors and invest heavily in gift cards. The ease with which these bad actors can win the trust of employees at companies of all sizes is alarming, and we want our clients to be aware of these possibilities.

When it comes to cybersecurity and protecting your business, safeguarding against phishing attempts and related email scams remains a high priority. According to the Verizon 2020 Data Breach Investigations Report, phishing remains one of the most common methods that nefarious actors use to gain access to secure systems, thus compromising your business information and your customer’s security. Phishing remains particularly threatening because even well-meaning employees, who would never leave the store unlocked, can find themselves tricked by one of these bad actors and compromise your entire organization.

As a business leader, you focus on hiring people who you know can do their jobs well and would not purposely harm the company. Realizing how easily they can be tricked by phishing schemes, and open you and your organization up to a breach, can be sobering and stressful. There are steps you can take, however, to protect yourself and your company. Let’s review what every Portland business and organization should know.

What Is a Phishing Scam?

In a phishing scam, bad actors try to trick people – often through email – into handing over confidential credentials or money. The messages they send have been specifically designed to sound as though they are coming from a trusted source. For example, people might receive phishing emails from someone claiming to be from their bank or a social media platform. At a company, the email might come from someone claiming to work in the accounting department or human resources. These scammers do not need advanced programming and hacking skills: An email that pretends to be from someone the victims already trust can get them the information they want.

Those attempting to run a phishing scam might employ clever strategies such as:

• raising alarm in the recipient by claiming to have not received payment, noticing suspicious activity on an account or even needing to update employee information and credentials
• asking people to confirm personal credentials for secure sites
• offering links for people to log in to secure sites or make a payment – often taking the person to a site that appears to be legitimate

When people receive these types of emails, especially to their work email account, they might find themselves trying to quickly take care of the “problem” and fail to notice potential indicators that a message might be a phishing email. This makes phishing a major cybersecurity concern.

There are also a variety of different common phishing emails that might compromise one’s security or rob them of potentially thousands of dollars. While it is impossible to know them all, we have seen scams asking employees:

• to provide help in the form of money for a loved one who is sick, hurt or in trouble
• to provide social security numbers to prove innocence in a crime
• to provide confidential information to avoid prosecution for unpaid taxes

A recent scam that has begun to take hold involves emailing people, asking for a “favor.” The criminals often use public information about companies, such as the names of employees and supervisors, to make the email appear to come from a person’s boss. The scammer then asks the victim to purchase hundreds or thousands of dollars in gift cards because the boss is “traveling” or otherwise unable to make the purchase personally. Once the trusting employee passes the information on the purchased cards back to the “boss,” the money disappears.

Cybersecurity Tip: What Should You Do When You Spot a Phishing Email?

Step 1. Do not respond directly to any random emails that ask for “favors” or “help” or any type of confidential information, even if the email claims to need only to verify the information. It is always best to err on the side of caution.

Step 2. Whenever someone suspects that a particular message or email could potentially be a phishing scam, contact the company personally to confirm. Do not use any links or phone numbers listed on the email itself. For example, if an employee appears to get an email from their IT department claiming that they need to verify their login credentials, call the information technology team directly to confirm that they need the information.

Step 3. Report the phishing scam to the company and any relevant authorities. If you receive a phishing email at work, let the IT department know that the scam is being sent to employee email addresses. They can ready their cybersecurity processes and notify others in the company that the scam is circulating. A phishing scam can easily be sent to multiple people at the company, at once, in the hopes that one person will fall for it: Drawing attention to this kind of attempt can help avoid disaster. Some scams should also be reported to legal authorities, such as attempts to impersonate the IRS. These kind of complaints should go to the Treasury Inspector General for Tax Administration.

How Do I Prepare My Team to Recognize a Phishing Email?

Download This Guide: Empower Employees With These Training Techniques

The best way to prepare employees to successfully navigate a phishing email is to provide them with cybersecurity training that teaches them how to recognize common signs of a scam and what should raise red flags in their minds. At Compass, we provide employee training and advanced security that help companies navigate this treacherous risk. According to Accenture, providing employees with cybersecurity training provides an important barrier for the organization. It is one of the traits that sets well-defended companies apart from those that experience more breaches.

As part of the training at Compass, we will launch a phishing test where we pose as a scammer and mimic many of their strategies. Employers can then see how their employees respond and give them practice for facing real threats.

With each passing year, cyber criminals continue to look for more ways to breach businesses and steal critical customer and business information. At the top of their list of strategies is phishing. This scam can take many forms, but all of them can have devastating consequences. Protecting yourself and your business, however, comes down to education and training. Learn more about how you can prepare your workers and keep your information secure.