Cofense analysts tracked gift cards in 54 active BEC attacks to see how they were used. (Photo by Justin Sullivan/Getty Images)

The analysts at Cofense recently undertook a five-week experiment to see if they could gain insight into how scammers use gift cards in business email compromise attacks (BEC)

In a Nov. 2 post on its security blog, author Ronnie Tokazowski described how the email security firm purchased $500 worth of trackable gift cards to see what scammers did with them. The folks at Cofense used those gift cards to engage with 54 live BEC attacks over a five-week evaluation period to see what they could uncover.

As Tokazowski writes in the blog post, gift card scams play out like other types of business email compromise scams where a company executive is impersonated to convince an employee to make wire transfers or some other financial fraud. Attackers have since adjusted the scam to include payroll diversion, invoice fraud, check fraud and — the topic of Cofense’s research — gift cards.

“Once the unsuspecting victim has taken the bait and responded to the scammer, they will be asked to go to a local store to purchase gift cards, often in $100 or $500 dollar denominations,” Tokazowski wrote.

An FBI alert in May highlighted that identified global losses in BEC scams increased by 65% between July 2019 and December 2021 to $43 billion.

Tokazowski noted that the analysts were surprised by the swiftness in which scammers moved funds, adding that in all but one case, each card was stolen, re-sold and used for purchase within 24 hours.

The analysts also found that scammers pushed for brand-specific cards such as Apple, Steam or Google Play, and were hesitant to accept Cofense’s trackable cards, but many eventually accepted them.

In one entry of note, a scammer impersonated Cofense’s CEO to try to steal funds from a senior researcher who has spent seven years raising BEC awareness. Recognizing the scam, the researcher was able to turn the tables and interview the perpetrator, who said he was in Nigeria. 

“We do acknowledge that it’s entirely possible that the attacker was still lying to us, however they did confirm that yes, they were in Nigeria. The scammer went into further detail about how he became a scammer, with one of the primary reasons being limited opportunities in Nigeria.”

After the interview, the researchers gave the gift card to the Nigerian, who said he would sell it locally and it was used to purchase five instances of TikTok Live via the Google Play store.

The blog post details other engagements that ranged from Amazon purchases to counterfeit toys sold in Myanmar to purchases for energy companies. “While we did find some very interesting things about what happens to gift cards once they’re stolen in BEC attacks, we ended up with many more questions than answers.”

Video link