Understanding how business email compromises work to push fraudulent gift cards can vaccinate us from increasingly-sophisticated variants that will inevitably surface.

Gift cards are a favorite way for scammers to squeeze money out of their victims. Unlike the more secure and trackable wire or bank transfers, the only information needed to redeem the value of a gift card is the alphanumeric code on the back, which can be sent via email or read out over the telephone.

Once scammers have the code, they can then sell it at a discount, convert it into their local currency without any sort of paper trail, and launder and/or dispense the funds quickly.

Some scams are fairly elaborate and require a high degree of involvement from scammers:

  • Tax authority scams: telling targets that they owe money to the tax authorities (or some equivalent agency) and must immediately pay off the debt or go to jail. This often involves scammers staying on the phone with their targets for an hour or more, walking them through the process of buying a gift card and transferring the code to them.
  • Tech support scams require scammers to be able to convince targets to install remote administration software on their computer, and then convince them to buy a gift card.
  • And then there are the scammers that take the easy approach: they just ask. Typically, this ask happens via a business email compromise (BEC), where the scammer will pose as an official in the target’s company, and claim to have an urgent need for gift cards. On a victim-by-victim basis this is probably less lucrative than tax scams or ransoming a target’s computer back to them, but it can be faster and simpler: scammers can send as many emails as they like, and they only need to get lucky once to net a nice payday.

Anatomy of a BEC gift card scam

Cybersecurity firm Sophos has shared information about how such gift card scams work. While the exact details vary for each scam, the steps often follow this general pattern:

  1. The approach: Scammers will email a number of targets, usually with a very short message like, “Are you there?” or “Are you available right now?” Occasionally, they will step up the urgency with a subject line like: “Please respond!!!” This is because the scam relies on getting money out of targets before they have had a chance to think about it and realize they are being scammed. Scammers are looking for and depending upon people that will quickly or reflexively respond to a person of authority demanding an action.
  2. The ask: Once targets are ‘qualified’ by demonstrating a quick positive response to the bait, scammers will then demand the gift cards. They will make up a reason that a) they need gift cards and b) they cannot do it themselves (in a meeting, stuck in traffic, etc.). If they have not cranked up the urgency yet, this is where it happens: “I need this ASAP” or “This is super important, please let me know how fast you can get to this.” 
  3. The attack: Once targets have agreed to get the gift cards, scammers send over details, including the specific type of cards to buy, denominations, and instructions to pay out of pocket and then expense it or to pay in the most expedient way possible. Scammers usually re-emphasize urgency here.
  4. The loot: Once targets have the gift cards in hand, scammers will ramp up the urgency one last time, telling them that the matter has become even more urgent, and they should just send the codes off the back. Once targets do this, the scam is over, and likely the last time scammers contact them.

Stopping BEC scams with AI

Detecting BEC emails takes a combination of state-of-the-art Natural Language Processing (NLP) models and hand-designed features.

Using the same NLP architecture that powers Google’s search tools, software can learn to understand words in context rather than individually, and extract much more nuances from a chunk of text to detect notions such as “urgency” and “asking for something.”

Other factors in the AI algorithm take into account factors such as: whether or not the sender and receiver share the same domain; the size of the recipient list; the number of people in the CC field; and a “high-urgency” subject line with a body requesting immediate response.

While inferring things like urgency and tone directly from the word analysis is difficult, a technique called LIME can be used to make a decision on whether the content is suspicious. In the above example, the word “cards,” particularly in conjunction with “need”, set off alarm bells for the machine learning model.

What is interesting is that in a completely different context (for instance, “please sign the birthday cards in the break room”) the word “card” has almost no loading for malicious or benign either way. This is the power of self-attention: the AI model can evaluate the word “card” in the context of the full email and email-specific features to identify phishing elements. 

Ultimately, if all the classic elements of the ‘ask’ phase of a BEC attack are in place: a request for gift cards, an excuse for why they cannot talk on the phone, and an emphasis on speed and urgency, the system will step in to interrupt the thread.