Business Email Compromise (BEC): How to Prevent ‘Gifting’ In

BEC is when hackers gain access to a corporate email account and spoof the owner's identity to defraud the company or its employees, customers or associates of money.
Gigabit Systems
February 5, 2019

No matter the season or the occasion, consumers frequently turn to gift cards as one of the few versatile gift-giving options. In today’s digital age, you might not be surprised to hear that even gift cards pose a threat to your online safety. The Federal Bureau of Investigation (FBI) issued a warning in December of 2018 about Business Email Compromise (BEC) scams that specifically involve gift card fraud. Although these tactics do not have a high success rate, hackers can still turn a handsome profit. Here’s what you should know about this up-and-coming cyber-attack method.

What is Gift Card Fraud?

Business Email Compromise scams, also referred to as “CEO Fraud” or “Whaling”, pose a significant financial cyber threat to businesses across the United States. The FBI’s Internet Crime Complaint Center reported that gift card fraud led to estimated losses of over $1 million. These damages are felt on a local level as well. In Arizona, losses from BEC gift card scams went from $845 during 2017 to $90,000 in 2018.

The FBI explained in their December 2018 press release that BEC gift card fraud takes advantage of employees by using concise, assertive language. Prior to the attack, an assailant organization will look to gain access to the intended victim organization’s emails. This helps the hackers craft as convincing a message as possible. Here, timing is everything: BEC is far more successful around the holidays, or among employees who work closely with clients, third-party vendors, and so on.

Messages attempting gift card fraud appear to come from a CEO or another powerful executive, and typically encourage employees to buy gift cards for a holiday party, personal use, and so on. The email usually asks the employee to send the gift card information, i.e. the number and PIN, back to the executive who allegedly sent the email. The hacker behind the email will then cash out the value.

The Scarlet Widow Case Study: Why Your Business Should Take Gift Card Fraud Seriously

There have been several international examples that shed light on the potential consequences of a successful BEC maneuver. One involves a Nigerian organization known as the Scarlet Widow, which targets thousands of nonprofits, education-related institutions, and their associated individuals using gift card fraud. They typically request Apple iTunes or Google Play gift cards using a narrative that makes the request seem to fit. For example, Scarlet Widow was able to convince an Australian university administrator to both purchase and distribute $1,800 of iTunes gift cards. The administrator later admitted that they believed the request came from the head of the university’s financial department. Scarlet Widow completed their mission by selling the cards for bitcoin and converting that to cash, all in a little over two hours.

What this case study shows us is just how quickly this type of social engineering can flourish. A single employee’s mistake led to thousands of dollars lost in a matter of hours. Given the ability of organizations like the Scarlet Widow to identify their intended victim's organization and mask themselves within it, all businesses should take this incident into serious consideration when developing their cyber-security strategy.

How to Prevent Gift Card Fraud

If you suspect that an email might not have come from its alleged sender, first look at the sender's address in the email header. Hackers will sometimes send an email from an address that looks similar to, but varies slightly from, that of a legitimate executive. If you are still unsure about the email’s validity, do not be afraid to ask for help. Reaching out to your CEO or executive directly is the easiest and quickest way to determine whether the email is fraudulent.

The email’s contents, too, can point you in the right direction. The FBI warns that requests to buy multiple gift cards, even if the request itself doesn’t seem too outrageous, should concern you. Employees should also watch out for overly assertive language, that is, a tone that pressures you to purchase the cards and/or send the gift card number and PIN as quickly as possible. Lastly, any sort of odd phrasing, grammar errors, or any variation you instinctively notice from the sender’s usual emails should warrant some hesitation. As is the case with all types of widespread social engineering attacks, business leadership and information technology experts must educate on an organizational level as a means of reducing any possible financial or reputational damage.
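The header and content checks described in the two paragraphs above can be combined into a simple mail triage script. The following is an added example, not code from Gigabit Systems or the FBI; the domain `example.com`, the sample message, the sign names and the phrase lists are all constructed assumptions, and it assumes a single-part plain-text message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organization's real mail domain

# Constructed sample message for illustration, not from a real incident.
SAMPLE = """\
From: "Pat Lee, CEO" <pat.lee@examp1e.com>
Reply-To: ceo.office@mail-example.net
To: staff@example.com
Subject: Quick favor

I need you to buy 5 iTunes gift cards right away for a client.
Send me the card numbers and PINs as soon as possible.
"""

# Content signs named in the article: several cards, number/PIN, pressure.
CONTENT_SIGNS = {
    "multiple-gift-cards": r"\bgift\s*cards\b",
    "asks-for-number-or-pin": r"\b(pins?|card numbers?)\b",
    "pressuring-tone": r"\b(right away|as soon as possible|asap|urgent(ly)?|immediately)\b",
}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw, org_domain=ORG_DOMAIN):
    """Return the gift-card BEC warning signs present in one raw message."""
    msg = message_from_string(raw)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    if sender != org_domain and edit_distance(sender, org_domain) <= 2:
        findings.append("lookalike-sender-domain")
    if reply_to and reply_to != sender:
        findings.append("reply-to-differs-from-sender")
    body = msg.get_payload().lower()
    findings += [name for name, rx in CONTENT_SIGNS.items() if re.search(rx, body)]
    return findings
```

Calling `triage(SAMPLE)` returns all five signs for the constructed message; a message flagged this way is a candidate for the direct check with the executive, not proof of fraud.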


Business Email Compromise, specifically in the context of gift card fraud, poses a severe threat to businesses of any size. Since hackers are able to pose as a part of their intended victim's organization, these assailants have a great opportunity for success. Encouraging your employees to say something when they see something, study previous examples, and carefully read through their messages must become commonplace in order for these damages to dwindle.
