Gift Card BEC Attack Impersonates COO to Encourage Employee Performance

In this attack, the attacker impersonated the targeted company’s COO to ask an employee to purchase gift cards as a reward for employees for their performance over the last quarter and to encourage continued hard work. In addition to setting the sender’s display name to spoof the impersonated COO, the email was also sent from a freely-available GMX account that was created with a username that matched the impersonated executive’s name.

A secure email gateway can't determine malicious intent because the attack is text-based, without any other indicators of compromise. This email was sent from a GMX account, a free webmail service available to anyone. As a result, there is no bad domain reputation for traditional security providers to discover, and the email passes all authentication checks for SPF, DKIM, and DMARC. 

Natural language processing enables cloud email security solutions to detect the presence of a gift card request. With Active Directory integration, the platform knows that the email is not associated with the spoofed executive. Integration with the Microsoft API allows an email security solution to use Active Directory to process the organizational chart and understand VIP emails to know when an executive is being impersonated via display name deception.

Because the username of the sending email address matches the expected username of the impersonated executive’s actual email address, employees may not recognize the difference and trust that the message was sent from an authentic source. Similarly, because the sender’s display name has been spoofed to impersonate the company’s COO, an employee receiving the email may instinctively comply with the email since it appears to come from a person of authority.