New gift card phishing attacks

Gift card phishing attacks use an old trick that fell by the wayside with the rise of cryptocurrency phishing attacks. It's a trick, never a treat.

Post hero image

Table of contents

Gift card phishing attacks are a trick, not a treat, no matter what the email says!

We are monitoring an ongoing gift card phishing campaign in which attackers posing as UPS officials demand tax duties for international packages are paid with gift cards. As much as we all love receiving a mysterious package from far away, any email message requiring payment in gift cards is a fraud.

Gift card phishing is an old trick that fell by the wayside with the rise of cryptocurrency phishing attacks. But as the reputation of crypto degrades and becomes more associated with criminal activity, some malicious actors have moved back to exploiting gift cards as a payment method in phishing attacks.

Gift cards are like prepaid tokens meant to be exchanged for something from an issuing vendor. But they can be used in a way that lets them function a lot like cash, too. Cyber criminals like gift cards because they share the same characteristics with cryptocurrency payments that have made them the phishing attack currency-of-choice.

Gift cards are untraceable; cashing them in does not require inputting any personal details. Transactions are as fast as cash, but work on online platforms. Once the card is used, the money is gone and no financial trail is left behind. It’s basically a dream currency for cybercriminals.

These coupons can be purchased online or at local physical stores. Nowadays they are accepted worldwide almost anywhere as a payment method. Their most attractive feature to cybercriminals is that they are really easy to redeem, no matter who or where you are.

Gift cards contain a unique 16-digit code. Anyone capable of reading the numbers can withdraw the money anonymously. They are accepted as payment methods at numerous types of sites, including online gaming, betting, video games, online services, and so on.

Red flag threat indicator

Gift cards are an immediate malicious email red flag. If someone demands payment via gift cards, the email should immediately be seen as shady, and you should rightly suspect that it’s a fraud.

Bad actors try to trick people into buying them gift cards in various ways. Sometimes their attacks involve asking for favors in which investing in gift cards would pay off someone or accomplish something important. This technique is not only popular in phishing it’s also used in vishing (where attackers scam victims over the phone).

Cybercriminals still use this old-fashioned technique because it lets them remain anonymous after purchases, but also simply because it still works! It’s worth mentioning that Paysafe, while widely reported as being involved in phishing scams, is not the only platform used for these attacks. We have seen many others like Steam, Amazon, GooglePlay, and iTunes used. But Paysafe is arguably the most popular.

How gift card phishing works

Attackers like to create a false sense of authority and urgency in their attacks; they will frequently impersonate high-level executives and order an underling to buy something for an urgent project (this type of attack is also called CEO attack, or Business Email Compromise). Many other background stories have made the rounds over the years, including:

  • Tech support gift card phishing scam: An attacker posing as tech support from a major company like Apple or Microsoft says your computer is broken and a gift card must be purchased to fix it
  • Government gift card phishing scam: Someone from the IRS demands payment via gift cards for back taxes
  • Romance gift card phishing scam: That nice person you met on a dating website has fallen on hard times and gift cards are the only way you can be together
  • Utility company gift card phishing scam: Buy me gift cards or lose your lights!

Scams, scams, and more scams. There are infinite possibilities for why an attacker “needs” gift cards, but the truth is that it’s just a handy way to steal from honest people.

While it is almost impossible to recover funds once the gift card code has been shared, you CAN recoup funds if you sense the attack early enough and do not reveal the code. Refunds usually involve a fee.

UPS gift card phishing attack (Finnish localization)

Finish UPS gift card phishing attack

This example happens to have been localized to Finnish, but it’s developed from a global template for one of the most popular gift card phishing attacks we’re seeing in the wild. The attacker poses as a UPS official and hooks the victim with a scam about a package that can’t be delivered until an international duty tax has been paid. And oh, by the way, that duty must be paid with a Paysafecard.

The scam involves two quick and easy steps:

  1. Buy a Paysafe card online loaded with 75 € value to pay the duty on a mysterious package sent from outside Europe.
  2. Send the Paysafe card PIN code to a specific email address so package delivery can be completed.

After reading this article you, now know that any email requiring gift card payment is a scam. But, aimed at the right unsuspecting victim, it’s an easy way to turn a tidy profit.

Why are gift card phishing attacks effective?

These attacks are simple and fast. When people receive such emails, especially from an imposter authority figure in their work email account, they might find themselves trying to quickly take care of the “problem” and fail to notice the potential threat indicators. Other times, there might be a sense of pressure to go above and beyond for one’s boss or clients.

But often, it’s simple lack of awareness of the risks and dangers.

Know the red flags and stay off the hook!

  • Remember, no real business or government agency will ever insist you pay them with a gift card
  • Do not respond directly to any random emails seeking “favors” or “help” in the form of gift cards
  • Do not use any links or phone numbers listed in the suspicious email itself; first contact the person or their organization they say they represent through another channel or official platform.
  • Any offer that looks too good to be true probably is
  • Any request to send money to a third party is dubious

Hoxhunt response

Our Threat Analysis Team examines tens of thousands of reported phishing emails, including ones like these, a week–and have captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly-evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.

Explore more phishing trends

Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this