Milwaukee airport’s security manager has been fired after falling for a scam, buying gift cards and sending them to someone in Saudi Arabia posing as her boss.
- She was emailed by someone posing as the airport’s director. (She didn’t check the return address, which wasn’t his.)
- The scammer said he was planning “a surprise gift package for some of our staff” and asked her to pick up gift cards for the surprise, and that she’d be reimbursed – but not to tell anyone since it’s a surprise!
“Mum’s the word!” the email read. “I will need you to purchase the cards and you will be reimbursed. How soon can you get this done? Let me know so I can tell you how many cards are needed and also the value on each card.”
Initially she bought (3) $500 Google Play cards, (2) $200 iTunes cards, and (2) $100 eBay cards. She followed instructions, “scratch[ing] off all of the card PIN numbers and reply with photos showing the PIN numbers.”
Then the scammer got into high gear. He said two cards weren’t properly activated, and needed her to buy more – $3000 more. Eventually she asked her boss about the gift cards, and he told her he hadn’t emailed her and didn’t ask her to buy gift cards.
She’s the security director and she wasn’t careful dealing with an online scammer. That’s not a good look, and she was let go for “substandard or careless job performance.” However, what she ran into is very common: it is part of a multi-billion-dollar scam that I’ve run into many times over the past three years.
I’ve written about how people commit credit card fraud, but there’s another fraud I’m well acquainted with.
- Scammer looks up company website. Identifies name of the President or similar head of the organization, whom they impersonate.
- Posing as that executive, they email the CFO or Director of Finance: the executive is out of the office, has an emergency payment to make by wire, and needs it expedited. They’ll often keep the amount under $50,000, thinking that it may require fewer approvals.
- In a particularly sophisticated version of the scam the email comes from one executive, is sent to a finance employee, and cc’s their boss. Someone impersonating their boss then replies with approval.
Of course, in order to get the replies to these emails, the scammer isn’t using a real company email account. The ‘reply-to’ address is a throwaway account (sometimes on a domain that looks similar to that of the company they’re trying to scam). Always check the email address of the person giving you instructions electronically.
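The three tells in the scam above (a reply-to that points somewhere other than the displayed sender, a sender domain that merely resembles the company's real one, and an executive's name on an outside address) can be checked mechanically before anyone acts on an email. The script below is an added example written for this post, not code from the original; the domain, the executive name and the three sample messages are constructed placeholders, and the look-alike rule (edit distance of two or less, or the company's domain label embedded in a longer domain) is a simple assumption, not a standard.

```python
# Added example, not code from the original post: a header check that
# flags the tricks the post describes. Domains and names are constructed.
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example-airport.com"       # constructed: the company's real domain
EXECUTIVE_NAMES = {"pat director"}           # constructed: names scammers like to borrow


def domain_of(header_value) -> str:
    """Lowercase domain part of an address header value, '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means a likely typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str) -> bool:
    """A domain that is not the trusted one but could be mistaken for it (assumed rule)."""
    if not domain or domain == trusted:
        return False
    if edit_distance(domain, trusted) <= 2:           # e.g. examp1e-airport.com
        return True
    label = trusted.split(".")[0]
    return len(label) >= 6 and label in domain         # e.g. example-airport-mail.net


def check_message(raw: str, trusted: str = TRUSTED_DOMAIN) -> list:
    """Return human-readable findings for one raw message; empty means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    from_name, _ = parseaddr(msg.get("From") or "")
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))

    # Tell 1: replies are silently routed to a throwaway account.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    # Tell 2: the sender (or reply) domain only resembles the real one.
    for header, dom in (("From", from_domain), ("Reply-To", reply_domain)):
        if is_lookalike(dom, trusted):
            findings.append(f"{header} domain {dom!r} looks like {trusted!r}")

    # Tell 3: an executive's display name on an address outside the company.
    if from_name.lower() in EXECUTIVE_NAMES and from_domain != trusted:
        findings.append(f"executive name {from_name!r} used with external domain {from_domain!r}")
    return findings


# Constructed sample messages in the shape of the scam described above.
SPOOFED_REPLY_TO = """From: "Pat Director" <director@example-airport.com>
Reply-To: pat.director.office@webmail.example
To: security.manager@example-airport.com
Subject: Surprise gift package

Mum's the word! I will need you to purchase the cards.
"""

LOOKALIKE_SENDER = """From: "Pat Director" <director@examp1e-airport.com>
To: finance@example-airport.com
Subject: Urgent wire

"""

LEGITIMATE = """From: "Pat Director" <director@example-airport.com>
To: security.manager@example-airport.com
Subject: Staff meeting

"""

if __name__ == "__main__":
    samples = (("spoofed reply-to", SPOOFED_REPLY_TO),
               ("lookalike sender", LOOKALIKE_SENDER),
               ("legitimate", LEGITIMATE))
    for name, raw in samples:
        print(f"{name}: {check_message(raw) or ['no findings']}")
```

The check only reads headers, so it can run in a mail gateway or as a sanity check on a pasted message; it deliberately says nothing about whether the request itself is reasonable, which is why the author's advice to confirm unusual instructions with the person directly still applies.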
Ultimately people want to be helpful, and this is just a variation on an age-old social engineering trick. Only in the digital age it is leveraged at a scale where scammers run off with 10 figures a year.