Social engineering-based attacks use a combination of timing and context to trick victims, according to a Thursday report from Barracuda Networks. These attacks typically begin with an attacker impersonating someone in a position of power asking employees of lesser status to transfer money,, disguising their attack in a well-timed email with relevant information, Barracuda found.

The holidays provide the perfect context for cyberattackers, opening up a whole new world of threat vectors. One major strategy cybercriminals are using is gift card spear phishing, an attack that tricks office managers, receptionists, and executive assistants into sending gift cards to the actual attacker, claiming the offer is for employee rewards or a holiday gift, according to the report.

SEE:IT email templates: Security alerts (Tech Pro Research)

Since the beginning of October, social engineering attacks via gift cards have risen significantly, the report found. Cybercriminals know that many companies ask office managers or executive assistants to buy gift cards for employees to get ready for the holiday season. Attackers will target those employees, impersonating a CXO or authoritative position, according to the report. Because the message came from a higher up, these employees will usually respond and quickly complete the task.

Barracuda found the following key strategies attackers are using in the email requests:

  1. Request for secrecy
  2. Research of relevant details
  3. Implied urgency

Cybercriminals may ask the recipient to keep the gift card transaction a secret, claiming they want to keep it a holiday surprise, the report found. The attackers may also try to find relevant, specific information about the company to include, to add credibility. Additionally, attackers often use some sort of urgent rhetoric (“Do get back to me,” “How soon can you get this done?”) to add a little pressure on the recipient to get the job done.

The attacks tend to work because they appear to be sent from credible email addresses, don’t hold any form of malicious payload like links or attachments, and use relevant information to make the victim feel comfortable, the report noted.

SEE: Man-in-the-middle attacks: A cheat sheet (TechRepublic)

Companies can implement email security solutions to prevent these attacks, and take other precautions like security awareness training and phishing simulations to help educate employees, the report noted.

The big takeaways for tech leaders:

  • Cybercriminals are using social engineering-based phishing attacks through gift cards to trick employees during the holiday season. — Barracuda, 2018
  • The attackers pose as authoritative figures in a company and email office managers convincing them to purchase gift cards for employees as a Christmas gift. — Barracuda, 2018