Hackers are Targeting e-Gift Cards - But It's What Else They Might Find in a Personal Inbox that Should Concern CISOs
Who doesn’t love an online gift card?
Sent to the recipient’s email inbox, e-gift cards are convenient, easy to redeem, and aren’t subject to this year’s supply chain and mail delivery slowdowns. Another benefit is that the amount gifted is safe from fraudsters. Or is it?
A recent post by Krebs on Security revealed that gift card gangs are extracting cash from 100,000 inboxes each day. According to a trusted resource in the security industry, with the help of bots, cybercriminals are using stolen consumer credentials found on the dark web to launch tens of millions of automated distributed attacks each day. Once the legitimacy of a target account is confirmed, hackers move quickly to strip victims of their online gift card balances as well as hotel and airline rewards data – basically anything of value in their inbox.
Why CISOs should be concerned
Corporate executives have personal email accounts that sometimes become intertwined with their business accounts or business contacts. We all know that personal email accounts are usually not secured with dual-factor authentication, making them a target for credential stuffing attacks. Furthermore, these email accounts lie beyond what the company can or should directly protect.
But what’s genuinely revelatory about Krebs’ insight is the scale at which such intrusion attempts are happening and what the outcomes are. For example, since the beginning of the pandemic in March 2020, our reliance on all things digital and the risks that it introduces have resulted in an 820% jump in e-gift card bot attacks.
Preventing this form of fraud is rarely a top priority for a CISO – but it should be.
Business email compromise (BEC) is big business for cybercriminals, but breaching private emails is just as lucrative, especially the personal accounts of corporate executives. Today, seven in 10 executive passwords are available on the dark web. With these credentials, a bad actor can easily access and snoop around a CxO’s Gmail account for far more sensitive and valuable data than an e-gift card.
Consider this scenario: The CEO of a fictional law firm, James McKay, uses a corporate laptop, VPN, and multi-factor authentication to access corporate resources. But sometimes, when at home, on the road, or on vacation, James leaves his corporate device at the office and uses the family iPad, which has an 87% chance of having no security in place, to stay on top of his job.
To do so, he forwards a somewhat confidential client file or two to his Gmail account. He’s unaware that nine in 10 tablets are insecure, or that 69% of corporate executives have exposed passwords that are freely available on the deep dark web. He also didn’t notice the open YouTube tabs his little one was having a field day clicking through earlier.
His only intention was to not completely separate from work, and frankly he shouldn’t have to. Unfortunately, in today’s cyber climate, the casual habit of working on a personal device unintentionally exposes James and his law firm to various risks.
How can CISOs extend executive protection to inboxes beyond the corporate perimeter?
As the digital gift card scam proves, it’s not that hard to hack an email account and mine it for valuable information. The challenge for CISOs is that as protected and secure as the company’s digital assets and networks are, as soon as an executive heads home, switches over to working on a family device or personal email account, or takes advantage of the return of travel, the threat map expands exponentially. As a result, the CISO loses control, and the company is at risk.
CISOs can protect executives – and the company – in their personal digital lives in a way that is frictionless and doesn’t force executives to change their habits. Learn more about how BlackCloak can help CISOs extend protection to their executives’ digital lives and travel, so they, their families, and the organization are protected 24×7.