There is a massive gift card scam across many industries including finance, supply chain, and retail. These attacks are coming through phishing campaigns, which are on the rise.
Remember: gift cards offered via SMS text messaging are an instant red flag. Be vigilant during the holidays with these key steps.
View all our fraud resources here.
How to avoid gift card scams
- If you receive a text offering a gift card from a number or name you recognize, call them and verify that the person did, in fact, send a gift card.
- Do not click on the gift card link until you have verified it is real.
- There should be 16 digits and a pin number associated with all gift cards; if you do not receive this, it is a fraud attempt.
- Provide education and training for employees on how smishing/phishing scams work, how to identify them, and how to report them.
- Ensure there is a mechanism and process for employees to report smishing/phishing attacks.
- Encourage employees to be cautious about sharing sensitive information, including login credentials, when communicating via phone or web-based programs, and to not click on suspicious links. Requests for sensitive information should be verified through alternative, approved methods. Urgent requests via SMS should be treated with caution.
- Require multi-factor authentication on as many accounts and login credentials as possible. When practical, use phishing-resistant authentication options.
- Employ anti-virus and anti-malware solutions and make sure they are updated regularly.
- Enforce a strong password policy, such as requiring strong and unique passwords for all password-protected accounts, employing lock-out rules for failed login attempts, restricting the reuse of passwords, and requiring the secure storage of passwords.
- Consider using network and end-point SMS filtering and anti-phishing tools.
- Implement security monitoring tools that log network traffic to establish baseline activity and enable detecting and addressing abnormal network activity, including lateral movement on a network.
- Enforce the principle of least privilege throughout the organization’s network. Account privileges should be clearly defined and regularly reviewed and adjusted as necessary.
- Maintain and enforce a Bring Your Own Device policy (BYOD). Provide education and training to employees on the BYOD policy.
- Free phishing guidance: Stopping the Attack Cycle at CISA Phishing Guidance www.dhs.gov
Gift card phishing attacks are one of the most common ways to target people during the holidays. Be more aware, slow down, and use discernment. When in doubt, reach out, report, and ask for help before you click on anything.
