During this holiday season, there have been continued reports of gift card scams targeting New Jersey State employees and residents. In the above campaign, threat actors create free PenTeleData (ptd[.]net) email accounts to lure their targets in social engineering schemes. They use direct questions or phrases related to Amazon Prime to engage their targets in further conversation. The subject line displays “RE ; Check In [heart emojis]” to indicate a sense of trust and a reply to a previous conversation thread. If the target replies, the threat actors make an urgent request to convince them to purchase gift cards and then provide them with the gift card numbers and PINs on the back of them.

Threat actors exploit organizations that reward employees with gift cards by impersonating positions of leadership or authority within an organization. For example, threat actors impersonated a CEO to persuade the target to purchase gift cards from Apple, Target, and Sephora as employee appreciation gifts. In another campaign, they convinced the target to purchase 10 $500 Apple gift cards for purported employee gifts.

They often spoof or impersonate trusted contacts, such as religious leaders. In one report, threat actors claimed to be a priest to convince their target to buy six $25 Amazon gift cards for parish staff. Once the gift card numbers and PINs were sent to the threat actors, they requested an additional three $50 gift cards. However, the target realized it was a scam after noticing there were not that many staff members in the parish and the sender’s email address was not the priest’s legitimate email address. In another report, threat actors attempted to impersonate a pastor to help two women battling cancer. They requested the target to purchase Apple and Visa gift cards.

Threat actors also compromise accounts, such as Amazon, to purchase gift cards and then steal the funds. Several reports indicated losses of approximately $350 due to fraudulent purchases of Amazon and game play gift cards. They may also compromise social media accounts to convince the victim’s contacts or connections to purchase gift cards, such as $200 Sephora gift cards supposedly for a “friend in need.”

Threat actors also build trust in romance scams through social media platforms, such as Facebook, to scam their targets into purchasing Apple or Sephora gift cards, resulting in losses ranging from $200 to $2,500. They may threaten to make up stories or release screenshots in extortion or sextortion cases if the targets do not make payment in gift cards. Several reports indicated losses ranging from $600 to $3,000.

Requests or demands to purchase gift cards are unusual and typically portray a sense of urgency; therefore, they should be handled with increased suspicion. Gift cards allow threat actors to use the gift card’s funds as easily as cash without having the physical card. They are considered a payment method not linked to a specific person or entity and do not have the same protection as credit or debit cards. Therefore, victims typically cannot recover the money used for purchasing gift cards and subsequently suffer significant monetary losses.