Pratum Blog

Best Buy Email Gift Card Scam

Gift card phishing campaigns are on the rise. These scams can be believable and tricky to recognize until it’s too late. Being informed on how this type of scam works will keep you better protected and prevent you from saying: “I can’t believe I just lost $1,000! How could I have fallen for something like this?”.

Emily is one example of falling victim to gift card phishing. Trouble started when she received an email from her company’s CEO requesting a favor. The email stated that he wanted her to get five (5) $200 Best Buy™ gift cards and send the codes to him within an hour. It also stated that she must reply via email only, because he was headed into a meeting. Most people do what their CEO asks, so Emily went to Best Buy™ to purchase the gift cards. After they’re paid for, she sends the codes to her CEO just as he asked. Emily thinks nothing of it and heads back to the office. She later bumps into the CEO and asks if he received her email with the gift card codes. Confused, he tells her that he doesn’t know what she’s talking about. With a sick feeling in her stomach, she realizes that someone was imitating her CEO, and she was just scammed out of $1,000.

Emily’s not alone; this has happened to countless people around the world. Phishers are typically skilled at finding an employee’s name and their position within the company, making them an easy target. They prey on their victims by sending an email posing as the CEO or any type of upper management requesting gift card codes. The email instructs the victim to “act quickly”, creating a sense of urgency and less time to notice it’s a scam. It will also require the victim to respond by email only, stating that the sender is headed to a meeting and won’t have phone access. The details of this email can create an illusion of a legitimate request, making it easy to fall for. Unfortunately, by the time it’s discovered that it was a scam, often times the hackers have already spent the money, and there is no way to get it back.

Take these steps to help prevent and protect yourself from email gift card scams:

  • Be Diligent: These emails may seem legit, but always take a moment to check the email address, wording, and general layout for any peculiarities that indicate it’s fraudulent.
  • Trust, but Verify: If you have suspicions about whether the email is valid, the best option is to verify with the sender in person or by phone. Don’t respond to the email!
  • Exercise Caution: Whatever happens, do not give out your phone number or other personal information. This allows the imitator to use your phone number for other reasons and could lead to worse crimes.

Scammers are highly skilled at targeting human nature, which is why many people fall for their schemes. Gift card phishing campaigns are hot right now, but phishers are creative, and it’s only a matter of time before a new campaign rolls out. The best way to protect yourself from scammers is by becoming informed. The more people who recognize their tactics, the less power they have.

Security Awareness Resources
Information Security Consulting

What comes to mind when you hear security consultant? Maybe you’re thinking it’s a person who gives professional advice about security. While that is correct, security consulting is more than just swooping into your organization, providing the best security recommendations, calling it good, and riding off into the sunset. The more likely scenario is that your consultant will become a vital asset to your organization.

Giving great advice is only a cog in the security consulting machine. At the core of the operation is the drive to ensure your organization and its information are protected. Consultants become a trusted ally as you navigate your way through enhancing your organization’s security program.

Upon conducting an initial assessment of your security risks, the consultant begins to design a shield that is tailored specifically to your security needs. Possessing expert knowledge, maintaining an unbiased perspective, and being relationship focused all have a large part in the creation of this shield.

The security threat landscape is ever-changing, and a security consultant will ensure that your program is continuously evolving, too. It’s no secret that a security breach can have immediate and lasting effects on your organization and having someone on your team whose job is to constantly be aware of your risk offers substantial peace of mind. When a security consultant is watching your back, you have the power to focus on future business objectives.

Spreading security awareness is crucial to the strength of your organization’s security shield. Each individual in your company has the ability to make an impact on security, both in good ways and bad. Security consultants not only bring awareness to your company’s risks, but to the implications of those risks as well.

Ultimately, security consultants want to empower organizations to conquer their security threats. Gratification comes when security consultants witness change happening in an organization. “For companies that turn the corner with a mass of security-aware employees, things start to change. It’s fun to be involved in that.” says Tony Schwarz, Security Consultant at Pratum.

It might be easy to assume that security consultants just give security advice. However, giving advice is only the tip of the iceberg when it comes to security consulting. The level of dedication they provide to your organization makes them a necessary extension of your team.

OT Security with ICS, HMI and SCADA

A couple of weeks ago, Pratum’s Digital Forensics Manager, Bryan Burkhardt and Information Security Analyst, Chad Porter, delivered an Operational Technology (OT) Security presentation to a group of manufacturers and utilities titled “Jurassic Part: Evaluating Security While Systems Age.” The presentation was not only captivating and amusing, it also encompassed a very important message: Converging IT and OT introduces information security risk, but your security can evolve.

“Evaluating Security While Systems Age”

What does it mean to evaluate security while systems age? As your equipment gets older, you may find yourself modifying industrial control systems (ICS) or shop floor automations. These adjustments can alter the amount of risk you face. It’s generally not the intention of a company to implement a design that poses a high security risk, but companies often don’t consider their potential risk exposure. Even if you haven’t made these changes, the threat landscape itself is constantly changing around you.

The premise of Bryan and Chad’s presentation was to shed light on what the risks are, how they can affect an organization, and how to prevent/mitigate the risks.

Are You at Risk?

When OT and IT merge, the potential to cut costs and increase efficiency flourishes. Rehabbing or expanding functionality of your shop floor might seem like a no-brainer, but don’t forget to consider the new security vulnerabilities they may introduce. These modern technologies require connections to a network, and installing connected devices means that you’ve just introduced an offline system to the internet, or you’ve just networked an independent machine with other (potentially more vulnerable) machines. With that comes risk that didn’t exist before.

Programmable Logic Controllers (PLC) are the workhorses of industrial automation. These simple computers help streamline manufacturing and reduce the demand on human capital. If hacked, a PLC can be manipulated to perform an undesirable task, causing damage to equipment or quality of production.

Human Machine Interfaces (HMI) are used to monitor and control machines. HMIs can be programmed to perform almost any function that can be controlled, or information that can be monitored, by a PLC. HMIs and PLCs work in tandem to operate machines. These pieces of equipment are integral in industrial control systems used in manufacturing and utilities operations. When connected to the Internet, HMIs are no longer protected by isolated systems, introducing greater exposure to attack.


In a competitive industry, there’s always a chance that external parties, such as competitors or nation states, might want to infiltrate your organization. Maybe they want to wreak havoc on your company, forcing a shutdown and loss of clientele. They might want to steal inside information and blackmail your organization with their findings. OT used in Public Services or utilities may see actors attempting to provoke terror or fear. There are numerous reasons your organization may be a desirable target.

The addition of new technology can help protect, or audit, an old system, but be mindful that it can also provide an entry point for bad actors. Once a PLC or HMI is connected to an unprotected or inadequately protected network, there is potential for it to be hacked and information lost/stolen. Likewise, if an attacker gains access to the network that’s connected to the HMI on your machine, they may be able to control and monitor that machine.

Risk doesn’t always originate from outside forces; there can be threats within the walls of your organization. Employees often inadvertently create risk through carelessness or misunderstanding. It might be as innocent as an employee needing to charge their phone, seeing an open USB port on a machine, plugging it in, and unknowingly creating an opportunity for the network to be scanned by outside parties. Leaving default configurations or not applying appropriate embedded security controls are other examples of how employees can unconsciously put your organization at risk.

Sometimes employees may be aware of their wrongdoing but continue due to self-interest. Perhaps an employee wants to leave work early on a given day, so they alter (hack) functionality to speed up production.

Then, there’s the bad apple employee who deliberately wants to create chaos. Let’s say you have an employee who wants time off but can’t get approval the conventional way, or they feel underappreciated. They could decide to disrupt production by hacking the network (this hack doesn’t have to be very complicated or technologically advanced), causing a machine to malfunction. Now they get their time off, or possibly fix the machine to become a hero and feel adequately appreciated. Employees continue to baffle management with the lengths they will go to get their way.

Only YOU Can Prevent OT Threats

If your OT technology has been compromised, whether by an external force or someone within your company, the consequences are the same. Your organization could face broken machinery, health and safety concerns, or legal implications (loss of client information or hazardous waste spills).

Every day that goes by without implementing proper OT Security measures is another day of increased security risk. If an incident does happen, it can be detrimental. The time, resources, and cost of rebuilding can not only hinder a company’s production but put an end to it completely.

Having the correct OT Security controls in place can shield your organization and its production immensely. Here are just a few things you can do to increase your organization’s OT Security:

OT Network Monitoring and Asset Discovery (SIEM Reporting)
  • Help identify the source of an attack by proactively implementing thorough event logging within your environment.
Network-based Security
  • Utilize firewalls to help segment and segregate access between and within OT and IT networks.
OT Security Professional Services
  • Defend your OT by proactively performing risk assessments, strategic planning, policy development, and architecture and design


Keeping up in today’s world requires interconnectivity. Adding a new vector of access to a piece of equipment will likely enhance your entire operation. However, without proper security you also enhance your vulnerability to threats. The key to success when converging OT and IT is to evolve your security practices to keep up with the ever-changing threat landscape.

Get our blog posts delivered to your inbox:

The information we track while users are on our websites helps us analyze site traffic, optimize site performance, improve our services, and identify new products and services of interest to our users. To learn more please see our Privacy Policy.