The $500 Gift Card That Nearly Cost Millions: Understanding Executive Email Spoofing

By Andrew Johnston | 27 January 2026

Summary

A seemingly harmless email request from the CEO asking a new employee to purchase gift cards led to a serious security incident. This real-world case study shows how preventable failures and weak email security controls can result in significant financial and reputational damage, underscoring the critical importance of robust email security in modern organisations.


Cybersecurity Expert Insights - How to spot fake emails that can harm your organisation.


When a Simple Request Becomes a Security Catastrophe

Imagine starting your new job, eager to impress the senior leadership team you've just met during your induction. An email arrives from the CEO requesting your help with a simple task: purchasing $500 in gift cards for an urgent staff recognition initiative. What could go wrong?


This scenario isn't hypothetical. It's a true case study from a technology company that demonstrates how a cascade of preventable failures can expose organisations to significant financial and reputational harm. More importantly, it highlights why email security cannot be an afterthought in today's threat landscape.


The Anatomy of a Preventable Breach - The Sequence of Failures

Failure One: Lack of Verification

A newly inducted staff member received an email apparently from the CEO, requesting the purchase of gift cards. Despite having only recently met the executives, the employee did not question why a more senior staff member in the office had not been selected to carry out the task. In environments lacking established security awareness, the desire to appear helpful to senior leadership often overrides critical thinking.


Failure Two: Inadequate Financial Controls

The staff member approached the CFO to ask how to purchase the requested gift cards. Rather than questioning the unusual request or verifying its legitimacy, the CFO provided the employee with a company credit card. This represents a critical breakdown in financial governance and authorisation processes.


Failure Three: Compromising Payment Credentials

The employee then emailed the gift card details, including the PINs, to the fraudulent email address. At no point did the employee question why the CEO would ask them to purchase the gift cards rather than using the corporate credit card. The company's credit card credentials were now in the hands of criminals.


The Root Cause: Systemic Security Deficiency

This incident was not caused by sophisticated hacking or advanced persistent threats. It resulted from fundamental gaps in organisational security posture:


  • No dedicated security oversight (CISO, IT Security Manager, or equivalent role)
  • Absence of security policies and procedures
  • No cybersecurity awareness programme during induction or ongoing training
  • Limited technical controls beyond basic firewalls
  • Lack of email authentication mechanisms
  • No verification procedures for unusual financial requests


The organisation operated under the dangerous assumption that "we have firewalls, so everything is fine", a mindset that leaves significant attack surfaces completely unprotected.


Understanding the Threat Landscape

Types of Email-Based Attacks


1. Phishing: The Scatter-Gun Approach

Phishing campaigns cast a wide net, sending fraudulent emails to large numbers of recipients simultaneously. These emails typically impersonate:


  • Banking institutions
  • Credit card providers
  • Emergency services
  • Taxation authorities (such as Inland Revenue)
  • Vehicle re-registration authorities
  • Technology service providers such as Norton, McAfee, Microsoft, etc.
  • Company executives


The strategy relies on volume – even if only 1-2% of recipients fall victim, the campaign can be highly profitable for attackers. These emails often feature:


  • Legitimate-looking logos and branding
  • Urgent calls to action ("Your account will be suspended")
  • Links to convincing replica websites
  • Requests for credential verification
  • Refund and subscription renewal notices


2. Spear Phishing: The Targeted Strike

Spear phishing represents a more sophisticated approach in which attackers research their targets, drawing on information from:


  • Company websites and staff directories
  • LinkedIn and professional networking sites
  • Social media profiles
  • Previous data breaches
  • Public business records


Using this information, attackers craft highly personalised messages that reference:


  • Specific projects or initiatives
  • Colleague names and relationships
  • Recent company events or changes
  • Industry-specific terminology


This personalisation significantly increases the success rate, as emails appear genuinely relevant to the recipient's role and context.


3. Business Email Compromise (BEC): The Executive Impersonation

BEC attacks specifically target business environments by impersonating executives or trusted business partners. The FBI's Internet Crime Complaint Center (IC3) consistently ranks BEC among the most financially damaging cybercrimes, with global losses exceeding billions of dollars annually.


Common BEC scenarios include:


  • CEO requesting urgent wire transfers
  • CFO authorising payment to new vendor accounts
  • HR requesting employee personal information updates
  • Executive requesting gift card purchases (as in our case study)


Red Flags: Identifying Fraudulent Emails

Even sophisticated attacks often contain telltale signs:


  • Inconsistent sentence structure
  • Grammatical errors unusual for the purported sender
  • Spelling mistakes (particularly in sender names or company terms)
  • Unusual formatting or fonts
  • Lack of email signature or incorrect signature format


Technical Indicators:


  • Domain mismatches: The text after the "@" symbol does not match official company domains
  • Free email services: Executives using Gmail, Hotmail, Outlook.com, or Yahoo for business communications
  • Display name spoofing: The displayed name appears correct, but the actual email address is different
  • Suspicious reply-to addresses: Response emails directed to addresses different from the sender


Contextual Anomalies:


  • Unusual urgency or secrecy
  • Requests that bypass normal procedures
  • Financial transactions outside established workflows
  • Requests for personal information already held by the organisation
  • Communication via unusual channels (e.g., executive suddenly using personal email)


The Technical Exploitation: How Attackers Make It Look Real

SMTP Open Relay: The Forgotten Vulnerability


One of the most dangerous technical oversights enabling email spoofing is the SMTP Open Relay. Understanding this vulnerability requires understanding how email systems work.


What is SMTP?


Simple Mail Transfer Protocol (SMTP) is the standard protocol for sending emails across the internet. SMTP servers are responsible for routing email from sender to recipient. Under normal, secure configuration, an SMTP server should only accept and relay emails from authenticated users or trusted systems.


The Open Relay Problem


An SMTP Open Relay occurs when an email server is configured to accept and forward emails from any source to any destination without authentication. This means:


  1. Anyone can use the server to send emails
  2. No credentials are required to relay messages
  3. The emails appear to originate from the organisation's legitimate domain
  4. Standard security controls may not flag these emails as suspicious


Why This Matters for Email Spoofing


When an organisation has an improperly configured SMTP server, attackers can:


  • Send emails that genuinely originate from the company's mail infrastructure
  • Bypass basic email authentication checks
  • Create emails that pass spam filters
  • Make the "From" address completely legitimate at the technical level


In our case study, if the technology company had an SMTP Open Relay vulnerability, the fraudulent CEO email could have come through their own mail servers, making it technically indistinguishable from legitimate internal communications.
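To show what the open relay condition looks like in practice, here is an added configuration example (not from the original post) using Postfix main.cf directives: the weak setting that relays for anyone, followed by the corrected form. The network ranges are placeholders, and the two variants are shown together only for comparison; a real main.cf would contain one set.

```ini
# --- WEAK: every client on the internet counts as "trusted", so the server
# relays mail from any source to any destination with no authentication.
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks, permit

# --- CORRECTED: trust only loopback and the office LAN (placeholder range),
# require SASL authentication for everyone else, and refuse to relay for
# destinations this server is not responsible for.
mynetworks = 127.0.0.0/8, [::1]/128, 192.0.2.0/24
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
```

After a change like this, a mail administrator should confirm from the server's own logs that unauthenticated submissions to external domains are now rejected with "Relay access denied".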


How Attackers Discover Open Relays

Cybercriminals use automated tools to scan the internet for mail servers, testing whether they accept unauthenticated relay requests. Once identified, these servers may be:


  • Added to databases shared among criminal networks
  • Used repeatedly for various fraud campaigns
  • Exploited until the vulnerability is remediated


Email Authentication Failures: The Missing Safety Net

SPF (Sender Policy Framework) Deficiencies

SPF is a DNS-based authentication mechanism that specifies which mail servers are authorised to send email on behalf of a domain. Without proper SPF records:


  • Recipients cannot verify whether an email genuinely came from your domain
  • Attackers can easily spoof your domain to target your own staff or customers
  • Legitimate emails may be marked as spam while fraudulent ones pass through


Conclusion: From Vulnerability to Vigilance

The $500 gift card incident could have resulted in far greater losses, potentially exposing the organisation to ongoing fraud, data breaches, or regulatory consequences. It serves as a stark reminder that email security is not merely a technical problem requiring technical solutions, but an organisational challenge demanding attention across people, processes, and technology.


New Zealand organisations face the same email-based threats as their international counterparts, but often with smaller security teams and more limited resources. This makes it even more critical to implement layered defences, foster security-aware cultures, and engage with local security expertise when needed.


The good news? Email security does not require unlimited budgets or large security teams. It requires commitment from leadership, basic technical hygiene, clear policies and procedures, and staff who understand the threats and know how to respond.


Do not wait for a major financial incident before acting; that is a costly mistake. By the time the problem is recognised, the damage may already be done.


Need Help Securing Your Email Environment?

At Liverton Security, we help organisations build robust defences against email-based threats. Our services include:


  • Email security applications, MailAdviser and SmartGate, providing warnings and checks aligned with business best practices and customised for your business
  • LiveDMARC, for defining email authentication policy, verifying sender authenticity, and reporting
  • Email security assessments identifying vulnerabilities such as SMTP Open Relay and authentication gaps
  • Security awareness training tailored to your organisation
  • Policy and procedure development aligned with NZISM, PSR, and international standards
  • Incident response planning for email compromise scenarios
  • Ongoing security advisory services for SMBs and local government


Contact Liverton Security for a confidential conversation about your email security posture and practical steps to strengthen your defences.





About Liverton Security


Digital technology has greatly expanded opportunities for businesses, but has also introduced complex security threats that organisations cannot ignore. Protecting people, critical data, and entire organisations requires proactive and continuous security strategies.


As an influential and respected leader in global cybersecurity, Liverton Security specialises in helping businesses and government organisations neutralise evolving cyber threats in the digital age.

