You're Not My Supervisor!
Researching My Own New Starter Scam

Category: Behind the Exploit
By Oliver Simonnet

TLDR

Earlier this year I joined the team at CultureAI, and like many, I shared the news on LinkedIn. Within weeks, I found myself at the receiving end of multiple phishing emails impersonating our CEO designed to exploit new employees. But rather than ignoring them, I thought it could be fun to play along, see where the rabbit hole led, and deep dive into the world of BEC and Gift Card scams.

A New Starter’s Nightmare

Imagine it’s your first week at a new job! You’re eager to impress and an urgent email from the “CEO” lands in your inbox. The big boss needs you to do a quick favour and purchase several gift cards for “customer appreciation handouts”. Before you know it, you’re exchanging WhatsApp messages and grabbing gift cards from the shop. Only later do you realise you’ve been scammed by an attacker.

This scenario is alarmingly common, as scammers target new starters, exploiting their willingness to please and comply with authority. They’re not afraid to target cybersecurity professionals either, as I found myself receiving multiple new starter phishing emails when I joined CultureAI.

So, inspired by my own attackers, I decided to explore how these phishing scams work, why gift cards are used, and why WhatsApp has become their go-to tool.

How Are New Starters Identified?

On the 13th of January 2025 I publicly announced my new position as Lead Cybersecurity Researcher at CultureAI. At the same time, scammers were ready, scraping LinkedIn for fresh targets in their ongoing new starter campaigns.

Having worked in cybersecurity for a while, I know that anything we share online can be leveraged by attackers. But how do scammers identify new employees, craft believable pretexts, and send phishing emails so quickly - sometimes before you've even accessed your corporate email account?

It may seem as though scammers are monitoring you personally, but this is unlikely to be the case. Instead, they use legitimate commercial lead generation services combined with automated tools that scan social media for job updates and profile changes. These tools collect names, job titles, and company details, making it easy to generate probable corporate email addresses (e.g., first.last@company.com) for the initial contact phase of their attack.

With access to this information, attackers can create convincing emails that impersonate senior members of the team to pressure new starters into complying with their requests.

The Phishing Emails Arrive

When I joined the company, I quickly received five emails claiming to be from our Founder and CEO, James Moore. They weren’t exactly sophisticated - and in this case were blocked - but they were interesting and followed classic phishing tactics: brevity, urgency, and an attempt to catch the recipient off guard. Here is one example:

From: James Moore <domainoutlooks@gmail.com>
Subject: VERY IMPORTANT!!!

HEY Oliver

Do you have a minute? I'm tied up in a conference call meeting and there 
is something I would want you to do requiring swift action. Kindly send 
me your whatsapp number here so i would brief you on what to do,

THANKS

An urgent message from a high-ranking individual and a request to move the conversation to WhatsApp? That was textbook phishing. While I personally recognised this, many new employees unfamiliar with internal processes could easily fall for such an attack, especially during that initial period when you feel under pressure starting a new role.

In addition to the above, I also received similar emails from:

  • contact@homehealthbilling.com

  • hello.serviceswebcareline@gmail.com

  • officebox7261@gmail.com

  • omowaleidris709@gmail.com

Engaging with the Scammers

To investigate, I grabbed a new SIM card and responded as though I had taken the bait. My goal was to see what the attackers were after. Would they send a malicious payload? Try to extract credentials? Something more elaborate and interesting?

To: domainoutlooks@gmail.com
Subject: RE: VERY IMPORTANT!!!

Hey James

Sorry. Just seen these emails.

Back from holiday now though. Dunno if you got what you were after 
sorted but my WhatsApp is:

[...MOBILE...]

Cheers,
- Ollie

Within minutes I received... the classic Apple Gift Card scam (Typical!)

Once I moved the conversation to WhatsApp, the scammer - still impersonating James - told me they needed me to purchase [Apple] gift cards immediately as handouts for an urgent presentation. Disappointingly predictable, but an important reminder that simple financial scams remain prevalent:

[Image: WhatsApp messages from the scammer, still posing as James, asking for Apple gift cards]

This wasn’t the sophisticated cyber-espionage attempt I wanted to dig into, but let’s see what we can learn from this.

The Bigger Picture: Why do this?

I am fortunate enough that I can recognise these types of attacks, allowing me to go into the exchange willingly with my eyes wide open. However, many aspects of these attacks may not be obvious to a large percentage of victims, and targeted users might wonder why scammers would even operate in this way.

They’re organised

You might assume that scammers are just one person sitting with a phone somewhere, sending emails and making calls and hoping for the best. But this is not the case at all. These attacks are often run by well-organised criminal networks operating like a regular business.

In 2019, research by Agari found that the Nigerian BEC group “London Blue” consisted of multiple divisions, including divisions for lead generation, social engineering / phishing, financial operations, and HR.

In 2021, Europol found that a BEC network they dismantled operated with a "pyramid structure", where members specialised in different tasks. This included computer "experts" for creating phishing emails and fake domains, impersonators to handle victim communications, recruiters to manage money mules, and money-laundering / crypto experts to convert their proceeds.

Why target new starters?

You might assume that a new starter’s eagerness to make a good impression increases their likelihood of falling victim to social engineering attacks designed to manipulate them into taking quick, unquestioned actions. And you’d be right!

A 2025 report by Keepnet found that new starters were 44% more likely to fall victim to phishing and social engineering attacks during their first 90 days at a new job. This is not surprising, as new starters are often unfamiliar with internal processes, making them more likely to comply with urgent requests from senior staff. Additionally, many new employees have yet to meet their colleagues, making it easier for scammers to impersonate others without raising suspicion.

Why use WhatsApp?

WhatsApp is an incredibly popular messaging platform, with 79% of internet users aged 16-65 in the UK alone using it regularly. This widespread use makes it a highly attractive tool for attackers. A 2022 data leak exposed 500 million WhatsApp phone numbers, making it even easier for attackers to target WhatsApp users directly.

But why would attackers seek to shift communication from email to WhatsApp after establishing initial contact? There are two key reasons:

  • First, as discussed, many criminal groups operate with dedicated teams responsible for specific tasks. One team might focus on sending phishing emails, whilst another handles the actual scam itself. If the phishing team succeeds, the victim can be handed off to a "closer" who can orchestrate the main scam via WhatsApp.

  • Second, switching to WhatsApp provides end-to-end encryption and helps attackers maintain access to their targets. Corporate email is monitored, may trigger security alerts, or may be blocked once suspicious activity is detected. WhatsApp provides an unrestricted and direct line of communication to the victim, reducing the risk of losing contact mid-scam.

Why Gift Cards?

Historically, Business Email Compromise (BEC) scams primarily focused on fraudulent bank transactions. However, over the years scammers have increasingly turned to gift cards as their preferred method of fraud, with the gift card now being a signature of BEC. This initial shift was observed between 2017 and 2018, when the FBI reported a huge 1,250% increase in gift card related BEC scams; nearly two-thirds of all reported BEC attacks now leverage gift cards.

Unlike traditional bank transactions, gift cards offer anonymity, are difficult to trace, and can easily be resold or redeemed. Once the serial numbers are shared, the funds are virtually irretrievable and can easily be sold locally or via cryptocurrency exchanges. This fast, untraceable payout for criminals ensures that the gift card scam isn’t going anywhere anytime soon.

Even now, these scams continue to rise. In 2023, the FBI’s IC3 report outlined a sharp surge in BEC-related losses, reaching $2.94 billion - a staggering 58% jump from $1.87 billion in 2020. Furthermore, a 2024 report by the Better Business Bureau found an additional 50% increase in gift card fraud compared to 2023.

Defending Against These Attacks

Phishing and social engineering scams aren’t going anywhere and will continue to evolve. Awareness training alone is not enough; it is crucial that organisations adopt a multi-layered defence strategy, including:

Mindset change:

  • Be sceptical of urgent requests: if your “CEO” is asking for gift cards via WhatsApp, something is wrong.

  • Verify unusual requests through a separate channel or a trusted colleague.

Secure Your Online Presence:

  • Limit the amount of personal information shared in social media posts.

  • Restrict your social media privacy settings to limit who can see your updates and personal information.

Implement Technical Controls:

  • Configure DMARC, SPF, and DKIM to prevent email spoofing.

  • Deploy email filtering rules to flag impersonation attempts.
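SPF, DKIM and DMARC protect your own domain, but the email quoted earlier came from a genuine gmail.com account carrying the CEO's display name, which passes all three. The filtering rule therefore has to look at the name/domain mismatch and the pretext itself. The Python check below is an added example written for this post, not CultureAI's product or the author's tooling; the executive list and the corporate domain example-corp.com are constructed placeholders, and the sample messages are constructed from the email quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed lookup tables (assumptions); in practice fed from the HR directory.
EXECUTIVES = {"james moore"}
CORPORATE_DOMAINS = {"example-corp.com"}  # placeholder for the real company domain
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Pretext phrases from the emails above: urgency, move off email, gift card ask.
PRETEXT_PATTERNS = {
    "urgency": re.compile(r"\b(urgent|swift action|very important|asap)\b", re.I),
    "channel_switch": re.compile(r"\b(whatsapp|personal (number|cell)|text me)\b", re.I),
    "gift_card": re.compile(r"\bgift ?cards?\b", re.I),
}

def analyse_message(raw: str) -> dict:
    """Flag display-name impersonation and BEC pretext in one raw email."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if msg.is_multipart():
        body = " ".join(p.get_payload() for p in msg.walk()
                        if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    indicators = []
    # SPF/DKIM/DMARC only vouch for the sending domain: a real Gmail account with
    # an executive's display name passes all three, so check the mismatch here.
    if display_name.strip().lower() in EXECUTIVES and domain not in CORPORATE_DOMAINS:
        indicators.append("exec_name_external_domain")
    if domain in FREE_MAIL_DOMAINS:
        indicators.append("free_mail_sender")
    indicators += [label for label, rx in PRETEXT_PATTERNS.items() if rx.search(text)]
    if "exec_name_external_domain" in indicators:
        verdict = "block"
    elif len(indicators) >= 2:
        verdict = "flag_for_review"
    else:
        verdict = "allow"
    return {"from": address, "indicators": indicators, "verdict": verdict}

# Constructed samples: the message quoted above, and a benign internal email.
PHISH = ("From: James Moore <domainoutlooks@gmail.com>\nSubject: VERY IMPORTANT!!!\n\n"
         "Do you have a minute? I'm tied up in a conference call meeting and there is "
         "something I would want you to do requiring swift action. Kindly send me your "
         "whatsapp number here so i would brief you on what to do,\n")
BENIGN = ("From: James Moore <james.moore@example-corp.com>\nSubject: Welcome aboard\n\n"
          "Hi Oliver, great to have you on the team. Coffee this week?\n")
```

Running `analyse_message(PHISH)` returns a `block` verdict with the executive-name mismatch, free-mail sender, urgency and channel-switch indicators, while the benign internal welcome is allowed with no indicators.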

Adopt Human Risk Management (HRM) Solutions:

  • Adopt HRM technologies that detect and intervene with attacks in real-time.

  • Utilise AI-driven security solutions that assess the context and intent of communications.

Conclusion

This phishing campaign reminded me just how quickly and easily attackers exploit publicly available information to launch targeted attacks. By leveraging job announcements and impersonating authority figures, they rapidly create scams designed to pressure new unsuspecting employees into compliance.

The increasing shift to WhatsApp highlights an evolving approach to bypassing security controls, while the continued use of gift cards demonstrates how attackers prioritise low-risk, high-reward methods, even in a world where cryptocurrency scams could yield higher returns.

Technical controls are essential, but they must be paired with proactive Human Risk Management (HRM) technologies. Organisations must prioritise safeguarding new employees before they fall victim to these evolving and persistent cyber threats.

References

Fortra - How BEC Scammers Validate New Targets with Blank Emails

https://emailsecurity.fortra.com/blog/how-bec-scammers-validate-new-targets-blank-emails

Threatpost - BEC Scam Gang London Blue Evolves Tactics, Targets

https://threatpost.com/bec-scam-gang-london-blue-evolves-tactics-targets/143440/

Europol - 106 arrested in a sting against online fraudsters

https://www.europol.europa.eu/media-press/newsroom/news/106-arrested-in-sting-against-online-fraudsters

Keepnet Labs - Top 40 Phishing Statistics and Trends You Must Know in 2025

https://keepnetlabs.com/blog/top-phishing-statistics-and-trends-you-must-know

Sinch - The most popular messaging apps in the world by country

https://sinch.com/blog/most-popular-messaging-apps-in-the-world

Bitdefender - 500 million WhatsApp mobile phone numbers are up for grabs on the dark web

https://www.bitdefender.com/en-us/blog/hotforsecurity/500-million-whatsapp-mobile-phone-numbers-are-up-for-grabs-on-the-dark-web

Proofpoint - Understanding BEC Scams: Gift Card Scams

https://www.proofpoint.com/us/blog/threat-protection/understanding-bec-scams-gift-card-scams

KnowBe4 - Gift Cards Are Now the #1 BEC Cash-Out Mechanism for Fraudsters

https://blog.knowbe4.com/gift-cards-are-now-the-1-business-email-compromise-cash-out-mechanism-for-fraudsters

FBI IC3 - FBI Internet Crime Report 2023

https://www.ic3.gov/AnnualReport/Reports/2023_IC3Report.pdf

The SSL Store - A Look at U.S. Business Email Compromise Statistics (2024)

https://www.thesslstore.com/blog/business-email-compromise-statistics/

BBB - Growth of gift card scams causes retailers to innovate solutions

https://www.bbb.org/article/investigations/29516-bbb-study-growth-of-gift-card-scams-causes-retailers-to-innovate-solutions
