Coffee Lovers Warned of New Starbucks Phishing Scam – Source: www.infosecurity-magazine.com

A wave of emails masquerading as Starbucks offers have been circulating, promising coffee drinkers a free Starbucks Coffee Lovers Box.

Action Fraud, the UK’s national fraud and cyber reporting center, said it has received over 900 reports about the scam in the past two weeks.

The emails contain malicious links designed to steal personal and financial information or download malware onto personal devices.

Commenting on the high volume of reported emails, David Spencer, Director of Technical Product Management at Immersive Labs, said: “The aim is maximum profit, so it’s a numbers game. The more targets cybercriminals reach, the more clicks they’ll get.” 

Mike Britton, CIO, Abnormal Security, told Infosecurity that the cost of executing a phishing scam such as this is very minimal.

“It simply requires them to create an email that looks similar to a real one from Starbucks and a fake landing page, which they’ll use to steal credentials. From there, they’ll have access to the Starbucks account, plus any other accounts that use the same login credentials. Attackers can quickly send out millions of malicious emails and even if only a tiny fraction of the recipients fall victim, it’s more than worth their time and effort,” Britton noted. 

Speaking to Infosecurity about this scam, Javvad Malik, Lead Security Awareness Advocate at cybersecurity firm KnowBe4, said: “Scammers will impersonate well-known brands because familiarity breeds trust. The mind-games are quite cunning as it relies on how much trust we place on well-known brands.”

Organizations like Starbucks will seldom, if ever, request sensitive information via email, Malik noted. A healthy level of skepticism towards offers that seem too good to be true is a good line of defense.

Earlier in 2024, KnowBe4 highlighted a scam relating to a fake Starbucks Coffee Gift offer.

The email stated that a “friend” had made an order at the coffee company and is now planning to make a “special gift” for the email’s recipient.

In this instance, the malicious attachments hid a variant of the banking Trojan ZeuS, directly attached without any attempt to hide. It would install itself, if opened, as a hard-to-remove rootkit. 

Malik highlighted that scams like this typically contain three main parts. First, establishing credibility or authority, this can be via impersonating brands or claiming to be someone you know, like your organization’s CEO. Second, to invoke an emotional response, like the rush of winning a prize. Finally, creating a sense of urgency is key, for example making the offer time limited.

In these coffee-related scams, Spencer  said to get clicks and details, attackers send the email when people are likely craving coffee and not fully alert. For example early in the morning. 

Malik said: “People should look out for these tactics and when in doubt, report it.”

Action Fraud encourages people to forward suspicious emails to its Suspicious Email Reporting Service (SERS) at reporting@phishing.gov.uk.

Over 32 million phishing emails have been reported to SERS since the campaign launched in 2020 by the National Cyber Security Centre (NCSC) and the City of London Police. Almost 11,611,400 reports were made to SERS in 2023, up from 8,074,200 reports in 2022.