Everybody loves a giveaway.

No one likes a giveaway that’s actually a scam.

That’s what we found in a new hacker-led campaign.

The idea sounds nice: A teacher emails a school community, notifying them that they are looking to give away their late father’s piano. The subject indicates that it’s free.

The hacker wants to give the piano to a loving home. Who wants a high-quality, free piano?

Of course, there’s more than meets the eye and the real aim is to garner shipping fees from the recipient.

In this attack brief, researchers at Avanan, a Check Point Company, will discuss how a quaint seeming email is actually a pretense to steal money. 


In this attack, hackers are spoofing a school employee, in this case, a teacher, and claiming that they have a free piano to give way.

  • Vector: Email
  • Type: Business Email Compromise
  • Techniques: Social Engineering
  • Target: Any end-user

Email Example #1

This email, sent via BCC, is sent to thousands of recipients. The campaign, though, starts earlier, by targeting teachers at high schools or colleges in credential harvesting campaigns. Once the credentials are stolen, then the hackers can send emails asking to take a piano off their hands. Once an interested party texts the number provided, they will find that taking the piano comes with a shipping fee of around $500. 


This email is a great example of social engineering. Should a recipient want a piano, it’s an appealing option. Who says no to free, especially when it takes the piano off the hands of a grieving person? 

Of course, there’s a catch, and that’s where the hacker strikes. Once the conversation is taken off email and to text message, the recipient will find that the hacker demands a shipping fee of about $500.

This campaign is interesting for a few reasons. For one, it starts way before the email is sent. Hackers are targeting teachers at high schools and universities. They are sending standard credential harvesting campaigns. Once they steal the credentials of the teacher, they can begin sending these emails to thousands of recipients at a given school. Sent via BCC, it’s an easy way to send a message to thousands. 

Though the end-user has to go through a few steps to accept the piano, it’s a worthy try with low risk for the hacker. They can easily send it to thousands. All they need is one person to say yes. 

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Always check reply-to addresses to make sure they match
  • If ever unsure about an email, ask the original sender
  • Be wary about emails that ask to continue the conversation via text message or WhatsApp