If you’ve received a message from your boss requesting a gift card, it’s probably a phishing attempt. “We’re seeing a rise in gift card scams,” says Conrad Bell, Chief Information Security Officer at C Spire. “Hackers send people emails or text messages in which they pretend to be a supervisor or a senior executive. They trick employees into buying gift cards and sending them the activation codes.” Once the codes are sent, the money is gone.
According to the Federal Trade Commission, nearly 40,000 people reported losing $148 million in gift card scams in 2021. And it’s only getting worse in 2022.
“Remember,” says Bell, “your boss does not need gift cards.” And if anyone asks you to pay for something with a gift card, it’s a scam. Gift cards are for gifts, not payments.
How does the scam work?
STEP 1. The scammer scours the Internet for names and emails of a company's high-ranking supervisors. Corporate websites and LinkedIn are sources for a lot of this information. Job titles, telephone numbers and other important information about the company help disguise malicious requests.
STEP 2. The hacker then targets the supervisor's business account through a variety of tactics. They often spoof the supervisor’s email domain in a way that's difficult to notice. For example, email@example.com is changed to firstname.lastname@example.org. Sometimes they create a fake personal email address through Gmail, Yahoo or another service. They can also spoof a phone number from your area to send a text message.
STEP 3. The request is sent to an employee, asking them to buy gift cards for a random reason and send the gift card numbers and PIN code back via email or text.
What should you do?
- If you get a message from a colleague asking you about gift cards, reach out to the sender in a separate email or call them to check if they actually sent the request.
- Do not reply to the email or use any contact information provided in the email. Attackers will often provide fake numbers or email addresses that they control.
- If you discover the email is a phish, report it to your manager and to reportfraud.ftc.gov.
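For mail administrators, the sender patterns from STEP 2 and the request from STEP 3 can also be screened for before a message reaches an employee. The following Python is an added example, not part of the original article or any C Spire tooling; the corporate domain, executive name, webmail list, keyword pattern and 0.8 similarity threshold are assumptions, and the sample messages are constructed.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; replace with your own organization's.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}                      # display names worth protecting
FREEMAIL = {"gmail.com", "yahoo.com"}          # personal webmail services
REQUEST = re.compile(r"gift\s*cards?|activation codes?|\bPIN\b", re.I)

def sender_reasons(msg):
    """Reasons the From header matches the impersonation patterns in STEP 2."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain == CORP_DOMAIN:
        return []
    reasons = []
    if " ".join(name.lower().split()) in EXECUTIVES:
        reasons.append("executive name on outside address")
    if domain in FREEMAIL:
        reasons.append("personal webmail sender")
    elif SequenceMatcher(None, domain, CORP_DOMAIN).ratio() >= 0.8:
        reasons.append("lookalike of corporate domain")
    return reasons

def triage(raw):
    """Return (hold_for_review, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    reasons = sender_reasons(msg)
    body = "" if msg.is_multipart() else msg.get_payload()  # multipart bodies skipped
    asks = bool(REQUEST.search(msg.get("Subject", "") + "\n" + body))
    if asks:
        reasons.append("gift card request wording")
    # Hold only when a suspicious sender AND a gift card request coincide.
    return (asks and len(reasons) > 1), reasons

# Constructed sample messages (not real mail).
LOOKALIKE = ('From: "Jane Doe" <jane.doe@examp1e.com>\nSubject: Quick favor\n\n'
             "Buy five gift cards and text me the numbers and PIN.\n")
WEBMAIL = ("From: Jane Doe <jdoe.office@gmail.com>\nSubject: Are you free?\n\n"
           "I need gift cards for a client today.\n")
INTERNAL = ("From: Jane Doe <jane.doe@example.com>\nSubject: Raffle\n\n"
            "HR bought gift cards for the raffle.\n")

if __name__ == "__main__":
    for raw in (LOOKALIKE, WEBMAIL, INTERNAL):
        print(triage(raw))
```

A message that forges the exact corporate domain passes this check, so it complements sender authentication results rather than replacing them.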