
The Gift Card BEC: How CEO Impersonation Stole From SMBs Last Year

By SO Email Security | 10 min read

The Gift Card Business Email Compromise scam is the most common BEC variant targeting small businesses, with the FBI tracking thousands of cases per year. The pattern is consistent: an attacker impersonates a CEO or executive over email and asks an employee to buy gift cards for a vendor, client, or fake reward program. This is the complete guide to the pattern, the verification protocol that stops it, and what to do if your team has already been hit.




What Is Gift Card BEC?

Gift Card BEC (Business Email Compromise) is a phishing variant where an attacker impersonates a senior executive (most often the CEO) over email and asks an employee to buy gift cards. The framing varies. Sometimes the request is positioned as a surprise reward for the team. Sometimes it's framed as a gift for a vendor or client. Sometimes it's a confidential thank-you for a board member. The structure underneath is always the same: someone with apparent authority asks someone with purchasing access to buy gift cards quickly and quietly, then send the codes back via email.

The FBI's Internet Crime Complaint Center (IC3) tracks thousands of Gift Card BEC incidents per year. Average losses run between $1,500 and $5,000 per incident, lower than wire fraud BEC but with much higher volume. For small businesses, Gift Card BEC is more common than every other variant of CEO fraud combined.

The pattern is one of the most consistently successful phishing techniques because it exploits four specific structural weaknesses in how SMBs handle small-dollar requests. This post walks through the pattern in detail, the seven elements that make it work, the verification protocol that stops it, and what to do if your team has already been hit.


Why Gift Card BEC Works So Well

Four structural reasons make Gift Card BEC the most common BEC variant for small businesses.

The dollar amounts are below standard verification thresholds. Most SMB finance protocols require dual approval for wire transfers over $10,000 or vendor payments over $5,000. Gift card requests typically come in at $200-$2,000 per ask, comfortably below those thresholds. The employee sees the request as routine spending, not a financial decision requiring escalation.

Gift cards are an irreversible payment method. Once a gift card code is purchased and the code is sent via email, the money is functionally gone. Unlike wire transfers (which can sometimes be recalled within the first 24-72 hours) or credit card payments (which can be charged back), gift card transactions cannot be reversed by the buyer's bank. The attacker converts the card balance to other forms within hours of receiving the codes.

The request is plausible because executives genuinely do this sometimes. Real executives occasionally do buy gift cards for team rewards, client thank-yous, or holiday bonuses. The request itself isn't suspicious on its face. An employee who has worked at a company for two years has likely seen a real version of this request at some point. The attacker exploits that prior legitimacy.

The verification step (calling the CEO) feels rude or unnecessary. When a CEO emails saying "drop everything and grab some gift cards for me, urgent," the employee's instinct is to comply quickly to avoid annoying the boss. Calling to verify feels like questioning the CEO's authority or wasting their time. This social friction is the exact dynamic the attacker is engineering.

The combination means Gift Card BEC converts at higher rates than almost any other phishing variant per email sent. A campaign that hits a hundred SMB employees might convert two or three. Each conversion produces $1,500-$5,000 in losses. The economics of the attack are highly favorable for the attacker.


The Seven Structural Elements

Every successful Gift Card BEC email shares the same seven structural elements. Recognizing them is the first defense.

Element 1: Impersonated authority. The sender purports to be a senior executive with authority to make purchasing requests. The display name matches the executive's exactly. The email signature matches their usual format. The writing voice approximates their tone (sometimes generated by training a language model on their public LinkedIn posts or interviews).

Element 2: A spoofed or lookalike email address. The sending domain is rarely the company's actual domain, because that would require the attacker to compromise an employee account first. Instead, the sender uses a personal-looking address (ceo.firstname@gmail.com), a lookalike of the company domain (ceo@companynarne.com with rn instead of m), or a domain registered yesterday that visually resembles the real one. Hovering over the sender name reveals the actual address, but few employees check.

Element 3: A "quick favor" framing. The request is framed as a personal favor or small task, not a formal procurement request. "Hey, are you in the office?" "Can you do me a quick favor?" "I need you to handle something for me confidentially." The casual framing positions the recipient as a trusted helper, not a transactional vendor.

Element 4: Time pressure that discourages verification. Every Gift Card BEC includes urgency. "I need this in the next hour." "Before the team meeting at 3pm." "Before I get on a flight." The urgency is calibrated to be tight enough to discourage calling for verification but not so tight as to seem absurd. Two hours is common.

Element 5: A confidentiality request. Most Gift Card BECs explicitly ask the recipient to keep the request confidential. "Don't mention this to anyone yet, it's a surprise." "Keep this between us until I announce it." "I don't want the rest of the team to know about this gift." The confidentiality framing prevents the recipient from asking colleagues whether the request seems legitimate, isolating them from the social verification network.

Element 6: A specific gift card brand and dollar amount. The request typically names a specific brand (Apple, Google Play, Amazon, Steam) and a specific dollar amount per card ($100, $200, $500), with a specific number of cards (often 5-10). The specificity creates the impression of a real, planned purchase. Apple gift cards are the most common ask because they're easy to liquidate on secondary markets and difficult to track.

Element 7: A request to send card codes via email or photo. The final step asks the employee to scratch off the gift card codes and send them via email, or to text photos of the codes. This is the critical handoff: once the codes are in the attacker's hands, the money is gone within minutes. Some campaigns ask for the receipts as well, to make the request seem more procurement-formal.

A real executive request for gift cards would typically include none of these elements stacked together. A real request goes through procurement processes, mentions specific recipients by name, doesn't include urgency, and doesn't ask for codes via email.


A Real-Looking Example

Here's a representative Gift Card BEC email, anonymized but matching the pattern thousands of SMB employees received last year.

Subject: Quick request

Hey,

Are you at your desk? I need your help with something quickly. We have a few clients I want to thank this week and I'd like to send them Apple gift cards. Can you pick up 10 cards at $200 each from the nearest Apple Store or Best Buy?

Once you have them, please scratch off the back and email me the codes. I'll process the reimbursement later this week. This is a surprise so please don't mention it to anyone else on the team.

Need to handle this before my flight at 4pm. Thanks for jumping on this.

[CEO Name]
Sent from my iPhone

The email has all seven structural elements. Impersonated authority (the CEO's name). Spoofed sender (the actual address would be something like ceo.realname.work@gmail.com, not the company domain). Quick favor framing ("I need your help with something quickly"). Time pressure ("Need to handle this before my flight at 4pm"). Confidentiality request ("please don't mention it"). Specific brand and amount ($200 Apple gift cards, 10 cards = $2,000 total). Code-via-email handoff.

A finance employee receiving this email under normal Thursday-afternoon conditions has roughly a 2-3% chance of complying based on aggregated industry data. That conversion rate is what makes the attack economically viable.
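As an added illustration (not Ṣọ's code and not from the original post), the following Python scorer runs the seven structural elements above as mechanical checks over a raw email, using the sample message as constructed input. The company domain, the executive directory and the From header (which uses the "rn for m" lookalike domain from Element 2) are assumptions; the phrase lists are deliberately short and would need tuning against real mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "companyname.com"                    # assumed real domain
EXECUTIVES = {"pat example": "pat@companyname.com"}   # assumed exec directory

# Constructed sample: the anonymized email quoted above, with a hypothetical
# From header that uses the "rn instead of m" lookalike domain from Element 2.
SAMPLE = """\
From: Pat Example <ceo@companynarne.com>
To: finance@companyname.com
Subject: Quick request

Hey,

Are you at your desk? I need your help with something quickly. We have a few clients I want to thank this week and I'd like to send them Apple gift cards. Can you pick up 10 cards at $200 each from the nearest Apple Store or Best Buy?

Once you have them, please scratch off the back and email me the codes. I'll process the reimbursement later this week. This is a surprise so please don't mention it to anyone else on the team.

Need to handle this before my flight at 4pm. Thanks for jumping on this.

Pat Example
Sent from my iPhone
"""

def normalize_homoglyphs(domain):
    """Collapse common visual substitutions (rn->m, vv->w, 0->o, 1->l) so a
    lookalike domain compares equal to the real one."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(fake, real)
    return d

PATTERNS = {  # Elements 3-7 as phrase patterns (body is lowercased first)
    "quick_favor": r"\b(quick favou?r|are you (at your desk|in the office)|help with something)\b",
    "urgency": r"\b(before my flight|next hour|asap|urgent|right away)\b",
    "confidentiality": r"\b(don'?t mention|keep this between us|surprise|confidential)\b",
    "gift_card_ask": r"\b(apple|google play|amazon|steam)\b.{0,40}\bgift cards?\b|\b\d+ cards at \$\d+",
    "codes_by_email": r"\b(scratch off|email me the codes|send (me )?the codes|photos? of the codes?)\b",
}

def score_gift_card_bec(raw):
    """Return (score, hits): how many of the structural signals the message shows."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    key_name = name.strip().lower()
    domain = addr.rsplit("@", 1)[-1].lower()
    body = " ".join(msg.get_payload().lower().split())  # collapse whitespace
    hits = {}
    # Element 1: display name of a known executive, but not sent from their real address
    hits["impersonated_authority"] = key_name in EXECUTIVES and addr.lower() != EXECUTIVES[key_name]
    # Element 2: off-domain sender, and specifically a homoglyph lookalike of the real domain
    hits["sender_domain_mismatch"] = domain != COMPANY_DOMAIN
    hits["lookalike_domain"] = (hits["sender_domain_mismatch"]
                                and normalize_homoglyphs(domain) == normalize_homoglyphs(COMPANY_DOMAIN))
    for key, pattern in PATTERNS.items():
        hits[key] = re.search(pattern, body) is not None
    return sum(hits.values()), hits

if __name__ == "__main__":
    print(score_gift_card_bec(SAMPLE))
```

A message from the real executive address with none of the phrase patterns scores 0, so the score is only a triage aid; the phone call in the protocol below remains the actual decision.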


The Verification Protocol That Stops It

A single verification habit prevents nearly every Gift Card BEC. The protocol has three parts.

Part 1: For any unusual financial request from an executive, call them directly using a phone number you already have, not a number provided in the email.

The phone call is the verification step the attacker is engineering you to skip. Five minutes of awkward conversation prevents thousands of dollars of loss. Use the phone number stored in your contacts from before the email arrived. Do not use any phone number provided in the email itself; attackers sometimes include their own number for "verification" calls.

If the executive isn't reachable by phone, escalate to a senior peer (CFO, COO, ops lead) who can also verify. The point is to get human voice confirmation through a channel the attacker doesn't control.

Part 2: If voice verification isn't possible, reply to the email asking a verification question only the real executive would know.

Examples: "Can you remind me which client you mentioned wanting to thank?" or "Should I use the same vendor we used for the team birthday gifts last quarter?" The attacker won't have specific context to answer correctly. Their response will be vague ("just any client" or "yes, that vendor is fine") or will pivot back to urgency ("just need this done quickly, please grab the cards").

If you don't get a context-specific answer, treat the request as fraudulent.

Part 3: Never send gift card codes via email or photo, regardless of the requester's authority.

This is the single most important rule. Even if the request is from a real executive, even if you've verified by phone, even if the request is genuinely legitimate, the practice of emailing gift card codes is bad security hygiene. Real legitimate gift card distributions go through procurement, get tracked formally, and reach recipients through secure channels (employee email systems, formal client gift programs, etc.). If a real executive ever asks you to email them gift card codes, the answer is "I'd be happy to help, can we set up a quick call to walk through the process so I can do this properly?"

The protocol takes ten minutes to learn and prevents most Gift Card BEC. Teams that have implemented it across procurement, finance, and admin staff report near-zero successful Gift Card BEC incidents.


What Makes Gift Card BEC Different from Wire Fraud BEC

Understanding the difference helps calibrate your defenses.

Wire fraud BEC targets bank wire transfers, often invoice-related ($10,000 to $5M per incident). The pattern usually involves vendor impersonation or invoice manipulation. The defense is the 5-Minute Verification Protocol we covered in our 5-Min BEC Verification Protocol post. Average losses are higher per incident but volume is lower.

Gift Card BEC targets small-dollar gift card purchases ($1,500 to $5,000 per incident). The pattern usually involves CEO/executive impersonation. The defense is the verification protocol above plus the rule that gift card codes never travel via email. Average losses are lower per incident but volume is much higher.

A small business should defend against both. The structural difference matters because the verification thresholds are different. Wire fraud requires escalation through finance; Gift Card BEC requires a verification habit at the individual employee level, because there's no formal process to escalate to.


What to Do If Your Team Has Already Been Hit

If you discover a Gift Card BEC within the first few hours, take three immediate actions.

Action 1: Try to recall the gift cards through the issuer. Apple, Google Play, Amazon, and most major gift card issuers have fraud teams that can sometimes freeze unredeemed balances if reported within 24 hours. The recovery rate is low (typically 10-20% of cases) but the cost of trying is just a phone call.

For Apple gift cards: 1-800-275-2273
For Google Play: support.google.com/googleplay
For Amazon: amazon.com/gp/help/customer/contact-us
For Steam: help.steampowered.com

Action 2: Report to the FBI's Internet Crime Complaint Center (IC3). File a report at ic3.gov within 72 hours. Include the original phishing email (with full headers if possible), the gift card purchase receipts, and any communication with the attacker after the codes were sent. The FBI tracks Gift Card BEC patterns in aggregate, and your report contributes to investigations even if individual recovery is unlikely.

Action 3: Notify your team and reset the verification habit. Send a clear, blame-free internal email explaining what happened, what made the request convincing, and what the verification protocol is going forward. The goal is to convert the incident into team-wide awareness, not to punish the individual. Most Gift Card BEC victims feel ashamed and try to minimize the incident, which prevents the team from learning the pattern. Open communication is the antidote.

If the loss is large enough to affect the business materially, consider engaging outside counsel and your business insurance provider. Some commercial insurance policies cover Gift Card BEC under cybercrime or social engineering riders.


How Ṣọ Catches Gift Card BEC

Ṣọ's email scanner runs the same checks above automatically, on every email, before you see it. Display name impersonation detection. Sender domain mismatch flagging. Lookalike domain pattern matching. Urgency language detection. "Quick favor" framing identification. Each signal contributes to a verdict that appears in your inbox before you have to make a decision about whether to comply with the request.

The Free tier includes basic threat scanning, phishing and spoofing detection, and dark web breach monitoring at no cost, no credit card, no time limit. For Gift Card BEC specifically, the Free tier covers the core detection layer.

For teams of three or more who handle finance or procurement, the Team tier adds shared admin policies and threat alerts across the team. When one team member receives a Gift Card BEC and reports it, the entire team gets a heads-up if a similar pattern hits other inboxes.

Don't let a fake CEO email cost your team thousands. Install Ṣọ in 2 minutes at soemailsecurity.com.


Frequently Asked Questions

How is Gift Card BEC different from regular CEO fraud?

Gift Card BEC is a specific subtype of CEO fraud (or executive impersonation) focused on the gift card payment method. Other CEO fraud variants include wire transfer requests, payroll redirect requests, vendor payment changes, and W-2 information requests. Gift Card BEC is the most common variant by volume because the dollar amounts stay below standard verification thresholds.

Why don't standard email security filters catch this?

Many do, but the false negative rate is higher than for other phishing types because the email content itself often contains no malicious links or attachments. The fraud happens entirely through the human conversation. Filters that rely on link analysis or attachment scanning miss it. Filters that analyze sender reputation, display name spoofing, and request patterns catch more, but only if those layers are configured. SMB-grade email security often skips these layers due to false positive concerns.

Can my company recover the money through bank fraud protections?

Usually no. Bank fraud protections (Reg E in the US, equivalent regulations in Canada and EU) cover unauthorized transactions. A Gift Card BEC purchase is an authorized transaction made by the legitimate cardholder under fraudulent pretenses, which is typically not covered. Some commercial insurance policies cover this under social engineering or cybercrime riders. Check with your insurance broker.

What if the fraudulent email actually came from the CEO's compromised account?

If the attacker has access to the CEO's actual email account, the email comes from the real domain and sender, defeating most domain-based detection. This is a more serious incident requiring immediate IT response (password reset, MFA enforcement, audit log review for the executive account). The verification protocol still works because phone confirmation reveals that the CEO didn't send the message even when their email account did. This is one reason why phone verification is more reliable than email-based verification.

Are remote/hybrid teams more vulnerable?

Yes, somewhat. In-office teams have lower Gift Card BEC success rates because the employee can walk over and ask the CEO directly. Remote teams require explicit phone or video calls for verification, which adds friction and feels more disruptive. The defense for remote teams is to normalize the phone verification habit so it doesn't feel like an interruption.

What about Gift Card BEC over text or chat platforms?

The same pattern increasingly hits SMS, WhatsApp, Slack, Microsoft Teams, and other chat platforms. The structure is identical: impersonation, urgency, confidentiality, gift card request. The defense is the same: verify through a different channel before complying. Text-based BEC has lower per-incident loss rates than email-based BEC because of message length constraints, but volume is growing.


Executive Summary: TL;DR

Gift Card BEC is the most common BEC variant for small businesses. The pattern is consistent: an attacker impersonates a CEO or executive over email, frames a "quick favor" gift card request, applies time pressure and confidentiality, asks for specific brand and amount, and requests codes via email. Average losses are $1,500-$5,000 per incident; the FBI tracks thousands per year.

Seven structural elements make the attack work: impersonated authority, spoofed sender, quick favor framing, time pressure, confidentiality, specific brand/amount, and code-via-email handoff. Recognition is the first defense.

A three-part verification protocol stops nearly every Gift Card BEC: (1) call the executive directly at a number you already have, (2) reply with a context-specific verification question if calling isn't possible, (3) never send gift card codes via email regardless of who requests them.

For teams that have already been hit: try to recall through the gift card issuer within 24 hours, file an IC3 report, and run a blame-free team debrief to install the verification habit.

For automated detection at the email layer, Ṣọ's Free tier covers Gift Card BEC pattern detection. Install in 2 minutes at soemailsecurity.com.

Five minutes of phone verification beats five thousand dollars of fraud.


Sources: FBI Internet Crime Complaint Center 2024 Annual Report, APWG Phishing Activity Trends Report, Verizon 2024 Data Breach Investigations Report.
