Gift Card Scams: The CEO Fraud Tactic That Drains Businesses One Card at a Time
What Is a CEO Gift Card Scam?
A CEO gift card scam is a Business Email Compromise (BEC) attack where a criminal impersonates a senior executive, typically the CEO, and emails an employee with an urgent request to purchase retail gift cards. The employee buys the cards, shares the serial numbers and PINs, and the attacker redeems the value within minutes. In Q1 2024, gift card schemes represented 37.9% of all BEC incidents. The FBI reported $2.7 billion in total BEC losses in 2024.
How Is a Gift Card Scam Defined in Cybersecurity?
A gift card scam is a subcategory of Business Email Compromise classified by the FBI as a form of CEO fraud. The attacker spoofs or compromises an executive's email address and sends a socially engineered message requesting that an employee purchase gift cards from common retailers such as Amazon, Google Play, Apple, or Target. The employee is asked to send back photographs or transcriptions of the card numbers and PINs.
Unlike wire transfer BEC, gift card scams require no banking credentials, no account numbers, and no complex money laundering infrastructure. Gift cards function as untraceable, instant cash equivalents. Once the codes are transmitted, the funds are gone.
Proofpoint identifies authority and urgency as the two primary psychological levers that make gift card scams effective. Employees comply because the request appears to come from the highest authority in their organization and carries an implied deadline. Proofpoint blocks over 15,000 BEC imposter messages per business day, approximately 4 million per year. (Proofpoint: Understanding BEC Scams, Gift Card Scams)
Why Should Organizations Care About Gift Card Scams?
The financial and operational impact of gift card BEC is severe and growing.
BEC was the second costliest internet crime category in 2024, with adjusted losses exceeding $2.7 billion according to the FBI's Internet Crime Complaint Center (IC3) annual report. Between 2022 and 2024, cumulative BEC losses reported to IC3 reached nearly $8.5 billion. Gift card requests accounted for 37.9% of all BEC incidents in Q1 2024, making them the single most common BEC cash-out method by volume. An estimated 70% of organizations experienced at least one BEC attempt in 2024. BEC attacks rose 15% in 2025 compared to the prior year. Over 65% of BEC sender addresses use free webmail services such as Gmail, making technical attribution extremely difficult.
Gift card scams succeed at scale because attackers trade smaller payoffs for higher success rates. Many victims never report incidents because individual losses appear minor, creating a significant gap between actual and reported damages. The FBI notes that real estate, legal, medical, distribution, and religious organizations are among the sectors most frequently targeted. (FBI IC3: Business Email Compromise)
How Does a CEO Gift Card Attack Work Step by Step?
The attack follows a consistent, repeatable sequence.
Step 1: Reconnaissance. The attacker researches the target organization using LinkedIn, corporate websites, and social media. They identify the CEO's name, the company's email format, and a suitable target employee, often someone in administration, HR, finance, or an executive assistant.
Step 2: Email spoofing or compromise. The attacker registers a lookalike domain (for example, "cornpany.com" in place of "company.com," where "rn" mimics "m") or compromises the executive's real email account. Free webmail accounts are used in over 65% of BEC attacks.
Step 3: The urgent request. The target employee receives what appears to be a confidential, time-sensitive message from the CEO. Common pretexts include team rewards, client appreciation gifts, charitable donations, or holiday bonuses. The message emphasizes secrecy and speed.
Step 4: Purchase and transmission. The employee purchases gift cards using a corporate card or personal funds and sends photographs or typed transcriptions of the serial numbers and PINs back to the attacker via email or text message.
Step 5: Instant redemption. The attacker redeems or resells the gift card codes within minutes. Unlike wire transfers, gift card redemptions are nearly impossible to reverse, trace, or recover.
What Is a Real Example of a CEO Gift Card Scam?
Proofpoint documented one of the most significant BEC operations in its 2023 report on top BEC scams. A criminal group known as the "CEO Fraud Gang" used sustained executive impersonation to steal $40 million from a single company. The attackers sent spoofed emails from fabricated executive accounts, manufactured urgency across multiple departments, and exploited employees' natural tendency to comply with leadership requests. The case demonstrated that even organizations with established security programs remain vulnerable when human trust is weaponized at scale. (Proofpoint: Top BEC Scams)
In a separate FBI-documented pattern, BEC gift card complaints surged from just a handful in 2017 to over 1,164 complaints accounting for more than $1 million in losses by August 2018, with over 90% of those complaints filed in a five-month window. (FBI: BEC Gift Card Fraud)
How Can You Detect a Gift Card Scam Email?
Use this checklist to evaluate any internal request involving gift cards:
- The email comes from an unusual, slightly altered, or external email address
- The sender asks you to keep the purchase confidential or secret
- The message conveys unusual urgency ("I need this handled within 30 minutes")
- The request bypasses normal procurement or approval workflows
- You are asked to reply to a different email address than the one displayed
- The sender discourages phone calls or in-person verification
- You are asked to share gift card serial numbers or PINs via email, text, or messaging app
- The pretext involves rewards, bonuses, donations, or client gifts
A single "yes" to any of these items should trigger immediate verification through an independent communication channel.
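To show how the checklist above can be applied mechanically at the mail gateway or by a help desk, here is an added example (not code from the original post or its vendor) that parses a constructed message and reports which checklist items it triggers. The internal domain, the free-webmail list and the keyword patterns are illustrative assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample that exhibits several checklist items at once (not a real message).
SAMPLE = """\
From: "Jane Smith, CEO" <jane.smith@cornpany.com>
Reply-To: ceo.jane.smith@gmail.com
To: assistant@company.com
Subject: Quick favour - confidential

I'm in meetings all day, so please don't call. I need this handled within 30 minutes:
buy 5 x $100 Apple gift cards for client appreciation, scratch off the PINs and
email me photos of the codes. Keep this between us.
"""
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumed list
BODY_RULES = {  # checklist items that live in the subject/body text (assumed patterns)
    "gift_card_pretext": r"\bgift\s*cards?\b",
    "codes_requested": r"\b(pins?|serials?|codes?|scratch)\b",
    "secrecy": r"\b(confidential|secret|between us)\b",
    "urgency": r"\b(urgent|asap|right away|within\s+\d+\s+(minutes|hours))\b",
    "discourages_call": r"\b(don'?t|do not|cannot|can'?t) (call|phone)\b",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from the real domain marks a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw: str, internal_domain: str) -> dict:
    """Return the checklist items a message triggers; any hit means verify out of band."""
    msg = message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    from_dom = from_addr.rpartition("@")[2]
    flags = []
    if from_dom != internal_domain:  # external sender, possibly a lookalike domain
        flags.append("external_sender")
        if 0 < edit_distance(from_dom, internal_domain) <= 2:
            flags.append("lookalike_domain")
    if reply_addr and reply_addr != from_addr:  # replies silently routed elsewhere
        flags.append("reply_to_mismatch")
        if reply_addr.rpartition("@")[2] in FREE_WEBMAIL:
            flags.append("free_webmail_reply_to")
    text = (msg["Subject"] or "") + "\n" + msg.get_body().get_content()
    flags += [name for name, rx in BODY_RULES.items() if re.search(rx, text.lower())]
    return {"flags": flags, "verify_out_of_band": bool(flags)}
```

Running `triage(SAMPLE, "company.com")` flags all nine items for the sample, while a routine internal message with a matching sender domain and no Reply-To returns no flags.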
What Steps Prevent CEO Gift Card Scams?
Organizations can significantly reduce their exposure through layered policy, technology, and training measures.
Establish a gift card purchasing policy. Formalize a rule that no employee may purchase gift cards based solely on an email request, regardless of the sender's apparent seniority. This single policy eliminates most gift card scam attempts before they begin.
Mandate out-of-band verification. Require a phone call or in-person confirmation for any financial request received via email. The FBI specifically advises that businesses should not rely on email alone to validate fund transfer or purchase requests.
Deploy email authentication protocols. Implement SPF, DKIM, and DMARC to reduce the likelihood of successful domain spoofing. These controls make it significantly harder for attackers to forge internal email addresses. They protect only the organization's own domain, however: a message sent from a lookalike domain or a free webmail account passes these checks, so they complement rather than replace out-of-band verification.
Use AI-powered email security tools. Behavioral analysis tools that detect anomalies in sender patterns, message tone, and request context add a critical detection layer. Solutions that process email data locally on user devices offer additional privacy protection by keeping sensitive communications off external servers.
Conduct regular security awareness training. Run simulated BEC exercises that include gift card request scenarios. Organizations with consistent training programs demonstrate measurably lower BEC success rates across all attack types.
Report incidents immediately. File complaints with the FBI's Internet Crime Complaint Center at ic3.gov. Early reporting improves the chance of partial fund recovery and helps law enforcement identify emerging threat patterns.
Gift card scams succeed not because of technical sophistication, but because they exploit human trust and organizational hierarchy. Every employee with an email address is a potential target. The most effective defense combines clear policies, verification protocols, and email security tools that detect threats before they reach the inbox.
AI-powered protection, zero data collection. That's the Ṣọ promise.
#EmailSecurity #BEC #GiftCardScam #CEOFraud #Cybersecurity #PhishingProtection #SoEmailSecurity