THE $74,000 EMAIL THAT LOOKED COMPLETELY NORMAL

By Ṣọ Email Security · 2 min read

Gift card scams cost businesses billions annually. Here's the simple two-channel rule that stops them.


Last month, an executive assistant in Chicago bought $2,400 in Apple gift cards for her CEO.

She scratched off the backs, photographed the codes, and emailed them over.

Except it wasn't her CEO.

The email came from "MichaelT.CEO" at a Gmail address. Not the company domain. She didn't notice because the display name looked right and the request felt urgent.

This happens 15,000 times per day.

That's how many CEO impersonation emails Proofpoint blocks every 24 hours. And those are just the ones they catch.

Why gift cards?

Here's what makes this scam so effective: gift cards feel low stakes.

Wire transfers trigger alarm bells. Accountants get involved. There's paperwork.

A $500 Target card? That's just a quick favor for the boss.

Scammers understand psychology better than most marketers. They know that lowering the perceived stakes increases compliance.

According to FBI data, 66% of Business Email Compromise attacks now use gift cards as the payment method.

The average loss per incident? $74,723.

That's not a typo. Attackers don't ask for one card. They ask for five. Then ten. Then they come back next week with another "urgent client situation."

The two-channel rule

We recommend what we call the two-channel rule.

Any financial request that comes through email gets verified through a different channel.

Text. Phone call. Slack. Walk down the hall.

If someone emails asking for gift cards, money, or sensitive data, I confirm through a second method before acting.

Scammers control one channel. They rarely control two.

This works because BEC attackers rely on speed and single-thread communication. The moment you pick up the phone and call your actual CEO, the scam falls apart.

The red flags

Even before you verify, watch for these patterns:

Urgency language. "ASAP," "immediately," "don't delay." Real executives rarely write like their hair is on fire.

Secrecy requests. "Keep this between us," "don't mention this to anyone." Legitimate business doesn't require hiding things from your own team.

Gmail or personal addresses. Your CEO has a company email. If they're suddenly emailing from a personal account about company money, something is wrong.

Avoiding calls. "I'm in meetings all day, just handle it via email." Scammers can fake emails. They can't fake your boss's voice on a phone call.
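
The red flags above and the two-channel rule, expressed as a header-and-phrase check in Python. This is an added example, not code from the article or from Ṣọ Email Security; the company domain `example.com`, the executive name "Dana Reyes" and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values (not from the article): your mail domain, executive names/titles.
COMPANY_DOMAIN = "example.com"
EXEC_KEYS = ("danareyes", "ceo")  # lowercase, letters only
# Phrases taken from the article's red-flag list; extend for your environment.
PATTERNS = {
    "urgency": re.compile(r"\b(asap|immediately|don['’]?t delay)\b", re.I),
    "secrecy": re.compile(r"keep this between us|don['’]?t mention this", re.I),
    "avoids_calls": re.compile(r"in meetings all day|handle (it|this) via email", re.I),
    "financial_request": re.compile(r"gift ?cards?|wire transfer", re.I),
}

def red_flags(raw: str) -> list[str]:
    """Return the names of the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')}\n{body}"
    flags = [label for label, rx in PATTERNS.items() if rx.search(text)]
    ident = re.sub(r"[^a-z]", "", name.lower() + local)
    if domain != COMPANY_DOMAIN and any(k in ident for k in EXEC_KEYS):
        flags.append("exec_name_external_domain")
    return flags

def needs_second_channel(flags: list[str]) -> bool:
    """Two-channel rule: every emailed financial request is verified out of band."""
    return "financial_request" in flags

# Constructed sample messages (not real mail).
SCAM = """\
From: "Dana Reyes" <danar.ceo@gmail.com>
Subject: Quick favor

I need five gift cards ASAP for a client. Keep this between us.
I'm in meetings all day, just handle it via email.
"""
BENIGN = """\
From: "Dana Reyes" <dana.reyes@example.com>
Subject: Thursday agenda

Please send me the agenda for Thursday.
"""
for sample in (SCAM, BENIGN):
    print(red_flags(sample), needs_second_channel(red_flags(sample)))
```

The check reads only the `From` header and plain-text body, so a message sent from a compromised internal mailbox passes the domain test; the second-channel verification still applies to it.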

Your one takeaway

Before you buy, transfer, or send anything based on an email, verify through a different communication channel.

Takes 30 seconds. Could save you thousands.

The best defense against sophisticated fraud isn't sophisticated technology.

It's a quick phone call.

