Phishing & Social Engineering

What Is a Gift Card Scam?

A gift card scam (in the Business Email Compromise context) is a social engineering attack in which an attacker impersonates a CEO, executive, or other authority figure via spoofed or compromised email and manipulates an employee into purchasing retail gift cards and sending back the card numbers and PINs, which the attacker then redeems or resells.

How does a gift card scam work?

The attack begins with impersonation: an attacker spoofs or compromises the email account of a CEO, executive, or manager. Display-name spoofing (where the visible name reads "CEO Name" but the actual email address is attacker-controlled) and lookalike domains are common techniques. A short, informal email or text message is sent to a target employee—often an executive assistant, office manager, administrative coordinator, or finance staff member—with an urgent, confidential request such as "Can you help me with something? I'm in a meeting" or "I need a quick favor."

Once the victim responds, establishing a back-and-forth conversation, the attacker deepens the social engineering by requesting that the employee purchase retail gift cards from a nearby store or online (typically $200-$500 per card, multiple cards totaling $1,000-$10,000 or more). The request is framed as employee recognition rewards, client gifts, a surprise for departing team members, or bonus distribution. The attacker creates plausible business narratives that justify the unusual request while maintaining urgency: "I need this done today," "Keep this between us," or "I'm traveling and can't handle this myself."

The employee is instructed to scratch off the PINs and send photos of the card backs, type the redemption codes directly into the email or text thread, or provide the codes verbally. Attackers immediately redeem, transfer, or resell the gift card balances—often within minutes of receiving the codes—making recovery nearly impossible. Gift card companies typically cannot reverse transactions once the cards have been redeemed or transferred. Gift cards are preferred as a theft vector because victims are less wary of gift card requests than wire transfer requests, which trigger higher scrutiny; cards provide a quick, easy way to launder stolen money through untraceable retail instruments; and employees perceive gift card purchases as lower-risk than moving corporate funds (Proofpoint, 2019).

How does a gift card scam differ from wire transfer BEC?

Dimension                   | Gift Card Scam (BEC)                                                | Wire Transfer BEC                         | W-2 Phishing                           | Invoice Fraud
----------------------------|---------------------------------------------------------------------|-------------------------------------------|----------------------------------------|---------------------------------------------
Primary Target              | Executive assistants, office managers                               | Finance/Accounts payable staff            | HR/Payroll staff                       | Accounts payable staff
Impersonated Party          | CEO/executive (internal)                                            | CEO/CFO or vendor (external)              | CEO/executive (internal)               | Vendor/supplier (external)
Typical Amount per Incident | $1,000-$10,000                                                      | $10,000-$1,000,000+                       | N/A (data theft)                       | $10,000-$500,000+
Monetization Method         | Redeem/resell gift card balances                                    | Wire transfer to mule account             | Fraudulent tax returns, identity theft | Wire transfer to attacker account
Recoverability              | Very low (redeemed within minutes)                                  | Low-moderate (banks can sometimes freeze) | N/A                                    | Low-moderate
Technical Sophistication    | Very low (text/email only)                                          | Low-moderate                              | Low                                    | Moderate (may involve document forgery)
Detection Difficulty        | Low-moderate (unusual request pattern)                              | Moderate-high                             | Moderate                               | High (mimics legitimate invoices)
Ideal for                   | Quick thefts with plausible deniability; testing employee awareness | Large single frauds with corporate access | Harvesting employee data at scale      | Sophisticated fraud targeting AP departments

Neither is universally better. Gift card scams are faster to execute; wire fraud targets larger single amounts.

Why have gift card scams gained traction?

Gift card scams have become a preferred vector because they exploit a psychological blind spot: victims are less suspicious of a gift card request than of a wire transfer request. Consumers reported losing more than $217 million to gift card scams in 2023 alone (FTC, 2024). The median individual loss increased from $700 in 2018 to $1,000 in 2021, with losses of $5,000 or more rising from about 8% of reports in 2018 to about 14% by late 2021 (FTC, 2021). Apple/iTunes gift cards are the most-reported brand used in scams, followed by Target, eBay, Walmart, and Amazon. Target gift cards alone accounted for approximately $35 million in payments to scammers, with a median loss of $2,500, higher than any other brand (FTC, 2024). About one in four people who report losing money to fraud say it happened via gift cards (FTC, 2024).

Broader BEC losses (which include gift card scams as a subset) totaled $2.77 billion across 21,442 incidents in 2024, representing over 17% of the $16.6 billion in total cybercrime losses reported to the FBI (FBI IC3, 2025). Proofpoint blocks over 15,000 BEC and imposter messages per business day, or nearly 4 million per year (Proofpoint, ongoing). Gift card scams require minimal technical sophistication compared to other attack types, making them accessible to less-skilled threat actors.

What are the limitations of a gift card scam?

Low dollar amounts per incident reduce suspicion but also limit yield: individual gift card scam amounts ($1,000-$10,000) are far lower than wire transfer BEC ($100K+), requiring attackers to run many campaigns for comparable returns. Retail employee intervention provides a significant defense: AARP found that one in four consumers in the process of buying gift cards for a scam had a retail employee warn them, and more than half the time a third party intervenes, the victim avoids losing money (AARP, 2022).

Regulatory attention is increasing: Maryland passed the Gift Card Scams Prevention Act of 2024; New York, Rhode Island (2023), and Delaware (2024) have enacted legislation requiring warning signs at gift card displays (Law360/Alston & Bird, 2025). Gift card scams have limited scalability—unlike wire transfer BEC or W-2 phishing, which can steal millions at once, gift card scams require individual purchases and manual code extraction, limiting throughput. The request pattern (executive asking subordinate to buy gift cards urgently and secretly) is distinctive and well-documented; even basic awareness training significantly reduces success rates. Major retailers are implementing purchase limits, employee training programs, and point-of-sale warnings to combat these attacks.

How can organizations defend against gift card scams?

Train employees to recognize gift card request patterns—particularly urgent, secretive requests from "executives" asking for gift card purchases. Role-specific training for executive assistants and office managers is critical. Establish a policy that any request for gift card purchases must be verified through a secondary channel (phone call, in-person, or pre-approved internal system) before proceeding. Deploy email authentication at enforcement level (DMARC p=reject) to prevent domain spoofing.

Deploy advanced email security solutions that detect impersonation attempts, display-name spoofing, and lookalike domains. Implement a financial control policy that company funds cannot be used to purchase gift cards without pre-approval from finance through a formal process, requiring dual authorization for unusual purchases. Encourage retailers to implement employee training (such as AARP's BankSafe program, available free to all US retailers), purchase limits on gift cards, and point-of-sale warnings. If gift card fraud occurs, report it to the FBI's IC3 at ic3.gov, notify the gift card issuer (many will freeze remaining balances if reported quickly), and report to the FTC at ReportFraud.ftc.gov.
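The request pattern described above (display-name spoofing, lookalike domains, and an urgent, secretive gift card ask) and the DMARC enforcement check recommended in this section can both be expressed as simple triage logic. The following Python is an added example written for this page; it is not code from Kinds Security or from any product mentioned here. The executive directory, internal domain, scoring weights, threshold and sample messages are all constructed for illustration. One point worth keeping in mind: a DMARC p=reject policy only stops mail that forges the protected domain exactly, so the display-name and lookalike-domain checks below cover the cases DMARC cannot.

```python
"""Triage helper for executive gift card request emails.

Added example (not the page's or any vendor's code). The executive directory,
internal domain, scoring weights and sample messages below are constructed for
illustration; tune them to your own environment.
"""
import re
from email.utils import parseaddr

# Hypothetical directory: lower-cased display name -> the only domain that
# person legitimately sends from.
EXECUTIVES = {"jane doe": "example.com", "sam lee": "example.com"}
INTERNAL_DOMAIN = "example.com"

# Phrases drawn from the request pattern the text describes.
GIFT_CARD_TERMS = re.compile(
    r"\b(gift ?cards?|itunes|apple cards?|google play|redemption codes?|scratch(?:ed)? off)\b",
    re.IGNORECASE,
)
URGENCY_TERMS = re.compile(
    r"\b(urgent|asap|right away|today|in a meeting|keep this between us|"
    r"confidential|quick favou?r|can'?t (?:talk|call)|travel(?:ing|ling))\b",
    re.IGNORECASE,
)
SCORE_THRESHOLD = 4  # constructed: at or above this, hold the message for review


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted=INTERNAL_DOMAIN, max_distance=2):
    """True when domain is a near miss of the trusted domain (e.g. examp1e.com)."""
    return domain != trusted and levenshtein(domain, trusted) <= max_distance


def analyse(message):
    """Score one message (dict with 'from', 'subject', 'body'); return (score, reasons)."""
    display_name, addr = parseaddr(message["from"])
    domain = addr.rsplit("@", 1)[-1].lower()
    score, reasons = 0, []

    # Display-name spoofing: the visible name is an executive, the address is not theirs.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and domain != expected:
        score += 3
        reasons.append(f"display name matches an executive but sender domain is {domain}")
    if is_lookalike(domain):
        score += 3
        reasons.append(f"sender domain {domain} is a lookalike of {INTERNAL_DOMAIN}")

    text = f"{message['subject']}\n{message['body']}"
    if GIFT_CARD_TERMS.search(text):
        score += 2
        reasons.append("mentions gift cards or redemption codes")
    if URGENCY_TERMS.search(text):
        score += 1
        reasons.append("urgency or secrecy language")
    return score, reasons


def verdict(message):
    """'review' when the combined signals reach the threshold, else 'pass'."""
    return "review" if analyse(message)[0] >= SCORE_THRESHOLD else "pass"


def dmarc_is_enforcing(txt_record):
    """True only for a DMARC TXT record whose policy is p=reject (the enforcement
    level recommended above); p=none and p=quarantine return False."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("v") == "dmarc1" and tags.get("p") == "reject"


# Constructed sample messages (not real traffic).
SAMPLE_FREEMAIL = {
    "from": '"Jane Doe" <jane.doe@gmail.com>',
    "subject": "Quick favor",
    "body": "Are you available? I'm in a meeting. I need you to pick up some gift cards "
            "for the team today and keep this between us.",
}
SAMPLE_LOOKALIKE = {
    "from": '"Sam Lee" <sam.lee@examp1e.com>',
    "subject": "Client gifts",
    "body": "Please buy five Apple cards and send me the redemption codes.",
}
SAMPLE_VENDOR = {
    "from": '"Acme Promotions" <sales@acme-promo.example>',
    "subject": "Corporate gift cards on offer",
    "body": "Our bulk gift cards are 10% off this month.",
}
SAMPLE_BENIGN = {
    "from": '"Jane Doe" <jane.doe@example.com>',
    "subject": "Q3 planning",
    "body": "Agenda for Thursday attached.",
}

if __name__ == "__main__":
    for label, msg in [("freemail", SAMPLE_FREEMAIL), ("lookalike", SAMPLE_LOOKALIKE),
                       ("vendor", SAMPLE_VENDOR), ("benign", SAMPLE_BENIGN)]:
        score, reasons = analyse(msg)
        print(f"{label:9} {verdict(msg):6} score={score} {reasons}")
    print("DMARC enforcing:", dmarc_is_enforcing("v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
```

The vendor sample shows why the gift card keyword alone is not enough to hold a message: it scores 2 and passes, whereas the freemail and lookalike samples combine an impersonation signal with the request language and are held for review. In practice the executive directory would come from your identity provider and the verdict would feed a quarantine or a secondary-channel verification step rather than a print statement.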



What is a gift card scam in the context of business email compromise?

A gift card scam is a BEC attack where an attacker impersonates a company executive and tricks an employee into purchasing retail gift cards and sending the card numbers and PINs. The attacker redeems or resells the gift card balances immediately, making recovery nearly impossible (Proofpoint, 2019; FBI, "Business Email Compromise," ongoing).

How much money is lost to gift card scams annually?

Consumers reported losing more than $217 million to gift card scams in 2023, with a median individual loss of approximately $1,000. As a subset of BEC, which caused $2.77 billion in losses in 2024, gift card scams represent a significant portion of social engineering fraud (FTC, 2024; FBI IC3, 2025).

Which gift card brands are most commonly used in scams?

Apple/iTunes gift cards are the most commonly reported brand used in scams, followed by Target, eBay, Walmart, and Amazon. Target gift cards accounted for approximately $35 million in scam payments, with a median loss of $2,500 per incident—the highest of any brand (FTC, 2024).

Why do scammers prefer gift cards over wire transfers?

Gift cards are preferred because they are quick to purchase, difficult to trace, function like cash once the PIN is shared, and victims are less suspicious of gift card requests compared to wire transfer requests. Gift cards can be redeemed within minutes, making recovery virtually impossible (Proofpoint, 2019).

How can businesses prevent gift card BEC scams?

Key defenses include security awareness training (especially for executive assistants and office managers), establishing verification policies requiring out-of-band confirmation for any gift card purchase requests, deploying email authentication (DMARC/DKIM/SPF), and implementing financial controls requiring pre-approval for unusual purchases (FBI, "Business Email Compromise," ongoing; CISA best practices).


© 2025 Kinds Security Inc. All rights reserved.