
Phishing alert! Gift card scam impersonates your supervisor

Published on February 22, 2022

If you've received a message from your boss requesting a gift card, it's probably a phishing attempt. "We're seeing a rise in gift card scams," says Conrad Bell, Chief Information Security Officer at C Spire. "Hackers send people emails or text messages in which they pretend to be a supervisor or a senior executive. They trick employees into buying gift cards and sending them the activation codes." Once the codes are sent, the money is gone.

According to the Federal Trade Commission, nearly 40,000 people reported losing $148 million in gift card scams in 2021. And it's only getting worse in 2022.

"Remember," says Bell, "Your boss does not need gift cards." And if anyone asks you to pay for something with a gift card, it's a scam. Gift cards are for gifts, not payments.

How does the scam work?

STEP 1. The scammer scours the Internet for names and emails of a company's high-ranking supervisors. Corporate websites and LinkedIn are sources for a lot of this information. Job titles, telephone numbers and other important information about the company help disguise malicious requests.

STEP 2. The hacker then targets the supervisor's business account through a variety of tactics. They often spoof the supervisor's email domain in a way that's difficult to notice. For example, boss@company.com is changed to boss@c0mpany.com. Sometimes they create a fake personal email address through Gmail, Yahoo or another service. They can also spoof a phone number from your area to send a text message.

STEP 3. The request is sent to an employee, asking them to buy gift cards for a random reason and send the gift card numbers and PIN code back via email or text.
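For mail administrators, the two sender tricks in STEP 2 (a lookalike domain such as c0mpany.com, and a free-mail address carrying an executive's name) can be flagged automatically. The following is an added example, not part of the original article; the trusted domain, executive name and free-mail list are constructed sample values.

```python
from email.utils import parseaddr

# Assumed sample values for this sketch, not data from the article.
TRUSTED_DOMAINS = {"company.com"}
EXECUTIVES = {"pat morgan"}          # display names worth protecting
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com"}
# Digit-for-letter swaps commonly seen in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def skeleton(domain: str) -> str:
    """Fold visually confusable characters so c0mpany.com == company.com."""
    folded = domain.lower().translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike-domain', 'executive-name-freemail' or 'external'."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"  # domain text matches; origin still needs SPF/DKIM/DMARC
    for good in TRUSTED_DOMAINS:
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 1:
            return "lookalike-domain"
    if domain in FREEMAIL and display.strip().lower() in EXECUTIVES:
        return "executive-name-freemail"
    return "external"


if __name__ == "__main__":
    for sample in ("Boss <boss@company.com>", "boss@c0mpany.com",
                   '"Pat Morgan" <pat.morgan.ceo@gmail.com>'):
        print(f"{sample!r:45} -> {classify_sender(sample)}")
```

A "trusted" result only means the domain string matches; a forged From header on the real domain is caught by SPF, DKIM and DMARC checks, not by this comparison.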

What should you do?

  • If you get a message from a colleague asking you about gift cards, reach out to the sender in a separate email or call them to check if they actually sent the request.
  • Do not reply to the email or use any contact information provided in the email. Attackers will often provide fake numbers or email addresses that they control.
  • If you discover the email is a phish, report it to your manager and at reportfraud.ftc.gov.