Business email compromise (BEC) scams that involve gift cards usually aren’t very sophisticated—but employees often still fall for them.

Wesentliche Punkte:

  • Gift card scams are a growing form of business email compromise attack that thieves use to scam businesses and individuals.
  • Many gift card email phishing attempts are relatively crude, which can make them easier to spot.
  • A combination of security awareness training, policies and email security services can reduce the risk of a successful phishing attack.

Thieves rely on an ever-growing array of social engineering methods to fleece unwitting recipients out of money. One fast-expanding tactic: business email compromise scams involving gift card purchases.

Typically, thieves trick employees into buying genuine gift cards and sending them the information needed to sell them or cash them in. They often do this by sending phishing emails in which they pose as an executive, requesting that the employee buy gift cards and send the serial numbers so the cards can be used immediately. They use a variety of phony reasons for the gift card purchases, including surprise gifts or the purchase of equipment, supplies, and even food from a restaurant for a meeting or party.[1] They often request cards from major brands such as Apple (iTunes), Google (Play), Amazon, Target and Best Buy.[2]

The trend takes advantage of the fact that most employees are already familiar with gift cards and can buy them online. Gift card sales in the U.S. topped $160 billion in 2018, and more than 93% of the public have used them, according to market-research firm Statista.[3] The average sum requested by thieves is around $1,600, according to the Anti-Phishing Working Group (APWG), but some gift card scams reach more than $10,000.[4]

Gift card scams are part of a broader rise in business email compromise phishing attacks, in which attackers typically attempt to impersonate executives or suppliers in order to deceive employees into sending them money. An FBI report noted that business email compromise attacks have been detected in 131 countries.[5] Overall, business compromise scams are estimated to have resulted in $26 billion in losses since 2016.[6]

Common Gift Card Email Fraud Techniques

Although many gift card email attacks are much less sophisticated than other types of business email compromise attempt, they may include official looking logos, requisitions or purchase orders that appear to be sent from a real department, executive or manager. They are often directed at specific employees who have the authority to make purchases or payments. If a phishing email lands in the right person’s inbox at the right time, it may not elicit suspicion. In many cases, thieves perpetrating email or phone fraud work in coordinated teams that generate leads, distribute scam emails, create aliases, and generate fake documents as needed.[7]

Thieves also continue to invent new ways to defraud companies with gift card related scams. For example, an emerging twist involves mailing recipients a malware-infected USB stick, together with letter that says the employee has received an award and that the USB device contains a digital gift card from a popular retailer.[8] Once the device is plugged in to the employee’s system, it installs a JavaScript backdoor with a keystroke logger.

How to Reduce the Risks

The good news is that gift card schemes are often relatively crude business email compromise attacks, which often makes them easier to spot and block. There are several ways you can protect yourself and your business from email spoofing and other dangers:

  • Offer employee awareness training. The most important line of defense against email spoofing and business email compromise is a well-educated workforce. Notably, 90% of all breaches and breakdowns are a result of human error.[9] Employee awareness training can teach individuals to spot suspicious emails, including fake links, misspellings and unusual language or requests. It’s also important to have a way for employees to report suspicious messages or calls.
  • Establish controls that minimize risk. Crooks constantly find creative ways to exploit gaps in processes and controls. Gift card schemes that rely on phishing emails or phone calls are no exception. One way to reduce the risk of fraud is to limit who can initiate purchases, create specific rules for them and provide employees with a list of executives who can request them. If a transaction exceeds a certain limit or falls outside normal purchase channels, then mandate a secondary approval and require a phone call or in-person approval.
  • Deploy software that aids in protection. Advanced email security solutions can detect many phishing attacks. It important to extend protections to mobile devices, since research shows smartphone users are more susceptible to phishing than those using desktop and laptop computers.[10] Use multifactor authentication (MFA) whenever possible.

Was lässt sich daraus schließen?

With gift card scams and other forms of business email compromise on the rise, it’s more important than ever to remain vigilant and implement controls to combat email fraud. A combination of employee awareness, policies and email security services can reduce the risk of a successful phishing attack.


[1]BEC gift card scams switch to online stores due to pandemic,” BleepingComputer.

[2]How Gift Card Scams Are Used to Finance Fraud,” AARP.

[3]Projected gift card sales in the United States from 2006 to 2018,” Statista.

[4]Phishing Activity Trends Report, 4th Quarter 2019,”

[5]Business E-Mail Compromise E-Mail Account Compromise The 5 Billion Dollar Scam,” Federal Bureau of Investigation.

[6]Gift Cards: Everyone’s Favorite Gift, Especially Criminals,” CPO magazine.

[7]Email Scammers Ditch Wire Transfers for iTunes Gift Cards,” Wired.

[8]Hackers sending malware infected USBs with Best Buy Gift Cards,”

[9] 2017 Cost of Data Breach Study,” Ponemon Institute.

[10] Ibid.

Sie wollen noch mehr Artikel wie diesen? Abonnieren Sie unseren Blog.

Erhalten Sie alle aktuellen Nachrichten, Tipps und Artikel direkt in Ihren Posteingang

Das könnte Ihnen auch gefallen:

Jüngste Verhaftungen wegen geschäftlicher E-Mail-Kompromisse unterstreichen die Bedeutung von Ema...

Operation reWired Leads to 281 Arrests I…

Operation reWired führt zu 281 Verhaftungen in BEC Sting A four-... Read More >

Renatta Siewert

von Renatta Siewert

Senior Security Writer

Veröffentlicht am 24. September 2019

Business E-Mail Compromise kostet US-Unternehmen 1,7 Mrd. USD

The FBI says business email compromise&n…

The FBI says business email compromise is now the … Read More >

Mike Faden

by Mike Faden

Mitwirkender Verfasser

Posted Mar 20, 2020

Anstieg von Tax Identify Theft während der Hauptsaison für Steuererklärungen

With the 2020 tax season underway, cybe…

With the 2020 tax season underway, cybersecurity analysts a… Read More >

Sarah Rollman

by Sarah Rollman

Posted Jan 16, 2020