Gift Card Scam

Would your cardholders be able to spot and prevent a scam? A national company became a victim of business email compromise (BEC) fraud involving gift cards, even though the employee who fell for it was trained on information security. This highlights a critical component that should follow training: auditing. Besides covering key topics within training presentations, testing employees’ knowledge through process audits can reveal how well the training has sunk in. Keep reading to learn what happened and see if your organization is already following the presented action items.

Related Resources

Don't forget to subscribe to the blog (no charge) to receive educational content!


What Happened

Proving that no organization is immune to external fraud, the company in question is in the financial services industry, which, of course, is very focused on information security. One of the manager-level employees received an email that looked like it was from a senior management member. It directed the employee to buy $2,000 worth of gift cards to be used for employee recognition purposes. The big red flag was that it instructed the employee to take immediate action following the purchase rather than go back to the office first. It stressed that the employee should uncover the cards’ security codes and then reply to the email by sending photos of the fronts and backs of the cards. The employee complied. It was discovered by the Info-Security team when they were researching the same type of fraud reported by a different employee, who recognized the scam and did not fall for it.

Action Items

  • Ensure all employees—not just cardholders—are trained annually on information security. They should scrutinize any email requests that are seemingly out of the blue—something they were not expecting—and/or are different than “normal” business operations. When in doubt, they should independently verify a request and report any fraudulent attempts to the Info-Security team.

  • Keep your training current by refreshing as needed to include new fraud types and variations of common scams.

  • Routinely share examples of fraud (from the news and websites like this) to keep security at the forefront of people’s minds.

  • Within your process audits, try to simulate a scam to see if employees take the appropriate action.

  • Ask your IT group about automatically marking emails from external sources, which can help make employees more vigilant.

About BEC Fraud

As reported by the FBI, business email compromise (BEC) is a $12B scam. It is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. While it is most often associated with requests for wire payments, fraudulent requests may pertain to personal information (e.g., W-2 forms). As this blog post demonstrates, the scam has widened to include gift cards.