Employee Gift Card Scams: How to Address What’s Impossible to Eliminate
October 1, 2025 • Cybersecurity
If your company has a website or at the very least a dedicated email address, chances are you or your employees have been targeted in a gift card scam. This attack has evolved into a widespread operation impacting every type of organization — from Fortune 500 companies to small nonprofits.
The structure of the scam is simple. A scammer poses as a trustworthy coworker and targets someone within your organization — usually a new hire — with an unexpected but not necessarily outlandish request. For example, a common scenario involves the scammer posing as your CEO stuck in a meeting and needing someone to purchase a handful of gift cards for a donor appreciation event. Eager to impress, your employee does as they’re told and purchases the requested gift cards. They’re then prompted to share these redemption codes with the scammer.
However, once these redemption codes are shared, gift cards become nearly untraceable. Whatever money was spent (whether the employee’s own or your organization’s petty cash) is gone. Unlike credit card transactions or bank transfers, there’s no financial institution providing governance to protect the funds.
Attackers often target employees on their personal phone numbers, outside of your organization’s control, or via email with communications carefully crafted to bypass email filtering. But while you can’t prevent these attacks, you can equip your organization with a multi-layered defense to combat these scams and reduce the likelihood of the scammer profiting off of your colleagues.
Why are gift cards perfect for phishing scams?
According to the Federal Trade Commission, gift card-related fraud accounted for $217 million of $10 billion lost to scams in 2023. The FTC does provide resources for reporting these scams, and companies like Apple and Google offer support lines for gift card scam victims; however, recovery requires immediate action and often proves unsuccessful. The reality remains stark: once you’ve shared those codes, your money is likely gone for good.
One of the biggest challenges in combating gift card scams is their ability to bypass traditional cybersecurity tools and target human psychology. And the threat is only growing.
These factors make gift cards attractive to scammers, but many organizations use gift cards for volunteer appreciation, donor recognition, or program incentives. This legitimate usage makes many nonprofits especially vulnerable to these fraudulent requests.
How scammers target your organization
The rise of these scams coincides with the widespread availability of our personal and organizational information online. Cyberattackers can gain an exceptional level of detail through data brokers, social media scraping, and countless data breaches. That means cybercriminals don’t need sophisticated hacking tools to launch these attacks. They rely on publicly available information that most people and organizations freely share.
The security community suspects the process typically involves scraping LinkedIn for members announcing they’ve started a new job, which most people publish with their privacy settings set to public visibility. These updates are then cross-referenced with data broker information or other sources to compile contact profiles. The result is a targeted list of employees that includes their phone numbers, email addresses, and workplace details, which are available on most websites. Attackers gather the names of leaders at the targets’ workplaces from LinkedIn, business data brokers, or organizational websites.
The scale of this operation means attackers aren’t specifically targeting your organization because of your mission or public profile. They’re casting a wide net across all organizations. We’ve found that even small nonprofits with a staff of fewer than 25 people have been regularly targeted by these scams because the cost of sending bulk text messages makes volume attacks profitable.
Why are new hires targeted for gift card scams?
New employees face a perfect storm of factors that make them vulnerable to gift card scams. They haven’t yet established relationships that would readily reveal suspicious communication patterns, and they want to demonstrate they’re reliable and responsive, especially to leadership. Just as importantly, new hires haven’t learned your organization’s internal protocols for purchases and expense approvals.
Scammers also rely on creating a sense of urgency that interferes with critical thinking that might otherwise kick in and help recipients recognize suspicious requests. When someone believes their boss is asking for immediate help, they focus on compliance rather than verification. If the staff member makes it to a store to purchase gift cards, even built-in prompts at checkout that warn about gift card scams become ineffective because the victim strongly believes they’re simply making a legitimate purchase for their employer.
The data reality you can’t control
No matter how many precautions you take, your personal information is likely already available through both legal and illegal channels. Data brokers compile and sell personal information that people consented to share through various services — though few realize the extent of this data trading when signing up for credit cards, utilities, or online accounts.
While you can minimize the data available to data brokers by opting out (either manually or via an opt-out subscription service), data breaches at companies and service providers continue to expose personal information without people’s consent. Tools like Have I Been Pwned can show you which breaches have exposed your information, but this represents just the known incidents. This widespread availability means your staff’s basic contact information has already been leaked.
Building your defense with a ‘Swiss cheese’ model
Unfortunately, you can’t prevent data breaches or stop scammers from sending text messages to personal devices. Since there is no way to prevent these attacks entirely, your best defense relies on establishing multiple overlapping protections.
Think of these elements as a Swiss cheese model of digital security: Each tactic represents a slice of cheese with holes in it, but layering enough slices over one another blocks all the gaps.
An effective gift card scam defense plan should include:
User education
Tell new employees about gift card scams before they encounter them. Show examples of suspicious messages and explain why these requests should always be verified. When people know what to expect, they’re more likely to recognize attacks when they occur.
Verification protocols
Establish clear policies requiring verification of any purchase requests through a different communication channel. If someone receives a text asking for gift cards, they should understand to email or use an internal messaging platform like Slack or Teams to contact the right person to confirm before making any purchases.
Email filtering services
Google and Microsoft have improved their spam detection, but attackers constantly shift tactics in their requests. Those messages often will go through until the platform is updated to recognize the new format. Additional filtering services like Cloudflare Email Security can offer extra protection, but text messages remain harder to filter.
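As an added illustration (not code from this post or from any filtering product), the sketch below scores an inbound email for the scam structure described earlier: a leader's display name on an outside address, a gift card request, urgency, and a request for codes. The domain, leader names, weights, threshold and sample messages are all constructed assumptions.

```python
import re
from email.utils import parseaddr

# Assumptions for this example: your mail domain and leadership names.
ORG_DOMAIN = "example.org"
LEADERS = {"dana reyes", "sam okafor"}

# Content signals taken from the scam pattern described in this post.
SIGNALS = {
    "gift_card": re.compile(r"\bgift\s*cards?\b", re.I),
    "urgency": re.compile(
        r"\b(urgent(ly)?|asap|right away|immediately|in a meeting)\b", re.I),
    "code_request": re.compile(r"\b(redemption\s+)?codes?\b", re.I),
}
WEIGHTS = {"leader_name_external_sender": 3, "gift_card": 2,
           "urgency": 1, "code_request": 2}

def score_message(from_header, body):
    """Return (score, reasons); a higher score means more suspicious."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    # A leader's name on an address outside the org domain is the core tell.
    if display.strip().lower() in LEADERS and domain != ORG_DOMAIN:
        reasons.append("leader_name_external_sender")
    reasons += [name for name, rx in SIGNALS.items() if rx.search(body)]
    return sum(WEIGHTS[r] for r in reasons), reasons

def triage(from_header, body, threshold=4):
    """Hold a message for human review instead of silently dropping it."""
    score, reasons = score_message(from_header, body)
    return ("hold_for_review" if score >= threshold else "deliver"), reasons

# Constructed sample messages (not real traffic).
SAMPLES = [
    ("Dana Reyes <dana.reyes.ceo@mailbox.example>",
     "I'm in a meeting and need you to buy five gift cards right away "
     "for donor appreciation. Send me the codes."),
    ("Dana Reyes <dana@example.org>", "Reminder: staff meeting moved to 3pm."),
    ("Vendor Rewards <promo@shop.example>", "Gift cards are 10% off this week."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, "->", triage(sender, body))
```

A keyword heuristic like this only covers mail your organization handles and will miss reworded requests, which is why it is one layer alongside verification protocols and education.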
Data hygiene
The U.S. does not offer privacy laws like the EU’s GDPR, which means it’s technically legal for data brokers to share your information. However, they do respect opt-out requests, and it’s possible for your employees to go through a long list of sites and ask to be removed. Alternatively, you can use a subscription service to automate these opt-out requests; reach out to Personified for help setting up an enterprise privacy subscription service!
While you can’t control all data exposure, you can also encourage employees to limit their risks by adjusting privacy settings. For example, adjusting your preferences so only LinkedIn connections can view your profile will prevent job changes from being publicly visible.
Clear organizational policies
Document when and how your organization uses gift cards. If you never do, state that clearly during onboarding. If you do use them, you should clarify the approval process so employees know what a legitimate request looks like.
Also document your organization’s approved communication channels. If you do use text messages to communicate, ensure new staff have a directory of verified contact numbers. If you do not use text messages, educate new staff to be wary of texts claiming to be from coworkers and refer them to the appropriate communication channels to use instead (email, Slack, Teams, etc.).
The value of preparation over panic when fighting scams
Unfortunately, gift card scams represent part of the cost of doing business online. While we can’t eliminate the threat entirely, you can prepare your teams to recognize suspicious texts or email messages and respond appropriately.
Your goal isn’t to achieve perfect security — it’s to create enough obstacles that scammers move on to other targets while ensuring your team knows how to respond to attacks. From your board members to the newest hire, everyone in your organization should understand the threat and know the proper verification steps, which are your strongest defense against these attacks.
The question isn’t whether you’ll be targeted, but whether your team will be prepared to recognize and respond appropriately when it happens. If you’re ready to start making a plan that will suit your organization’s needs, let’s connect and talk about what’s next.


