Gift Card Scams: The "Are You Available?" CEO Fraud

It is a scene that plays out in workplaces every single day. A new hire's phone buzzes during their second week. The message is from the CEO: "Hi, are you available? I'm in a meeting and need a quick favor - can't talk right now." Eager to make a good impression, the employee replies yes. The follow-up arrives fast: buy several gift cards for a client surprise, scratch off the backs, and text over the codes. It feels urgent, the boss is counting on them, and they don't want to look unhelpful. So they do it - and the money is gone before anyone realizes the CEO never sent a word.
This is the gift card scam, one of the most persistent forms of business email compromise (BEC). It's low-tech, requires no malware, and works on a simple human lever: the urge to help an authority figure quickly. The FBI and the Federal Trade Commission have warned about it for years.
How the Gift Card Scam Plays Out
The pattern is remarkably consistent, which is exactly why it's so teachable. Once an employee has seen it laid out, they tend to recognize it instantly the next time - even when the wording or the channel changes. It almost always unfolds in four predictable steps:
- The bait. A short, vague opener - "Are you available?" or "I need a quick favor" - from someone impersonating a CEO, manager, or HR director, often via text or a free email account rather than the boss's real address.
- The setup. The "executive" claims to be busy, in a meeting, or traveling, and insists on handling everything over text so the employee can't easily verify.
- The ask. Buy gift cards - for client gifts, employee rewards, or a surprise - and do it urgently.
- The drain. Send back the card numbers and PINs. The fraudster cashes them out almost instantly, and gift cards are nearly impossible to trace or recover.
The FTC put it bluntly in a January 2026 consumer alert: scammers pose as your boss asking you to buy gift cards, and it is always a scam. Sometimes they'll even ask for "Google certificates" or other odd wording, hoping you'll engage to figure out what they mean.
Anyone who tells you to pay with a gift card is a scammer. There is no legitimate business reason for a manager to ask an employee to secretly buy gift cards and text over the codes.
Why It Targets New and Junior Staff
Attackers deliberately aim at employees who are least equipped to push back. New hires don't yet know how their executives actually communicate or what's normal. Junior staff feel the steepest power gradient and are the most reluctant to question - or to slow down a request from the top. The scammer engineers the whole interaction to discourage verification: it's urgent, the boss is unreachable, and asking feels like it could be career-limiting.
Because it's cheap to run at scale and occasionally pays off, the gift card scam remains a perennial fixture of BEC, which the FBI ranks among the most financially damaging cybercrimes year after year.
Why Gift Cards Are the Perfect Payout
It's worth understanding why fraudsters favor gift cards specifically over a bank transfer. Gift cards behave like cash but with none of the friction. Once a victim reads out the numbers and PINs, the value can be drained or resold almost instantly - often laundered through online marketplaces - and there's no bank account to freeze, no transfer to recall, and little chance of recovery. The victim, meanwhile, can buy them at any supermarket or pharmacy without raising the alarms a large wire would trigger.
That's also why the social-engineering script leans so hard on small, plausible amounts and everyday reasons. "A few cards for a client thank-you" or "team rewards for the offsite" sounds mundane enough that an eager employee doesn't pause. The fraudster is happy to net a few hundred dollars per hit because the campaign is automated and sprayed across many employees at many companies at once. Low cost, low risk, instant payout - it's a formula that keeps the scam alive year after year despite being one of the most-warned-about frauds in existence.
Sophisticated variants raise the stakes. Some attackers research the org chart on LinkedIn first, so they name the right executive and address the right assistant. Others spoof the executive's real display name so a glance at the inbox shows a familiar identity. The wording may shift too - "gift cards" become "e-vouchers," "Google certificates," or "prepaid cards" - but the underlying ask is always the same.
How to Recognize and Stop It
The defense is mostly behavioral, and it comes down to one unbreakable rule plus a verification habit.
- The rule: No legitimate manager will ever ask you to buy surprise gift cards and send the codes. Treat any such request as fraud, full stop - no matter how senior the "sender" appears.
- Verify through a known channel. If a request seems to come from a boss, confirm it by calling or messaging them on a number or platform you already trust - never by replying to the text or email that made the request.
- Watch the channel and address. A CEO suddenly texting from an unknown number, or emailing from a personal Gmail-style address, is a giant red flag.
- Distrust manufactured urgency. "Do it now, I can't talk" exists to stop you from verifying. Slowing down is the whole defense.
- Make reporting easy and blameless. Employees should feel safe flagging "is this really from you?" without fear of looking foolish.
This is where practice beats policy. You can put "never buy gift cards for an executive" in the handbook, but an anxious new hire under pressure from someone claiming to be the CEO needs to have felt that moment before to recognize it. empowsec's phishing simulation can replicate the exact "Are you available?" gift card lure - including text-style and impersonation scenarios - so employees experience the pressure in a safe setting and learn to verify before they act. The teachable-moment debrief delivers the lesson at the instant it lands hardest, explaining the tell-tale signs while the experience is fresh, and onboarding-focused security awareness training arms new hires with the rule before a real fraudster ever reaches them. A one-click report-phishing button then gives every employee a fast, blameless way to escalate a suspicious request instead of quietly complying or quietly ignoring it.
Key Takeaways
- The gift card scam impersonates a CEO or manager with an urgent "are you available?" request to buy cards and send the codes - a high-volume, low-tech BEC.
- It deliberately targets new and junior employees who don't yet know normal executive behavior and feel pressure not to question authority.
- The unbreakable rule: no legitimate manager asks staff to buy surprise gift cards - as the FTC says, anyone who tells you to pay with a gift card is a scammer.
- Defend with verification through a known channel, suspicion of urgency and odd sender addresses, and a blameless reporting culture.
See the FTC's January 2026 alert, "No, that's not your boss asking you to buy gift cards", and the FBI's guidance on Business Email Compromise.


