A phishing scam involving gift cards is becoming more prevalent and is having surprising success. The scam works like this: the recipient receives an email that purports to be from a “higher-up” in the company, urgently requesting the purchase of some gift cards (normally Apple or Google Play). After the cards are purchased, the scammer asks the victim to send the codes from the back of the cards. Then the scammer goes shopping.

Let’s take a look at the following real-life example with only the names changed:

Notice how the boss asks for confidentiality more than once so as not to clue others in to the scam. Some of the grammar is also questionable (though this example contains better grammar than most), and the scammer attempts to create a sense of urgency in order to make the recipient act without thinking. Finally, the smoking gun is the sender’s reply-to address, which is not a legitimate company email address.
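The clues above can also be checked mechanically by a mail filter or triage script. The following is an added example, not part of the original post: the company domain `example.com`, the keyword lists, the function names and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the organisation's real mail domain

# Illustrative keyword lists for the content clues (assumed, tune for real mail).
CLUES = {
    "gift_cards": re.compile(r"gift\s*cards?", re.I),
    "urgency": re.compile(r"\burgent(ly)?\b|\basap\b|right away|immediately", re.I),
    "confidentiality": re.compile(r"confidential|keep this between|don'?t tell", re.I),
}

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if unusable."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def is_internal(domain):
    """True for the company domain itself or any of its subdomains."""
    return domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN)

def score_message(raw):
    """Return the list of clues found in a single-part, plain-text message."""
    msg = message_from_string(raw)
    findings = []
    reply_dom = domain_of(msg.get("Reply-To"))
    from_dom = domain_of(msg.get("From"))
    # The "smoking gun": replies are routed to an address outside the company.
    if reply_dom and not is_internal(reply_dom):
        findings.append("reply_to_external")
    if from_dom and not is_internal(from_dom):
        findings.append("from_external")
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    findings += [name for name, pat in CLUES.items() if pat.search(text)]
    return findings

# Constructed sample: internal-looking From, external Reply-To.
SAMPLE = """\
From: "Pat Boss" <pat.boss@example.com>
Reply-To: "Pat Boss" <ceo.office@example.net>
To: sam@example.com
Subject: Urgent request

I need you to purchase some gift cards for a client right away.
Keep this confidential until I announce it. Send me the codes when done.
"""

if __name__ == "__main__":
    print(score_message(SAMPLE))
```

A message that trips the reply-to check together with any of the content clues is a good candidate for quarantine or a warning banner; keyword hits alone are too noisy to act on.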

Taking these clues into account, if the recipient still thinks the email could be genuine, he or she should validate the legitimacy of the request through established (and separate) communication methods. In this case, the recipient should pick up the phone and call the requester. It may be intimidating to call the boss, but which is worse – giving away $3,200 of company money or taking 30 seconds of the boss’s time?

It’s the thought that counts, so be sure to think it through.