What Happened
The scam is straightforward: a fraudster sends an email to an employee that appears to come from their boss or company executive. The email is urgent. The tone matches the boss's communication style. The request is specific: "I need you to go buy $500 in iTunes gift cards right now and send me the codes. This is for a client appreciation gift. Don't tell anyone." Some variations request Target cards, Google Play cards, or Amazon cards. The urgency is designed to bypass the part of the brain that asks questions.
The employee, who checks the sender's email address and sees it looks correct, believes they're receiving a legitimate urgent request from their superior. They drive to the store, buy the gift cards, and then, most critically, they take photos of the codes on the back of the cards and send them to the "boss." The fraudster now has the codes, redeems them immediately for cash or transferable currency, and the employee is left holding a physical card that's already been drained. By the time the employee mentions the purchase to their actual boss, the codes are already spent.
What makes this scam effective is the psychological mechanism it exploits: authority and urgency. An employee receives what appears to be a direct order from their superior. They're told it's urgent. They're told not to mention it. These three elements override the logical part of the brain that would otherwise say "this is weird; I should verify this." The scammer isn't trying to trick you into believing something false; they're trying to make you act so fast that you don't think at all.
Why This Matters
This scam works on smart people at legitimate companies. The victim isn't dumb or gullible; they're responding to what appears to be a legitimate authority figure making an urgent request. The email header looked right. The tone matched. The request was specific and had a plausible business explanation. The employee complied. That compliance cost money and created professional awkwardness when they had to explain to their actual boss what happened.
The FBI estimates this scam variation costs victims hundreds of millions annually. Employees at major corporations have lost thousands. The scammers are sophisticated enough to use spoofed email addresses, to research employee names and company hierarchies, and to craft messages that sound authentic. The only defense is a rule: no legitimate boss asks for gift card codes via email. None. Ever. If an executive needs to buy gifts, they have accounts, purchasing departments, or corporate cards. They don't ask employees to buy gift cards and send codes.
The Authority Override
This scam succeeds because it exploits the authority structure of employment. Employees are trained to follow instructions from superiors quickly. Questioning a boss's request can seem insubordinate. The scammer understands this and weaponizes it. By framing the request as coming from an authority figure and wrapping it in urgency and secrecy, they short-circuit the rational evaluation process. The employee's brain recognizes: authority + urgency + secrecy = comply immediately.
The defense requires overriding that pattern. If your boss asks you via email to buy gift cards, the correct response isn't to comply quickly. The correct response is to stop, call your boss directly (use a number you know is real), and verify the request. Every victim of this scam later says, "I should have just called to verify." Exactly. The tiny friction of verification completely breaks the scam. The fraudster is counting on the fact that you won't stop to verify because stopping to verify seems disrespectful to authority. That politeness is the cost of your money.
Sources
FBI: "Business Email Compromise and Gift Card Scams"
FTC: "Executive Impersonation Scams"
Internet Crime Complaint Center: "Gift Card Fraud Trends"