When the CEO Emails You for Gift Cards

You open your work email on a Tuesday morning, and there it is: a message from your company’s CEO. The subject line reads, “Quick Favor – Urgent.” You click. The email is short, direct, and oddly informal. The CEO says he’s in a meeting and can’t talk, but he needs you to run out and buy several hundred dollars’ worth of gift cards from a specific store. He promises to reimburse you as soon as he’s free. The request feels off, but you don’t want to seem unhelpful. After all, it’s the boss. So you stop everything, drive to the store, buy the cards, and scratch off the codes to send him the PINs by email. Within an hour, your money is gone, and the real CEO has no idea what you’re talking about.

This scenario is not a rare office prank or a test of loyalty. It is a well-established online scam known as the “CEO fraud” or “gift card phishing” attack. And it lands squarely in Unreputable’s Phishing Hall of Shame, right alongside the fake bank alerts and the “your package is delayed” texts. For middle-class Americans aged 45 to 64—who often hold jobs with enough responsibility to get these emails and enough trust in authority to follow through—this scam is a frequent and costly hazard.

The mechanics are simple and cruel. Scammers research your company online. They find the CEO’s name, title, and maybe even a photo. They then create a free email account that looks like the CEO’s real address, or they spoof the company domain to make the message appear legitimate. The email is crafted to create urgency and secrecy. The scammer knows that gift cards—typically from major retailers like Amazon, Target, or Best Buy—are nearly impossible to trace once the codes are used. They also know that most companies have no internal policy that says, “Don’t buy gift cards for your boss via email.” That gap is their opening.

Why do people fall for this? It’s not a lack of intelligence. The scam exploits basic human nature: the desire to please a superior, to act fast under pressure, and to avoid questioning authority. If the email reads, “I’m in a client meeting and need these for a gift,” your brain may override suspicion with compliance. Seniors and middle-aged workers are especially vulnerable because they often grew up in a professional culture where bosses gave direct orders and questioning them was seen as insubordination. Scammers know this. They prey on the very traits that make you a reliable employee: your responsiveness and your trust.

Once you send the gift card codes, the money is gone. The scammer redeems them immediately, often through automated reselling networks. You cannot call the gift card company and reverse the transaction. The bank will not reimburse you because you authorized the purchase. Your employer may sympathize, but they are under no legal obligation to cover your loss. The average victim loses between $500 and $1,500 per incident, and these scams have cost American consumers and businesses hundreds of millions of dollars over the past few years.

So how do you spot this trap before it costs you? Start with the email itself. Legitimate executives do not ask employees to buy gift cards with personal money. They have assistants, corporate credit cards, and procurement departments. An email that demands secrecy—“don’t tell anyone about this”—is a massive red flag. Real bosses do not need to hide a routine purchase from the finance team. Also, look at the email address. Hover your mouse over the sender’s name without clicking. If the actual address is a string of random letters at Gmail or a misspelled version of your company’s domain, do not engage. If the language feels slightly off—too casual, too demanding, or missing the CEO’s usual signature style—trust that feeling.

What should you do if you receive such an email? Do not reply. Do not forward it to coworkers out of curiosity, as that can spread the scam. Instead, report it to your company’s IT or security team immediately. Forward it to them as an attachment so they can analyze the headers. If you have already bought the cards and sent the codes, contact the gift card issuer’s customer service line right away. Some companies have a small window to freeze the card if you act within minutes. Then file a report with the Federal Trade Commission at ReportFraud.ftc.gov. You can also contact your local police, though recovery is unlikely.

The Phishing Hall of Shame is built on lessons learned the hard way. The CEO gift card scam belongs there because it exploits a fundamental weakness in workplace trust. Protect yourself by remembering one rule: no legitimate boss will ever ask you to buy gift cards and email the codes. The only person who does that is the scammer sitting in a basement or a foreign call center, counting on your obedience to pay their bills. Next time your inbox pings with an urgent favor from the top, pause, question, and click delete. Your wallet will thank you.