The new Employee had been at the company for three days.
She was still learning people's names, still figuring out where the printer was, still trying to read the room on how formal the culture actually was. Then a text arrived on her phone. It was from her CEO — or appeared to be. He had a task. He was in back-to-back meetings all day and couldn't take calls. He needed gift cards — Apple Store, a few hundred dollars' worth — for a client appreciation event. He'd reimburse her later. Could she help?
She wanted to help. Three days in, that's what you do. She was already typing a reply when something made her pause. She walked over to a colleague instead. The colleague had been at the company long enough to recognize the pattern immediately. The CEO hadn't sent that text. The new employee hadn't been three days into the job — she'd been three days away from becoming a statistic.
This story, documented by STACK Cybersecurity in June 2026, is not unusual. It's Tuesday. It happens in the morning, during the school run, after a long weekend, in the middle of a busy quarter-end. It happens to people who have been at the company three days and to people who have been at the company three years. The pretext shifts. The target shifts. The sense of urgency stays exactly the same. And the ask — gift cards, scratched codes, photos sent via text — stays the same too, because the ask works.
Gift card fraud is the most prevalent BEC cash-out method on earth. It accounted for 52.8% of all BEC attacks in December 2025, per Fortra's monthly intelligence report — and 46.5% in February 2026 even after a seasonal dip. It has led all other cash-out methods continuously since 2018. Wire transfers get the headlines because the amounts are larger. Gift card fraud gets the volume because the barrier to pulling it off is lower than almost anything else in the BEC playbook.
This piece is the most complete analysis of gift card fraud BEC available in 2026. We're going to cover why attackers choose gift cards over wire transfers, exactly how a campaign runs from first contact to laundered cash, who gets targeted and why, what detection looks like for an attack that generates no technical signal, and what organizations can do right now — not after the next incident — to close the gap.
The obvious question is the right one. Why would a sophisticated criminal operation bother with Apple gift cards when wire transfers move orders of magnitude more money? The answer reveals something important about how BEC campaigns actually scale.
Wire transfer fraud is lucrative but operationally complex. It requires a receiving account — usually a mule account that can be frozen by the receiving bank, flagged by fraud detection, or reversed within a narrow window if the victim moves quickly. The money exists in a financial system that has controls, and those controls occasionally work.
Gift card codes are different. They are, in practice, digital cash. The 16-digit code on the back of an Apple Store card has no name attached to it, no bank account that can be frozen, and no reversal mechanism once the code has been redeemed. The victim sends a photograph of the scratched-off code. That code is live the moment it's received. The attacker can begin laundering it within minutes, while the victim is still at the pharmacy counter buying the next card.
The FTC documented this reality directly in its January 28, 2026 consumer alert — titled, with commendable plainness, 'No, that's not your boss asking you to buy gift cards.' The alert noted that gift cards have topped the list of preferred payment methods by scammers continuously since 2018. The irreversibility is the feature, not a bug.
Wire transfer BEC targets finance staff and executives — a small population with access to wire initiation systems and approval authority. The average wire fraud request runs around $45,000 to $60,000, and the pool of viable targets is narrow. A single successful wire is significant. A failed attempt at a well-protected target is a dead end.
Gift card BEC targets anyone with a credit card and a willingness to help. The pool of viable targets is the entire employee roster. A request for $500 in Apple cards doesn't require approval authority or access to a financial system. It requires a phone, a drugstore, and a sense that the boss needs help with something. The per-attack revenue is lower — requests typically run between $200 and $2,000 — but the addressable target population is 20 times larger, the success rate against untrained employees is high, and the operational cost per attempt is close to zero.
Wire fraud needs the CFO. Gift card fraud needs anyone. That's why the volume never stops.
Almost every gift card BEC request includes a reason why the purchase must be kept secret. It's a surprise for the team. It's a client gift and the client shouldn't hear about it in advance. It's an end-of-year bonus and HR hasn't announced it yet. The attacker instructs the victim not to tell anyone.
That secrecy pretext does two things simultaneously. It provides a plausible narrative for why the CEO is making a personal purchase through an employee instead of through the normal procurement process. And it prevents the victim from doing the one thing that would immediately expose the fraud — mentioning it to a colleague who has been at the company long enough to know this isn't how the CEO operates.
She almost didn't pause. She's the exception, not the rule. The FTC's data shows gift card fraud losses running into hundreds of millions of dollars annually. Those numbers represent the people who didn't pause.
Most security content describes gift card BEC in abstract terms — the attacker impersonates the CEO, requests gift cards, launders the proceeds. What that description misses is the specific, calibrated human exchange that makes the attack work. The exchange below is a reconstructed composite, drawn from documented cases and active engagement research by Fortra's FIRE team and Cofense's threat researchers — not a verbatim transcript of any single incident.
ATTACKER Hi, are you available? I need a quick favor.
EMPLOYEE Sure, what do you need?
ATTACKER I'm in back-to-back meetings and can't step out. I need to get some gift cards for a client appreciation event we're running this afternoon. Can you pick some up on the company card and I'll get the receipt sorted after?
EMPLOYEE Of course, how many?
ATTACKER Four Apple Store cards, $200 each. Keep it between us for now — it's a bit of a surprise and I don't want it getting around before the event.
EMPLOYEE Sure, heading out now.
ATTACKER Great. Once you have them, scratch the back and send me a photo of the codes. I'll add them to the account remotely.
By the time the employee scratches the back of the first card, the attacker is ready. The codes will be posted on peer-to-peer cryptocurrency marketplaces before the employee has finished photographing the second card. The entire cash-out chain runs in parallel with the purchase. The attacker is not waiting for all four cards. They're laundering card one while the victim is still standing at the register.
Cofense documented this timing precisely in their active engagement research: they observed gift cards being posted on peer-to-peer exchanges for trade within minutes of the victim sending the first code, with the laundering process occurring in parallel across multiple card codes simultaneously. The 'safety window' that exists for wire transfers — banks have up to 72 hours to reverse a fraudulent ACH transaction under certain circumstances — does not exist here. There is no mechanism to un-redeem a gift card code.
Understanding the full cash-out chain matters because it illuminates why recovery is so rare and why the attack persists at high volume despite widespread awareness. The chain is fast, anonymous, and built on infrastructure that is not itself criminal.
The victim sends photographs of scratched gift card codes via text or email. The attacker receives 16-digit codes that can be redeemed on the issuer's platform or sold on secondary markets. The codes carry no name, no transaction history, and no link to the victim's identity.
The codes are immediately listed on peer-to-peer cryptocurrency marketplaces — platforms that allow users to buy Bitcoin using gift cards as payment. Apple iTunes and Google Play cards are among the most actively traded. The attacker lists the codes at a discount — typically 70-80 cents on the dollar — and converts them to Bitcoin within minutes. The speed of this conversion is what makes the 'phone the bank' response strategy functionally useless for gift card fraud. By the time the victim realizes what happened and calls anyone, the codes have been converted and the gift card itself is worthless.
The Bitcoin moves from the attacker's wallet to a second peer-to-peer exchange. On Remitano, the attacker advertises Bitcoin for sale and a buyer purchases it via bank transfer. The funds arrive in a bank account. Fortra's intelligence team traced this specific chain through their research into Scarlet Widow — a West African BEC group that used this exact three-step process to launder 140 iTunes cards obtained from successful BEC attacks across a six-month period. The core mechanics of gift card-to-crypto laundering remain consistent.
In August 2018, Scarlet Widow targeted an administrator at an Australian university, impersonating the head of the Finance Department. The administrator purchased $1,800 in Apple iTunes gift cards and sent photographs of the codes. Fortra's researchers documented that the laundering process began while the victim was still sending the photos — the first codes were already live on a peer-to-peer exchange before the last card was purchased. Total time from gift card purchase to converted cash: under an hour.
46.5% of all BEC cash-out methods in February 2026 — gift cards have led every other method continuously since 2018 — Fortra FIRE
The targeting logic for gift card BEC is precise, and it's worth understanding because it tells organizations exactly where their exposure concentrates.
A new employee is, from the attacker's perspective, nearly ideal. They don't know what the CEO's communication style actually looks like. They don't know whether the company ever runs client appreciation events this way. They don't know whether gift card requests from leadership are normal or absurd. They haven't built the informal institutional knowledge that makes experienced employees pause.
What they do have is a strong desire to be helpful, a reluctance to challenge authority in their first weeks, and an instinct not to bother busy colleagues with what might be a routine request. Attackers research LinkedIn posting history and company websites for new hire announcements. A public post announcing a new role is a targeting signal. Cases like the STACK Cybersecurity incident are explicitly triggered by an employee's newness — the attacker identifies the target through exactly that kind of public announcement.
The FBI notes that gift card request BEC now frequently arrives via text to personal phones rather than through corporate email — specifically because new employees haven't yet developed the pattern recognition that makes them skip the personal-device verification step that corporate security training might establish.
Executive assistants are accustomed to running errands on behalf of leadership. Purchasing supplies, coordinating gifts, handling logistics that the executive doesn't have time for — these are normal job functions. An attacker impersonating a CEO and asking an assistant to pick up gift cards is asking them to do something structurally identical to what they do legitimately. The content of the request fits the role. The channel — a text or informal email — fits the way executives actually communicate with their support staff.
Unlike wire transfer BEC, which requires a target who can initiate or approve a financial transaction, gift card BEC works on virtually any employee. Fortra's research found that the scope of viable targets in gift card campaigns is not limited to finance or HR. The attacker can target a junior account manager, a marketing coordinator, or a customer service rep. The only requirement is a credit card and a willingness to help the boss.
This is why gift card fraud volume remains so high even as organizational security awareness improves. The AI-powered phishing detection guide makes a point that applies directly here: training calibrated for the average employee doesn't protect the new hire who hasn't had it yet, the admin who doesn't recognize the pattern, or the employee who receives the request on their personal phone outside the corporate security perimeter entirely.
The data from Fortra's FIRE team — built from direct active engagement with BEC threat actors, not self-reported survey data — gives the most granular picture of how gift card fraud has evolved through 2025 and into 2026.
In December 2025, gift cards accounted for 52.8% of all BEC cash-out methods. Apple Store was the most requested card type, making up 50% of all gift card requests, followed by Amazon at 18.8% and DoorDash at 9.4%. By February 2026, Apple's share of gift card requests had risen to 41.2%, with Amazon at 29.4% and Airbnb at 11.8%. By April 2026, Apple had reached 54.9% of all gift card requests.
Apple's dominance is not accidental. Apple Store cards are universally recognized, easily redeemable against a platform most employees use personally, and highly liquid on secondary markets. They carry the highest value per unit relative to the victim's perceived effort. An attacker asking for Apple cards is optimizing for the highest conversion rate in the laundering chain, not just the easiest ask.
The requested amounts per attack typically run between $200 and $2,000 — low enough to avoid triggering procurement approval processes, high enough to make the campaign worthwhile at scale. Multiple attacks across multiple targets in a single campaign can aggregate to significant totals. The FBI IC3 reports billions in BEC losses annually, and while wire transfers dominate by amount, gift card fraud dominates by volume. The complete BEC guide contextualizes where gift card fraud fits within the broader ecosystem — but the short version is that gift card campaigns are the highest-volume, lowest-barrier-to-entry attacks running in enterprise email environments right now most incidents go unreported.
Gift card BEC is, in a precise technical sense, the hardest BEC variant to catch with infrastructure-based detection. The reasons are structural.
A gift card request email contains a greeting, a request, a pretext, and a secrecy instruction. There is no malicious link. There is no malicious attachment. There is no known threat template. The language is casual and conversational, because urgency without alarm is the intended register. Modern AI generation has made the text indistinguishable from how a real executive might actually write — in many cases, it's better written than genuine executive emails, because AI has no typos and nobody's real boss writes under time pressure.
The FBI explicitly noted in 2025 that gift card BEC is increasingly arriving via SMS to employees' personal phones — not through corporate email at all. A text to a personal number goes through no corporate security scanning. No gateway. No DLP. No anything. The corporate security stack doesn't process personal SMS. The attacker knows this. Routing the initial contact through a personal device channel specifically sidesteps the monitoring perimeter where any detection might exist.
Even when an employee receives a gift card request that feels slightly odd, the secrecy instruction prevents the natural verification behavior — asking a colleague — that would immediately expose the fraud. The victim doesn't flag it because they believe they're not supposed to discuss it. The attack exploits the social dynamics of workplace hierarchy and confidentiality in a way that has nothing to do with technical sophistication.
A $500 gift card purchase doesn't typically surface in the AP workflow the way a $50,000 wire does. It may go through on a corporate card with no secondary approval. It may be expensed afterward without raising flags. The per-transaction amount is specifically calibrated to stay below thresholds — both formal approval limits and informal attention thresholds for people reviewing expense reports.
The convergence of these factors — no technical payload, personal device delivery, social secrecy pretext, below-threshold amounts — creates an attack that defeats every layer of the detection stack simultaneously. The only detection model that has any chance of catching it evaluates the intent and context of the communication, not its technical attributes. Does this request fit how this executive actually communicates? Has the CEO ever asked this person to buy gift cards before? Is this consistent with the organizational communication patterns TRACE has modeled for this sender? Those are the questions that how TRACE powers real-time email threat prevention details — and they're the questions that separate detection that catches gift card BEC from detection that has no model for it at all.
Gift card BEC worked before AI-generated text. What AI does is remove the few remaining signals that allowed trained employees to identify suspicious messages.
The classic tells of phishing — awkward phrasing, grammatical errors, unusual formality or unusual informality, off-brand vocabulary — all reflected the reality that most gift card BEC attacks were composed by non-native English speakers under volume pressure. The Nigerian-origin campaigns that Fortra's data consistently tracks produced messages that were recognizably imperfect. Security awareness training built partly around spotting those imperfections.
That training is now less effective than it was. An LLM given a sample of the target executive's real emails can produce a gift card request that matches their vocabulary, their casual register, and even their characteristic punctuation patterns. The request sounds like the boss because it was trained on the boss. documents the 14x surge in AI-generated phishing between November and December 2025. Gift card fraud is not immune to that trend — it benefits from it directly, because the one detection signal that worked against it (imperfect language) has been removed from the attack.Our analysis of how AI transformed phishing in 2026
What AI also enables is volume at scale. An attacker who previously composed gift card requests manually could run perhaps a dozen campaigns per day. With AI-assisted composition and automated personalization from LinkedIn and company website data, the same attacker can run hundreds. The targeting gets more precise. The impersonation gets more convincing. The volume increases. And the per-attack economics — which were already favorable — become even more so.
Law firms, consulting firms, and other professional services organizations have cultures where executive requests for quick assistance are genuinely common and genuinely expected to be handled discreetly. The professional services context — where client confidentiality is a core value and discretion is explicitly trained — makes the secrecy pretext feel appropriate rather than suspicious. Gift card BEC attacks in professional services contexts often invoke client gifts, surprise recognitions, or vendor relationships that the target is told to handle quietly as a professional courtesy.
Universities and schools are disproportionately targeted by gift card BEC. The Australian university case Fortra documented is not an outlier. Educational institutions have large populations of administrative staff accustomed to supporting faculty and leadership, relatively flat approval hierarchies for small purchases, and a helping culture that makes requests to 'pick something up' feel routine. The Scarlet Widow group explicitly targeted university administrators as a primary category.
Healthcare organizations have large administrative populations, high staff turnover that creates a continuous stream of new employees unfamiliar with communication norms, and organizational cultures where requests from leadership are typically treated with urgency. The same structural features that make healthcare organizations vulnerable to payroll diversion BEC also make their administrative staff viable targets for gift card fraud.
Small and mid-size businesses are explicitly disproportionately targeted for gift card BEC, per the FBI's alert data. Fewer employees who know each other well enough to flag unusual requests, less formal procurement approval processes for small purchases, and limited security awareness investment. At a 20-person firm, a new employee receiving a text from the CEO's spoofed number has no institutional context to draw on and nobody to ask without feeling like they're overreacting.
Defending against gift card BEC requires accepting two uncomfortable truths simultaneously: technical controls alone cannot stop it, and human awareness alone cannot stop it either. The defense has to combine both, in specific ways that close the gaps each leaves open.
STACK Cybersecurity documented an emerging organizational control that directly counters the gift card BEC pattern: a corporate verification phrase. When any employee receives a request to make a financial purchase on behalf of an executive — whether by email, text, or phone — they respond with: 'Before I proceed, what's the corporate verification phrase?' If the requester can't provide the phrase, the request gets escalated. The phrase is shared only internally, never transmitted electronically, changed regularly, and known to a defined circle.
This is low-tech, costs nothing, and defeats gift card BEC completely. The attacker cannot provide a phrase they've never seen. It also defeats voice-based follow-ups, because a phone call from a spoofed number can't answer a question the real executive didn't share. The phrase approach is the gift-card-fraud equivalent of the out-of-band callback protocol we recommended for vendor email compromise — it removes the attack's ability to succeed through a single compromised channel.
Security awareness training programs that cover general phishing don't cover gift card BEC with the specificity needed to change behavior. New employee onboarding should include three specific pieces of information: the CEO will never ask you to buy gift cards via text; the secrecy instruction is the fraud's most important tell; and the right response to any unusual purchase request from leadership is to verify through a second channel before doing anything else.
This training needs to happen before the employee's first day of receiving work communications, not in month three as part of a quarterly cybersecurity module. The documented near-miss case happened on day three. Onboarding training that happens in week two arrives after the window when the risk is highest.
One of the most underused tools against gift card BEC is simply documenting how the company's executives actually communicate. If the CEO never texts employees directly, that norm should be written down, shared with the team, and referenced explicitly in onboarding. If executive requests for purchases always go through the EA, that should be documented as the only legitimate channel. Written communication norms give employees a concrete reference point when a request arrives that doesn't fit the documented pattern.
Gift card purchases on corporate cards don't typically trigger the same review as wire transfers, but they can be caught in the expense process if controls exist. Requiring a manager approval note for any gift card purchase above a defined threshold — even a low one like $50 — creates a post-purchase verification step that surfaces suspicious activity before it becomes a pattern. Combined with a flag in the expense system for any gift card line item pending explanation, this gives the finance function visibility into a purchase category that is otherwise largely invisible.
Not all gift card BEC arrives via personal SMS. A significant portion still comes through corporate email, and for those, the detection question is whether the request fits the established communication pattern of the purported sender. TRACE's behavioral modeling establishes per-sender baselines — how the CEO actually writes, who they typically communicate with, what types of requests have historically originated from their account — and evaluates incoming and outgoing messages against those baselines. A gift card request from the CEO's account, to an employee they've never emailed directly, asking for something that's never appeared in this sender's communication history, generates a specific anomaly signal that StrongestLayer's attack taxonomy identifies as consistent with the gift card BEC pattern. The detection doesn't depend on the message containing a malicious link. It depends on the message not making sense for this sender in this context — and that's a judgment that requires reasoning, not rule-matching.
Security content has a tendency to focus on the sophisticated threats — the AiTM session hijacks, the nation-state spear-phishing campaigns, the multi-stage account compromise operations. Those threats are real and they deserve attention. But the most prevalent BEC cash-out method in the world right now is someone texting an employee, pretending to be the boss, and asking for Apple gift cards.
That simplicity is the point. Gift card fraud doesn't need infrastructure. It doesn't need a proxy server, a PhaaS subscription, or a lookalike domain. It needs a spoofed phone number or a free webmail account — 69% of these attacks originate from free webmail providers, per Fortra's February 2026 data — and the knowledge that somewhere in every organization is a person who will want to help before they think to verify.
The Australian university administrator who sent $1,800 in iTunes codes to Scarlet Widow while the laundering chain was already running wasn't careless. She received a request that appeared to come from a legitimate internal authority and responded the way her job trained her to respond: promptly and helpfully. The attack worked because it was designed to work against exactly that instinct.
She paused. She happened to pause. She happened to be the exception in a threat category that counts on most people not pausing. The organizations that close this gap don't rely on their employees happening to pause. They build the pause into the process — through corporate verification phrases, explicit communication norm documentation, onboarding that covers this attack specifically, and detection that flags gift card requests from executive accounts that don't fit established behavioral patterns.
The StrongestLayer email attack taxonomy tracks gift card fraud at trajectory 3.9 and rising. The FTC issued a consumer alert about it in January 2026. The FBI reports it as a common BEC variant arriving on personal phones. Fortra's direct engagement research shows it as the most prevalent cash-out method across 2025 and into 2026. The threat has been named, documented, and analyzed for years. The employees it targets still buy the gift cards — because knowing something exists and being prepared for it when it arrives at 9am on a Tuesday, in a text that looks like it came from your CEO, are two very different things.
Three reasons. First, gift cards are irreversible — once you send the code, there is no bank, no dispute mechanism, and no chargeback. Second, they're anonymous — a 16-digit code carries no name, no account number, and no traceable identity. Third, they're liquid — a gift card code can be converted to Bitcoin in minutes on peer-to-peer exchanges, far faster than a wire can be recalled. The tradeoff is that each attack nets less money than a wire. Attackers compensate by running gift card campaigns at far higher volume against a much wider pool of targets — any employee with a credit card, not just finance staff with wire access.
Act immediately — you have a narrow window. Call the gift card issuer directly using the number on the back of the card or on the receipt. Report the fraud and ask for the card to be frozen. Some issuers — Apple, Google, Amazon — have fraud programs that can freeze unredeemed value and return it. The FTC confirms this: if the scammer hasn't redeemed the code yet, the issuer may be able to recover the funds. The faster you call, the higher the chance. Also report to the FTC at ReportFraud.ftc.gov and to the FBI's IC3 at ic3.gov. Keep the physical card, the receipt, and any screenshots of the conversation. Your bank typically cannot help because you made the purchase voluntarily — the issuer is your best recovery path.
One check closes this immediately: call your CEO directly on a phone number you already have saved — not one provided in the message. Legitimate executives do not ask employees to purchase gift cards via text or email. The FBI states this plainly. If your CEO genuinely needed gift cards for a client event, that request would go through procurement or an EA with a purchase order, not a personal text to a random employee. The secrecy instruction — 'keep this between us,' 'it's a surprise' — is the most reliable tell. Real gift purchases at work don't require secrecy. Fraud does.
Apple Store cards dominate — they accounted for 54.9% of all gift card requests in BEC attacks tracked by Fortra's FIRE team in April 2026. Amazon is second at 26.4%. Google Play, Steam, and Airbnb also appear regularly. Apple's dominance reflects the laundering chain: Apple cards are the most actively traded for Bitcoin on peer-to-peer cryptocurrency platforms, and they carry the highest resale value per unit. When a scammer specifies Apple Store specifically, that specificity itself is a signal — attackers have learned which cards convert fastest and optimize for those brands.
In order: 1. Call the gift card issuer immediately and report the fraud — give them the card numbers and ask for a freeze. 2. Report to the FTC at ReportFraud.ftc.gov and the FBI at ic3.gov. Include all transaction details and any email or text screenshots. 3. Preserve everything — the purchase receipt, the card, the conversation thread. 4. Notify your IT or security team so they can determine whether the request came through corporate email (possible phishing infrastructure to block) or a personal device (different vector). 5. Do not shame the employee. Gift card BEC is specifically designed to target people who are new, helpful, or in a position where they wouldn't question the boss. The failure is a process gap, not a personal one. Use it to implement a verification phrase and explicit communication norm documentation before it happens again.
It's been the most prevalent BEC cash-out method continuously since 2018. In 2015, only 7% of scam victims reported losing money via gift cards. By end of 2018, over a quarter of all scams used gift cards as the cash-out mechanism. The FTC has been tracking this for years and issued a specific consumer alert in January 2026 titled 'No, that's not your boss asking you to buy gift cards.' What's new in 2026 is the delivery: attacks increasingly arrive via personal SMS rather than corporate email, specifically to bypass corporate email security scanning. The technique is old. The delivery is evolving.
New employees are the optimal target for two structural reasons. First, they don't know what the executive's communication style actually looks like — they have no baseline for whether the boss texts employees directly, or whether client gift purchases go through procurement. Second, they have strong motivation to be helpful and a reluctance to push back on authority in their first weeks. Attackers actively research LinkedIn new hire announcements and company websites for staff updates. A public post announcing a first week on the job is a targeting signal. The STACK Cybersecurity incident documented in June 2026 was triggered exactly this way — a new employee was contacted within days of their start.
Because most gift card BEC emails contain nothing technically malicious. No link. No attachment. No known phishing template. The message is just text — a casual request in plain language from what appears to be a known sender. Email gateways are built to detect malicious payloads, spoofed domains, and known-bad signatures. A gift card request that passes sender authentication checks and contains no scannable threat gives a gateway nothing to act on. The additional problem: a growing share of these attacks arrive via personal SMS, completely bypassing corporate email infrastructure entirely. Detection that can catch this has to evaluate intent and context — does this request make sense for this sender, to this recipient, in this organization — not just scan for technical threat signatures.
Immediately. Cofense's active engagement research documented codes being posted on peer-to-peer cryptocurrency exchanges within minutes of the victim sending the first photo — while the victim was still at the store purchasing additional cards. The laundering happens in parallel with the purchase, not after. By the time a victim calls to report the fraud, the codes have typically already been converted to Bitcoin and moved. This is why the recovery window is so narrow — if you don't call the gift card issuer within hours of sending the codes, the chance of recovering anything approaches zero.
A corporate verification phrase is a shared internal code word or phrase that employees use to verify sensitive requests from leadership — particularly any request involving a financial purchase. If someone claiming to be the CEO asks you to buy gift cards, you respond: 'Before I proceed, what's the verification phrase?' If they can't provide it, you escalate and don't proceed. It works because the attacker, however convincingly they've impersonated your CEO, cannot answer a question whose answer was never shared outside the organization and never transmitted electronically. STACK Cybersecurity documented this as one of the most effective low-cost controls against gift card BEC in their 2026 analysis. It costs nothing to implement, takes one team meeting to introduce, and defeats the attack completely.
Both, but small and mid-size businesses are disproportionately targeted. The FBI explicitly notes this. Larger organizations have formal procurement processes that create natural friction — a $500 gift card purchase that can't be authorized by a single employee without a PO number is harder to pull off. Smaller organizations often have informal approval cultures where an employee with a corporate card can make a routine purchase without secondary review. The per-attack value is lower against a small target, but the volume makes it worthwhile — attackers run hundreds of campaigns simultaneously using free webmail accounts, and the operational cost per attempt is near-zero.
Go to ReportFraud.ftc.gov and include: the date and time the request arrived, the platform it came through (email, SMS, social media), the number or address it came from, the gift card brands and amounts purchased, the store where you bought them, the receipt or order confirmation number, and screenshots of the full conversation. The more detail you provide, the more useful your report is for the FTC's pattern tracking — which feeds law enforcement action against organized BEC groups. Also report to the FBI at ic3.gov and to the gift card issuers directly. All three reports serve different purposes and none of them make the others redundant.
TRACE doesn't look for a malicious payload. It evaluates whether the communication makes sense — whether a request from this sender to this recipient, for this type of action, fits the established behavioral pattern of this organization. A gift card request from an executive's account to an employee they've never emailed directly, asking for something that has never appeared in this sender's communication history, generates a specific anomaly signal regardless of whether the message contains any technical threat signature. How TRACE powers real-time email threat prevention covers the full architecture. For gift card fraud specifically: the detection fires on the communication pattern, not the content — which is the only model that works against an attack designed to have no detectable content.
Be the first to get exclusive offers and the latest news
Deploy in minutes, not months. Zero tuning. See what your current tools are missing.