Gift Cards: A Scammer’s Favorite

Gift cards are popular gift ideas year-round and a favorite for scammers. Threat actors request them in social engineering schemes because they can be used as easily as cash, work as a payment method not linked to a specific person or entity, and do not have the same protections as credit or debit cards. In these schemes, threat actors send fraudulent requests, primarily through email, to steal money from their targets. To create legitimacy, threat actors often spoof or impersonate trusted contacts such as family and friends. They also exploit organizations by impersonating positions of leadership or authority within an organization, including CEOs, other C-suite executives, school principals, law enforcement, and religious leaders.

The NJCCIC continues to receive reports of fraudulent emails with gift card lures sent to New Jersey State employees, using direct phrases or questions to engage the target in further conversation. For example, threat actors send brief messages asking if the target has an Amazon account or shops on Amazon. The subject lines include keywords such as “favor,” “FYI,” and “Requesting.” If the target replies, the threat actors make an urgent request and attempt to convince their targets to purchase gift cards and then provide the gift card numbers and PINs found on the back of the cards. This information allows the threat actors to use the gift card’s funds without having the physical card. Unfortunately, victims can suffer significant monetary losses, as they typically cannot recover the money used for purchasing the gift cards.

In another example, threat actors impersonated an executive at an educational institution but emailed the target from a Gmail account. They requested the target purchase multiple $200 Apple gift cards for other staff members with the promise of reimbursement. The victim sent the threat actors pictures of the back of the gift cards.

Requests to purchase gift cards are unusual and typically convey a sense of urgency; therefore, they should be handled with increased suspicion. Additionally, users who send unsolicited emails or messages on online platforms may violate account policies or terms of use and should be reported to the sender’s email provider or associated online platform.
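The indicators described above can be combined into a simple mail triage check. The following is an added example, not NJCCIC code; the organization domain, leader name, urgency wording, length cutoff, and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical values for illustration; replace with your own directory data.
ORG_DOMAIN = "example.edu"
LEADERS = {"dana whitfield"}  # display names of executives / principals
# Subject keywords reported in the advisory, matched as whole words.
SUBJECT_RE = re.compile(r"\b(favor|fyi|requesting)\b", re.I)
GIFT_RE = re.compile(r"\bgift\s*cards?\b", re.I)
AMAZON_RE = re.compile(r"\bamazon\b", re.I)
URGENT_RE = re.compile(r"\b(urgent(ly)?|asap|right away|immediately)\b", re.I)  # assumed wording

def body_text(msg):
    """Concatenate decoded text/plain parts (handles multipart and base64)."""
    out = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(out)

def indicators(raw_message):
    """Return the gift-card-lure indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = body_text(msg)
    found = []
    # Leader's name in the display field, but the address is outside the organization.
    if display.strip().lower() in LEADERS and domain != ORG_DOMAIN:
        found.append("leader-name-external-address")
    if SUBJECT_RE.search(msg.get("Subject", "")):
        found.append("subject-keyword")
    # Brief opener asking about Amazon (200-character cutoff is an assumption).
    if AMAZON_RE.search(body) and "?" in body and len(body) < 200:
        found.append("short-amazon-question")
    if GIFT_RE.search(body):
        found.append("gift-card-request")
    if URGENT_RE.search(body):
        found.append("urgency")
    return found

def needs_review(raw_message, threshold=2):
    """One keyword alone is weak evidence; flag only when indicators combine."""
    return len(indicators(raw_message)) >= threshold

# Constructed sample messages (not real reports).
PROBE = 'From: "Dana Whitfield" <dwhitfield.office@gmail.com>\nSubject: Quick favor\n\nAre you free? Do you shop on Amazon?\n'
FOLLOWUP = 'From: "Dana Whitfield" <dwhitfield.office@gmail.com>\nSubject: Requesting\n\nBuy four $200 Apple gift cards for staff right away. I will reimburse you.\n'
BENIGN = 'From: "Dana Whitfield" <dana.whitfield@example.edu>\nSubject: FYI: meeting moved\n\nThe budget meeting is now Thursday at 3 pm.\n'
```

A legitimate internal message with "FYI" in the subject yields a single indicator and is not flagged, while both the opening probe and the follow-up request cross the threshold.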

Recommendations

  • Refrain from complying with requests to purchase gift cards and from sending gift card numbers and PINs to anyone without first verifying the request through a separate means of communication.
  • If gift card information is sent, immediately contact the company that issued the gift card to inquire if the funds are still on the gift card and can be frozen.
  • Review the FTC’s Avoiding and Reporting Gift Card Scams, Amazon’s Common Gift Card Scams, and Apple’s Gift Card Scams for further information and resources.
  • Report gift card scams and other malicious cyber activity to the NJCCIC, the FBI’s IC3, and the FTC.