Why Gift Card Scams Are Getting Trickier to Spot
This article originally appeared in SC Media.
The holiday season is at its peak—and so are social engineering scams. With security teams stretched thin and racing to wrap up big projects before a well-earned break, it’s not unusual for employee vigilance to fall by the wayside. That, combined with the year-end spike in corporate gifting and employee appreciation efforts, makes December the perfect time for cybercriminals to strike with a popular attack: the CEO gift card scam.
Making matters much worse, threat actors have armed themselves with new tactics for slipping past traditional security tools and deceiving well-meaning employees. Security leaders who underestimate this rapidly-advancing threat and fail to strategize accordingly could end the year with a massive headache.
Over the past decade, threat actors have increasingly turned to business email compromise (BEC) attacks, impersonating trusted entities and convincing targets to take a seemingly routine action, like updating payment account details. A CEO gift card scam is a sub-type of BEC attack in which a cybercriminal impersonates a CEO or other high-level authority figure and manipulates an employee into purchasing several gift cards—often under the guise of using them for employee gifts or sales incentives.
As with all BEC attacks, gift card fraudsters rely on social engineering techniques—like creating a sense of urgency or wielding authority—rather than brute force tactics or email attachments infected with malware. For example, they might tell the employee they need the gift card details within a couple of hours, pressuring the target to take action before they can second-guess the request.
Because this scam begins as a text-only message, often sent from a domain that passes authentication checks (a free webmail account, or a compromised mailbox at a legitimate organization), it is less likely to trip legacy products like secure email gateways (SEGs) than an email carrying a suspicious link or attachment. And while the scam usually starts via email, some attackers move the conversation to SMS or even a phone call once the target has replied, taking it out of the inspected channel entirely.
How Gift Card Scams Have Evolved
Despite increased focus on security awareness efforts that educate employees on identifying gift card scams and other common email threats, these attacks are becoming more sophisticated and increasingly hard to spot, even for trained staff.
For example, instead of using dubious-looking email addresses, cybercriminals are increasingly spoofing the display name of a known executive, or registering a free webmail account (Gmail, for instance) whose username is the impersonated executive's name. In some cases, threat actors use lookalike domains or compromised email accounts, which are even less likely to arouse suspicion, especially for busy employees with overflowing inboxes.
And while many companies use email threat detection tools that match on known patterns, such as frequently used phrases from earlier campaigns, cybercriminals have adapted. To bypass SEGs, some attackers use lookalike character substitution, replacing letters with characters that render similarly: an exclamation point for a capital "I", a digit "1" for a lowercase "l", or a Cyrillic letter for its Latin twin. The message still reads normally to a human, but a signature written for the plain text never matches.
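The following is an added example, not code from the article or from any product it mentions, showing how the sender-side tricks above (spoofed display names, free-webmail accounts carrying an executive's name, lookalike domains) and the character-substitution trick can be screened for together. Every name, domain and message in it is constructed for illustration: the company domain, the executive list, the free-webmail set and the phrase lists are all assumptions a real deployment would replace with its own data.

```python
"""Heuristic screen for CEO gift card scam e-mails (constructed example)."""
import re
import unicodedata

# Hypothetical company data for this example.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}  # display name -> real mailbox
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Characters attackers swap in for letters to dodge string matching,
# e.g. "!" or "1" for "I", "0" for "o", Cyrillic letters for Latin ones.
LOOKALIKES = str.maketrans({
    "!": "i", "1": "i", "|": "i", "l": "i",   # every thin vertical stroke -> i
    "0": "o", "3": "e", "@": "a", "$": "s", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0456": "i", "\u0455": "s", "\u0445": "x",  # Cyrillic с і ѕ х
})
GIFT_CARD_PHRASES = ("gift card", "itunes", "google play", "scratch off",
                     "card numbers", "claim codes")
URGENCY_PHRASES = ("asap", "right away", "within the hour", "in a meeting",
                   "can't talk", "keep this between us", "discreet")
FROM_RE = re.compile(r'^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$')


def skeleton(text: str) -> str:
    """Fold text to a form that survives lookalike character substitution."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return text.lower().translate(LOOKALIKES)


# Executive names are folded too, so "Jane D0e" and "Jane Doe" collide on purpose.
EXEC_BY_SKELETON = {skeleton(n): a for n, a in EXECUTIVES.items()}


def parse_from(header: str) -> tuple:
    """Split 'Display Name <addr>' into (display name, lowercase address)."""
    m = FROM_RE.match(header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch near-miss domain spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str) -> bool:
    """True when the domain imitates COMPANY_DOMAIN without being it."""
    if domain == COMPANY_DOMAIN:
        return False
    folded, target = skeleton(domain), skeleton(COMPANY_DOMAIN)
    return folded == target or edit_distance(folded, target) <= 1


def screen(msg: dict) -> dict:
    """Score one message (keys: from, subject, body) and list the reasons."""
    name, addr = parse_from(msg["from"])
    domain = addr.rsplit("@", 1)[-1]
    reasons = []
    real = EXEC_BY_SKELETON.get(skeleton(name))
    if real and addr != real:  # an executive's name on someone else's mailbox
        reasons.append(f"display name impersonates executive: {name} <{addr}>")
        if domain in FREE_WEBMAIL:
            reasons.append(f"sender is a free webmail account ({domain})")
    if is_lookalike_domain(domain):
        reasons.append(f"lookalike of {COMPANY_DOMAIN}: {domain}")
    text = skeleton(msg["subject"] + " " + msg["body"])
    if any(skeleton(p) in text for p in GIFT_CARD_PHRASES):
        reasons.append("gift card request wording")
    if any(skeleton(p) in text for p in URGENCY_PHRASES):
        reasons.append("urgency or secrecy cue")
    score = len(reasons)
    return {"score": score, "reasons": reasons,
            "verdict": "quarantine" if score >= 2 else "deliver"}


# Constructed sample traffic; none of it comes from the article.
SAMPLE_MESSAGES = [
    {"from": '"Jane Doe" <jane.doe.ceo@gmail.com>', "subject": "Quick favor",
     "body": "Are you available? I need you to pick up some g!ft cards for client "
             "gifts. I'm in a meeting and can't talk, so send me the card numbers asap."},
    {"from": "Jane Doe <jane.doe@examp1e.com>", "subject": "Year-end bonuses",
     "body": "Please buy 10 Google Play gift cards ($200 each) for the team and "
             "send me the claim codes today. Keep this between us for now."},
    {"from": '"Jane Doe" <jane.doe@example.com>', "subject": "Q4 board deck",
     "body": "Can you send me the latest revenue slide before Thursday? Thanks."},
    {"from": "Shop Deals <promo@shop-example.net>", "subject": "Holiday offers",
     "body": "Holiday gift cards are now 20% off through December."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        r = screen(m)
        print(f"{r['verdict']:<10} score={r['score']}  {m['subject']!r}")
        for reason in r["reasons"]:
            print("    -", reason)
```

The point of folding both the message and the phrase list through `skeleton()` is that "g!ft cards" and "Google P1ay" match the same rule as the plain spelling, so the substitution trick buys the attacker nothing. Note also what the header checks cannot do: a message sent from the real executive's compromised mailbox (the third sample, had it asked for gift cards) triggers none of the sender rules, so only the wording and urgency signals remain. That is why the score threshold is set so that content cues alone can still quarantine.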
Generative AI also came into play over the last year, with many threat actors abandoning templated campaigns in favor of generative AI to quickly produce unique, professional-looking, error-free messages that mimic the writing style of the person they are impersonating. Because each message is different, there is no shared wording for detection software to key on.
Compounding this is how much executives and employees now publish about themselves on social media. Cybercriminals have abundant online sources for researching the people they impersonate and target, including who reports to whom and who handles purchasing, so their email blends seamlessly into everyday communications. This way, a request to purchase several gift cards as client gifts or year-end bonuses won't seem like it's come from left field.
How to Defend Against Gift Card Scams
The recent explosion in malicious generative AI and cybercrime-as-a-service tools has made it easier than ever for criminals to wage attacks. Because attacks like CEO gift card scams no longer require advanced technical expertise, they’ll likely become more frequent—especially at the end of the year when employees are most distracted.
While traditional security tools are still effective in detecting less sophisticated threats, like mass phishing campaigns, mitigating advanced attacks requires a more complex strategy. In addition to keeping employees educated on emerging attack types and cybersecurity trends—and how to spot them—it’s also vital to adopt advanced detection technology that prevents scams from reaching employee inboxes in the first place.
As we move further into the holiday season—traditionally one of the most active times for cybercriminals—it’s more important than ever for security leaders to strengthen their organization’s defenses. It will take a multi-pronged approach to protect against sophisticated email attacks today and into the new year.
For even more insights into the emerging threat landscape and predictions for where it’s headed, download our white paper, Inbox Under Siege: 5 Email Attacks You Need to Know for 2025.