Email & Text Messages: Legitimate or a Scam

While going about your day, you suddenly get a text from the CEO. The CEO needs your help now. They are In a meeting with customers and somebody else attended the meeting providing gift cards. Your CEO tells you this is an emergency and asks you to buy six $200 gift cards and instantly text the gift card information to them.

Your CEO, via text message, guarantees that they will pay you back prior to the day’s end. They also tell you, they’ll be out of touch for the next two hours so they will be unreachable via phone but they will be checking their text messages for the gift card information.  The CEO reiterates how time sensitive and urgent this request is.  They need those gift cards ASAP.

Would you hesitate before responding to this type of request, or would you immediately whip out your credit card and buy gift cards for your CEO?

A startling amount of employees can be taken hoodwinked by this gift card scam.  There are other versions of this scam – like your CEO has run out of gas, or they are on vacation and need money wired to them or they’re in a desperate situation and only you can help them.  

In our high tech world. cyberhackers deploy scams via email and text messages.  It happens this simply – the unsuspecting employee buys the gift cards for their CEO as requested and then sends back the numbers via text. In time, they realize that it wasn’t actually their real business’s CEO who contacted them, but a cyberhacker who just conned the employee out of $1200 of their personal funds.  

Trivia:  What percentage of employees who are not properly training to spot a phishing scam fall for it? 

15%
20%
25%
30%
40%

Why Do People Become Victims of Phishing Scams?

Many people are taken in by this gift card scam, despite the strange circumstances. Social engineering tactics are used by hackers. They use emotional appeals to encourage employees to comply with the request.

Some of these social engineering tactics illicit the following:

  • The employee is anxious about not fulfilling their superior’s expectations.
  • The employee eagerly grabs the opportunity to save the day.
  • The employee doesn’t want to disappoint their company.
  • The employee may feel there’s a possibility saving the day can advance their career


The scam is designed to get the employee to take action quickly, without considering the consequences or double-checking. Making people feel a sense of urgency is part of the process. The CEO requires the gift card information immediately. Furthermore, the message indicates that the CEO will be unreachable for a short period of time. By doing this, it lowers the likelihood that the worker will reach out to the actual CEO to confirm the legitimacy of the message.

Illinois Woman Falls Victim to Phishing Scam Costing Her More than $6,000

This type of scam is widespread and can cause huge losses financially. A company is not liable if an employee willingly chooses to participate in a fraudulent scheme by purchasing gift cards with their own money.

An example of someone who had significant financial loss was a woman from Palos Hills, Illinois; she lost over $6,000. She was prompted to take action after receiving an email from someone she believed to be her company’s CEO.

The woman was sent an email which she believed was from her boss and the company’s CEO. Her boss had indicated a desire to reward certain employees who had gone above and beyond with gift cards.

The email concluded with a request to help purchase some gift cards, which was not unusual given the boss’s positive reputation for looking after employees.

The woman purchased gift cards at Target and Best Buy as requested. After that, she received another request to provide a photo of the cards. The message was written in a way that was very believable and not threatening. The request stated, “Can you take a picture, I’m putting this all on a spreadsheet?”

The woman was tricked into buying nearly $6,500 worth of gift cards, which were then stolen by the scammer. Later, after the cards were purchased and photo of the cards sent, she crossed paths with her boss.  She discovered, her boss knew absolutely nothing about the gift card request and confirmed it was not him that sent the email. Devastated and in disbelief, she realized she was the victim of a scam.

How You Can Avoid Costly Phishing Scams

Educate Yourself

Cybersecurity awareness training is a necessity.  You and your team members will learn how to spot cyberattacks and protect themselves both professionally and personally.  Yearly and monthly training modules both comprehensive and mini refresh courses will help keep cybersecurity at the top of mind and keep their skills sharp in being a human firewall.  

Set Emotions Aside

A tactic scammers use often is they appeal to the victim’s emotions. They’ll attempt to get you to act or react before you have any time to think. They use a sense of urgency to get you to comply with their requests. If you take a few minutes to sit back and look at a message calmly and objectively, you can spot the flaws in the request and realize it’s a scam. Ask yourself some questions:

Is this an unusual request?
Why is this request coming to me?
Why is the amount of the request so high?
Who can I call to verify this request?
Why is the message so urgent?

Always Verify the Request

Regardless of what a message may say about an individual being unreachable, try to contact them in person or by phone. If you are asked to do something that seems strange or involves money, be sure to verify it. Verify its legitimacy by communicating with the individual in other ways.  Contact their assistant or other team members to validate the request or if the person is in fact in a meeting or traveling.  Reach out the person directly or someone that works directly with them.  You can even contact your IT department to have someone validate where the email came from.  More often than not, your IT department can see data on the firewall and the mail server you do not have access to and confirm if the request did come from the person who sent it.    

Trivia Answer

Question: What percentage of employees who are not properly training to spot a phishing scam fall for it?

If you said 30%, you are correct!  If not properly trained, 30% of employees are likely to be victims of phishing scams.

Interested in Cybersecurity Training For Your Team?

Intech-Hawaii has been offering cybersecurity training and simulated phishing emails to clients successfully for years now.  Learning doesn’t have to be a bore.  Each training module can be done online and at your own pace.  The modules are a mix of education and fun – some modules are even games.  These training modules benefit everyone professionally and personally.  If you want to learn how we can help make your team human firewalls against cybercriminals, reach out to us.