An urgent message from the boss asking an employee to quietly buy gift cards is one of the most common scams aimed at small teams. Here is the exact playbook and how to stop it cold.
It sounds almost too simple to be a real threat: a message from the boss asking an employee to buy some gift cards and send over the codes. And yet this exact scam separates small businesses from their money week after week. It works not because people are careless, but because it's engineered to bypass careful thinking.
How the play unfolds
The pattern is remarkably consistent.
An employee — often someone newer, or in a support role, or simply eager to help — gets a message that appears to be from the owner or a senior manager. It might be an email from a look-alike address, or a text from an unknown number that opens with the boss's name. The tone is warm but rushed: "Are you at your desk? I need a quick favor and I'm stuck in meetings."
Once the employee replies, the ask arrives. The company needs to buy gift cards — for client gifts, employee rewards, a vendor, a surprise. Could they grab a few from the store and send photos of the codes? It's urgent, it has to happen now, and please keep it quiet because it's a surprise.
The employee, wanting to be helpful and not wanting to bother a busy executive with questions, goes to the store, buys the cards, and sends the codes. The moment those codes are sent, the money is gone. Gift cards are nearly impossible to trace or reverse, which is exactly why scammers love them.
Why it works on capable people
This scam is a masterclass in social-engineering levers, all stacked together:
- Authority — it comes from the boss, so questioning it feels risky.
- Urgency — the rush is manufactured to prevent a pause.
- Secrecy — "keep it between us" cuts off the one thing that would expose the scam: asking a colleague.
- Helpfulness — the request is framed as a small favor, and most people want to be useful.
- Plausibility — companies really do buy gift cards sometimes, so nothing about the request is inherently absurd.
Put together, these pressures push a reasonable person to act before the obvious question — wait, why is the owner texting me from a strange number to secretly buy gift cards? — ever surfaces.
The signs, once you know them
Stripped of the pressure, the tells are clear:
- The request comes from a new number, a slightly-off email address, or a channel the person doesn't normally use.
- It's urgent and insists on speed.
- It asks for secrecy.
- It involves gift cards, prepaid cards, or any payment that can't be reversed.
- The "boss" is conveniently unreachable for a normal back-and-forth.
Any one of these deserves a second look. Two or more together is almost always a scam.
How to stop it for good
The fix is a simple, explicit team agreement, stated out loud so everyone knows it:
- No one at this company will ever ask you to buy gift cards by text or email. If a message does, it's fake — full stop. Making this a known rule removes the authority pressure entirely.
- Any unusual money request gets verified by voice, on a number already saved for that person, before anything is bought. "Let me just call you to confirm" is always acceptable.
- Secrecy is a red flag, not a reason to comply. Legitimate requests survive a colleague asking, "Hey, did you really want me to do this?"
- Tell new hires about this scam on day one. They're frequently the target precisely because they don't yet know what's normal.
When a whole team knows the rule, the scam has nothing to grab onto. The fake boss can text all they want; the answer is a calm phone call to the real one.
This particular scam usually rides in through email, so the surrounding settings matter too — whether outsiders can easily impersonate your domain, whether external senders are clearly marked, whether a compromised mailbox could quietly send these messages internally. Tenant Strike reviews those Microsoft 365 settings in read-only mode and shows, in plain English, where your business is easiest to impersonate and what to tighten.
AI-researched from public sources. We label AI-assisted writing — see our trust page.
See your own risk
Want this for your own Microsoft cloud?
Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.