An employee gets a message that looks like it is from the boss. "Hey, are you at your desk? I'm tied up in a meeting and need a favor. Can you grab a few gift cards for a client, I'll pay you back. Just send me the codes when you have them. Keep it quiet, it's a surprise." It feels plausible. The boss is busy, the request is urgent, and the employee wants to help. So they go buy the cards, scratch off the backs, send the codes, and just like that, the money is gone, because there was no boss and no client. There was only a scammer who knew exactly which buttons to push.
This is one of the most common scams hitting businesses, and it is worth understanding for one simple reason: it is almost entirely preventable with a single rule. Once you and your team know how it works, it stops working. Let me break it down.
Why scammers love gift cards
Here is the question that unlocks everything: why gift cards specifically? Why not a wire, or a check, or cash? The answer reveals exactly why this is a scam every time.
Gift cards are the perfect tool for a criminal because they work like cash but are even better for them. Once someone has the codes off the back of a gift card, they can drain the value almost instantly, often from anywhere in the world. The money is nearly impossible to trace and almost never recoverable. There is no chargeback, no bank to call, no way to reverse it. A gift card code, once shared, is gone the way cash handed to a stranger is gone.
That is why scammers steer people toward gift cards over and over, in all kinds of cons: fake tech support, fake government threats, fake prize winnings, and the fake-boss request. So here is the rule that flows from it, and it is one of the most reliable in all of fraud: a legitimate business, person, or agency will essentially never ask you to pay them, or do them a favor, in gift cards. The IRS will not. Your utility company will not. A real vendor will not. And your actual boss, asking you to secretly buy gift cards and send the codes, almost certainly will not. A gift card request is, by itself, a giant red flag.
The version aimed at your business
The fake-boss gift card scam deserves special attention because it targets businesses so effectively. The scammer impersonates an owner, manager, or executive, often by spoofing their name in an email or text, sometimes after learning who is who at your company from your website or social media. They pick a moment, frequently when the boss seems plausibly unreachable, and they create pressure: it is urgent, it is a little secret, and they are counting on the employee's desire to be helpful and responsive to the higher-up.
Everything about it is engineered to short-circuit a person's better judgment: authority, urgency, secrecy, and the awkwardness of questioning the boss. The secrecy in particular is a tell, because its real purpose is to keep the employee from doing the one thing that would expose the scam, checking with someone.
The one rule that stops it
Here is the rule to share with your entire team, today: any request to buy gift cards, or to make any urgent or unusual payment, gets verified directly with the person it claims to come from, through a known, separate channel, before anyone acts. No exceptions, no matter how urgent it sounds or how much it looks like it came from the boss.
If a message appears to be from your manager asking for gift cards, the employee should reach the manager directly, by a phone number they already have or in person, and confirm. A real request survives that thirty-second check easily. A scam collapses the moment someone tries to verify it, which is exactly why scammers push for secrecy and speed.
Just as important, make sure your team feels safe doing this. Tell them clearly that you will never ask them to secretly buy gift cards, that you would much rather they double-check than get burned, and that questioning a suspicious request, even one that looks like it came from you, is always the right call and will never get them in trouble. Removing the fear of looking foolish or insubordinate is what makes the rule actually work.
How we think about it
The gift card scam is a pure example of social engineering, manipulating a person rather than breaking any technology, which is why the defense is mostly human, supported by good habits. It fits the simple framework we use at Red Door Shield, called KIT: Keep, Inspect, Trust. Keep what is valuable secure, including securing email accounts with multi-factor authentication so a real account is harder to hijack for these schemes. Inspect what is coming in, with email protections that catch many impersonation attempts before they land. And trust through validation, which is the entire defense here: you verify an unusual request through a known channel rather than trusting the name on the message. The scam runs on misplaced trust. Validation is how you take that fuel away.
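As an added illustration of the "Inspect" step (not code from the original article or from Red Door Shield), the sketch below flags an inbound email whose display name matches a known leader but whose address does not, and tags the gift card, urgency, and secrecy cues described above. The leader directory, names, domains, cue phrases, and sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed directory: leaders' display names mapped to their real addresses.
KNOWN_LEADERS = {"dana reyes": {"dana.reyes@example-co.test"}}

# Cue phrases drawn from the pressure tactics the article describes (constructed list).
CUES = {
    "gift_card": re.compile(r"\bgift\s*cards?\b", re.I),
    "urgency": re.compile(r"\b(urgent|asap|right away|tied up|in a meeting)\b", re.I),
    "secrecy": re.compile(r"\b(keep (it|this) quiet|surprise|don'?t tell|between us)\b", re.I),
    "codes": re.compile(r"\bsend (me )?the codes\b", re.I),
}

def inspect_message(raw):
    """Return the list of warning flags raised by one raw email."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    flags = []
    known = KNOWN_LEADERS.get(name.strip().lower())
    # A familiar name on an unfamiliar address is the display-name spoof.
    if known is not None and addr.lower() not in known:
        flags.append("display_name_impersonation")
    body = msg.get_payload()
    flags += [label for label, rx in CUES.items() if rx.search(body)]
    return flags

def needs_verification(raw):
    """Apply the article's rule: any gift card request is verified out of band,
    even from the right address, since a real account can be hijacked."""
    flags = inspect_message(raw)
    return "gift_card" in flags or "display_name_impersonation" in flags

# Constructed sample messages.
SPOOFED = (
    "From: Dana Reyes <dana.reyes.ceo@mail-example.test>\n"
    "Subject: quick favor\n\n"
    "Hey, are you at your desk? I'm tied up in a meeting and need a favor.\n"
    "Can you grab a few gift cards for a client? Just send me the codes.\n"
    "Keep it quiet, it's a surprise.\n"
)
REAL_ADDRESS = (
    "From: Dana Reyes <dana.reyes@example-co.test>\n\n"
    "Please buy five gift cards for the client event.\n"
)
BENIGN = (
    "From: Dana Reyes <dana.reyes@example-co.test>\n\n"
    "Budget review moved to 3pm Thursday. Agenda attached.\n"
)

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("real", REAL_ADDRESS), ("benign", BENIGN)]:
        print(label, inspect_message(raw), needs_verification(raw))
```

A filter like this only narrows what reaches the inbox; the verification call to the real person remains the control that decides whether anyone acts.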
What ready looks like
Picture the fake-boss message landing in an employee's inbox and, instead of a trip to the store, it gets a quick "hey, did you really just ask me to buy gift cards?" text to the real boss, a laugh, and a deleted message. The scam meets a team that knows the rule, and it simply fails. No money lost, just a story for the next staff meeting about the scammer who picked the wrong company.
That is what ready feels like. Not hoping no one on your team falls for it, but knowing they have the one rule that makes them scam-proof against this.
This scam is common because it works on good, helpful people caught off guard. The fix costs nothing: one clear rule, shared with your team, plus the reassurance that verifying is always welcome. Pass it along today. And if you want help building that kind of practical awareness across your business, alongside the protections that back it up, that is a conversation worth having.

