Your boss isn’t emailing you about a gift card, warns the US Federal Trade Commission

Did you receive an email from your boss asking you to send gift cards to pay for an upcoming office party? It's probably a scammer trying to trick you, warns the US Federal Trade Commission (FTC).

Before you go out and pay up, ask yourself: is that your boss? According to the FBI, business email compromise (BEC) is one of the most financially damaging online crimes. 

It is estimated that BEC schemes caused $1,8 billion worth of damage in the US last year.

In a BEC scam, criminals send an email message impersonating someone you know and trust, for example, the company's CEO. Here's how it can play out. 

"The scammer sends you an email impersonating your boss, either using a spoofed email address or by hacking into their account. They then make up a story about needing your help with something — an office surprise party, a company event, even a simple errand. 

Whatever the reason, they'll ask you to help by paying them with gift cards, promising to pay you back later. But once you hand over the gift card number and PIN, the money is gone," the FTC warns.

It can also be a vendor that your company regularly deals with, sending an invoice with an updated mailing address. Another example could be a homebuyer receiving a message from his title company with instructions on how to wire his down payment.

"Versions of these scenarios happened to real victims. All the messages were fake. And in each case, thousands—or even hundreds of thousands—of dollars were sent to criminals instead," the FBI explained.

A scammer might also use malicious software to infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to time requests or send messages, so accountants or financial officers don't question payment requests. Malware also lets criminals gain undetected access to a victim's data, including passwords and financial account information.

Here's what the FTC recommends doing if you get an unexpected email from your boss asking for this kind of help:

1. Don't pay for anything with a gift card. Gift cards are for gifts, not for payments. If anyone asks you to pay with a gift card, it's a scam. 

2. Double-check with your supervisor. Call your boss using a known number — not something that was written in the email.

3. Take a pause. Can't reach your manager? Talk to a trusted coworker or friend. Tell them the situation and see what they would do. 

"Did you or someone you know pay a scammer? Find out what to do next. If you act quickly, sometimes (only sometimes), you can get your money back. But it's worth trying," the FTC claimed.

If you or your company have been scammed, The FBI recommends contacting your financial institution, the local FBI field office, and filing a complaint with the FBI's Internet Crime Complaint Center (IC3). You can also report a spotted scam at

Here's some additional information from the FBI on how to protect yourself:

1. Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.

2. Don't click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company's phone number on your own (don't use the one a potential scammer is providing), and call the company to ask if the request is legitimate.

3. Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.

4. Be careful what you download. Never open an email attachment from someone you don't know, and be wary of email attachments forwarded to you.

5. Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.

6. Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in an account number or payment procedures with the person making the request.

7. Be especially wary if the requestor is pressing you to act quickly.

More from CyberNews:

Russia blocks NordVPN, ExpressVPN, and four other VPN providers

ProtonMail shared activist's IP with law enforcement, claims had no other choice

Infamous ransomware gangs are rebranding and preparing to strike

Report: these businesses are a perfect ransomware target

‘Amazon’s Choice’ best-selling TP-Link router ships with vulnerable firmware

In most cases, paying the ransom is the obvious way out - experts

Why does the U.S. want 'white hats' hacking satellites

The rise of digital currency and a world of e-money

Hybrid work is here to stay, but security concerns are high

Subscribe to our newsletter