Is an email from my CEO asking me to urgently buy gift cards on behalf of the company a scam?
Almost certainly yes. This is a business email compromise scam, sometimes called CEO fraud. No legitimate company uses gift cards for business payments.
Last reviewed: 10 June 2026
Explanation
CEO fraud begins with an email that appears to come from a senior executive — your CEO, CFO, or director — addressed to an employee who handles finances or has purchasing authority. The email explains that a confidential, time-sensitive business matter requires immediate purchase of gift cards from a major retailer. The recipient is asked to buy the cards, scratch off the PIN codes on the back, and email or text the codes directly.
The email address is either spoofed to look like the executive's real address or uses a domain one character different from the company's real domain. The urgency and the request for secrecy ('do not mention this to other colleagues') prevent the target from pausing to verify.
Gift card codes are as good as cash and untraceable once redeemed. Companies never use gift cards for legitimate business transactions. If your CFO genuinely needed an emergency payment, they would use the company's established banking channels with proper authorisation.
Whenever you receive an unusual financial request by email, verify it verbally by calling the executive directly on a number you already know — not a number provided in the email.
Common red flags
- Request for gift card purchase by email, often described as a personal favour
- Email asks you to keep the purchase confidential from other colleagues
- Sender's email domain is slightly different from the real company domain
- Unusual urgency and an explanation that normal channels cannot be used
- Asks you to photograph or type out gift card PIN codes and send them
- The tone is uncharacteristic of how the executive normally communicates
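For IT or security teams, several of these red flags can be checked automatically on incoming mail. The sketch below is an added example, not part of the original page: it flags a sender domain that is exactly one character away from the company's real domain and searches the subject and body for gift card, secrecy, urgency and PIN code wording. The domain example.com, the phrase lists and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: stands in for your real domain

# Constructed phrase lists, one per content red flag; tune to your own mail.
PATTERNS = {
    "gift_card_request": r"gift\s*cards?",
    "secrecy": r"confidential|do not mention|keep this between us",
    "urgency": r"urgent|immediately|right away|asap",
    "pin_codes": r"pin codes?|card codes?|scratch off",
}

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def red_flags(raw_message, company_domain=COMPANY_DOMAIN):
    """Return the names of the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rpartition("@")[2]
    flags = []
    # A domain exactly one edit away from the real one is a lookalike.
    if edit_distance(domain, company_domain) == 1:
        flags.append("lookalike_domain")
    parts = [p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain"]
    text = " ".join([msg.get("Subject", "")] + parts)
    for name, pattern in PATTERNS.items():
        if re.search(pattern, text, re.IGNORECASE):
            flags.append(name)
    return flags

# Constructed sample message: "examp1e.com" uses the digit 1 in place of "l".
SAMPLE = """From: "Jane Doe (CEO)" <jane.doe@examp1e.com>
To: finance@example.com
Subject: Urgent request

I need you to buy five gift cards right away. This is confidential,
do not mention this to other colleagues. Scratch off the back and
email me the PIN codes.
"""

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

A message that trips the domain check plus any content flag is a strong candidate for quarantine or a warning banner; a content flag alone from the genuine domain still warrants the verbal check described above.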
What to do now
- Do not purchase any gift cards without verbal confirmation from the executive
- Call the executive directly using a number you already have saved — not one in the email
- Report the email to your IT or security team immediately
- If you already purchased cards, call the gift card issuer to report fraud before the codes are redeemed
- Forward the phishing email to your national fraud reporting agency
- Document the incident for your company's security records
Frequently asked questions
My company has no formal fraud training — what should I do now?
Raise the issue with management and suggest implementing a dual-authorisation policy for any payment over a threshold, plus a verbal confirmation rule for unusual requests.
What if I already sent the codes before realising?
Call the gift card issuer immediately with your receipt. Some issuers have fraud teams that can freeze unused card balances. Report to your company and to the FTC. Recovery is possible but time-sensitive.