
It works. And it works A LOT. That’s why scammers keep coming back to it.
When the leader of some organization has their information spoofed, and the scam goes public in the organization, here’s what usually happens:
- Someone sends out an email “hey this isn’t me.”
- Jokes are made about it, possibly including a kind of “who would fall for that scam” tone
- Everyone forgets about it (well, except #1 below)
But here’s what most people don’t consider:
- The chances that someone in the organization DID fall for the scam are HIGH.
- Those victims will not admit it out of shame and embarrassment, so no one else in the organization will ever find out.
- Those victims often are “the most vulnerable” in the organization: a new hire at a medical office, an inexperienced or “lightly trained” employee at a law firm, or an elderly congregant at a church. These folks tend to be eager to please, quick to help, unclear on organizational policy, and/or inexperienced with technology.
- Moreover, YOUR INFORMATION is now almost certainly for sale on the dark web. Whatever email list, contact list, or text chain was breached is now out there for anyone to buy.
MOST IMPORTANTLY, while everyone in the organization forgot about it, that breach is still WIDE OPEN. The mechanism that allowed the scammer to get your information in the first place is still in place. What does this mean? Criminal access to even more vital information in your organization is a distinct possibility.
How Does This Scam Work?
Example Situation 1
- A congregant at a church clicks on a phishing email. They are prompted to change their password and input their credentials.
- The scammer now has access to the congregant’s email. From there, he gets the pastor’s name and email addresses of other congregants from, say, a prayer chain email.
- The hacker spoofs the pastor’s email address (a close approximation to the real thing) and sends a “hey can you help me” email to the other congregants.
- That email chain also contains phone numbers, and so a partial congregant list of phone and email addresses is out on the dark web for sale.
OR, worse, Situation 2:
A staff member clicks on a phishing email. For all the world, the page looks exactly like a Google page or Microsoft page. The staff member is prompted for a password change. The staff member enters their credentials. Disaster follows, in one of several ways, while the staff member likely has no idea what happened.
Now the scammer has access to a variety of contact information in the organization. This information is gleaned, sold on the dark web, and voila, members in the organization start getting the gift card scam.
BUT, in this case, the scammer also can get access to a wider variety of information on the organization’s network. They can monitor email traffic to see the normal pattern of payroll and invoicing, and when no one suspects, send another spoof message from payroll which looks entirely legitimate, but which redirects funds to the scammer’s bank account instead of an employee’s.
OR, let’s say this staff member whose account has been breached also saves their passwords in their favorite browser. All of a sudden, those credentials are stolen, and every single account – whether it’s Pandora, or your line of business software, or your bank account – is open to the hacker. When we do our network assessment with potential clients, it is not unusual for us to uncover HUNDREDS of browser-saved credentials.
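Both situations above hinge on the same thing: a message that borrows a leader's name, arrives from a lookalike or free-mail address, and asks for a quick favor. The script below is an added example written for this article, not code from the original post or from the MSP it describes. It runs a few constructed messages (the organization domain, the leader's name and every address are made up) through the checks a mail filter or a help-desk triage script would apply: a lookalike sender domain, a known display name on an outside address, a Reply-To that points somewhere other than the From address, and gift-card or urgency wording in the body.

```python
"""Flag inbound mail that impersonates a known leader or the organization's own domain.

Added example for illustration; every name, address and message below is constructed.
"""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

ORG_DOMAIN = "example-church.org"  # assumed organization domain (constructed)
# Known leaders: normalized display name -> the one address they really send from (constructed)
LEADERS = {"pastor jane doe": "pastor@example-church.org"}
# Wording that typically opens a gift card / "can you do me a favor" scam
SUSPICIOUS_PHRASES = ("gift card", "are you available", "can you help", "quick favor", "urgent")

# Constructed sample messages, assumed for this example only
SAMPLE_MESSAGES = [
    # 1: the leader's name on a domain one letter away from the real one
    "From: Pastor Jane Doe <pastor@example-churh.org>\n"
    "To: member@mail.example\n"
    "Subject: quick favor\n\n"
    "Are you available? I need you to pick up some gift cards for me.\n",
    # 2: the leader's name on a free-mail address, with replies steered elsewhere
    "From: Pastor Jane Doe <jane.doe.pastor9@gmail.com>\n"
    "Reply-To: pastorjane.help@outlook.com\n"
    "To: member@mail.example\n"
    "Subject: Hey\n\n"
    "Can you help me with something today?\n",
    # 3: a legitimate message from the real address
    "From: Pastor Jane Doe <pastor@example-church.org>\n"
    "To: member@mail.example\n"
    "Subject: Sunday schedule\n\n"
    "Service moves to 10am this week.\n",
]


def edit_distance(a, b):
    """Levenshtein distance; small values between domains indicate a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_message):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw_message, policy=default)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    findings = []

    if sender_domain and sender_domain != ORG_DOMAIN:
        # Lookalike domain: within two edits of ours, or containing our label
        distance = edit_distance(sender_domain, ORG_DOMAIN)
        if 0 < distance <= 2 or ORG_DOMAIN.split(".")[0] in sender_domain:
            findings.append(f"lookalike sender domain {sender_domain!r}")
        # Display-name impersonation: a known leader's name on an outside address
        key = " ".join(name.lower().split())
        if key in LEADERS and LEADERS[key] != addr.lower():
            findings.append(f"display name {name!r} used from external address {addr!r}")

    # Reply-To redirection: answers go to a mailbox the scammer controls
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != sender_domain:
        findings.append("Reply-To domain differs from From domain")

    # Body wording typical of the gift card / favor pretext
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(phrase in text for phrase in SUSPICIOUS_PHRASES):
        findings.append("gift card / urgency language in body")
    return findings


if __name__ == "__main__":
    for number, raw in enumerate(SAMPLE_MESSAGES, 1):
        print(f"message {number}: {analyze(raw) or ['no findings']}")
```

Message 1 trips the lookalike-domain, display-name and wording checks; message 2 trips the display-name, Reply-To and wording checks; the genuine message from the real address produces no findings. None of these checks is proof of fraud on its own, which is why the script reports findings rather than a verdict: the point is to get the message in front of someone who verifies the request by phone before anyone buys a gift card.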
So, what many see as a “run of the mill” scam can be an indicator of a massive problem for your organization, your employees, and your financial situation.
If your organization has experienced this scam, or something like it, here’s what you need to do:
You should immediately:
- STOP publishing contact information in publicly available areas. Yes, this goes for even innocuous things like church bulletins or “Meet the Team” web pages with email addresses. A phone number and generic, public-facing email address are fine.
- Ensure Endpoint Protection that secures desktops, laptops, and servers. This should include things like monitoring, updates, patching, password protection, and yes, antivirus. A note on antivirus: The old-school McAfee and Norton are outdated, incomplete tools. They are completely insufficient for modern day virus protection. Think of it like that Hummer H2 you always wanted – it was cool for a while and then died in 2009.
- Ensure your Email Security includes email filtering, encryption, and backup.
- Ask about Whitelisting, in certain cases. There are ways of preventing any new program from installing and running on your network (and if you DO need to install something new, your managed service provider can help manage that part for you).
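The "Email Security" item above is where spoofing protection lives: the public DNS records (SPF and DMARC) that tell receiving mail servers which senders may use your domain and what to do with mail that fails. A weak record (DMARC "p=none", or SPF ending in "+all") lets a spoofed "from the pastor" message through unchallenged. The grader below is an added example written for this article, not code from the original post or the MSP it describes; the record strings it grades are constructed, and the domain in them is made up. It shows a weak record beside a corrected one.

```python
"""Grade the DMARC and SPF records a domain publishes.

Added example; the record strings below are constructed for illustration.
Real records would be read from the domain's DNS TXT entries.
"""

# Constructed records: a weak pair and a corrected pair for a made-up domain
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-church.org; pct=100"
WEAK_SPF = "v=spf1 include:_spf.google.com +all"
STRONG_SPF = "v=spf1 include:_spf.google.com -all"


def parse_tags(record):
    """Split DMARC 'tag=value; tag=value' syntax into a dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of weaknesses in a DMARC record; an empty list means it is sound."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record (missing v=DMARC1)"]
    issues = []
    policy = tags.get("p", "")
    if policy == "none":
        issues.append("p=none: spoofed mail is reported but still delivered")
    elif policy not in ("quarantine", "reject"):
        issues.append("missing or unknown policy tag p=")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports showing who is spoofing you")
    pct = tags.get("pct", "100")
    if pct != "100":
        issues.append(f"pct={pct}: the policy is applied to only a sample of messages")
    if tags.get("sp") == "none":
        issues.append("sp=none: subdomains stay spoofable even if the main domain is protected")
    return issues


def assess_spf(record):
    """Return a list of weaknesses in an SPF record; an empty list means it is sound."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record (missing v=spf1)"]
    issues = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        issues.append("+all: every sender on the internet passes SPF for this domain")
    elif last == "?all":
        issues.append("?all: neutral result, which provides no protection")
    elif last == "~all":
        issues.append("~all: softfail only; pair it with a DMARC policy to actually block spoofing")
    # SPF evaluators stop after 10 DNS-querying mechanisms, which turns into a permerror
    lookups = 0
    for term in terms[1:]:
        mechanism = term.lower().lstrip("+-~?").split(":")[0].split("=")[0]
        if mechanism in ("include", "a", "mx", "exists", "redirect"):
            lookups += 1
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups: exceeds the limit of 10, so SPF fails outright")
    return issues


if __name__ == "__main__":
    for label, record, grader in (
        ("weak DMARC", WEAK_DMARC, assess_dmarc),
        ("strong DMARC", STRONG_DMARC, assess_dmarc),
        ("weak SPF", WEAK_SPF, assess_spf),
        ("strong SPF", STRONG_SPF, assess_spf),
    ):
        print(f"{label}: {grader(record) or ['no issues']}")
```

The weak DMARC record is graded down twice (delivered anyway, and nobody receives reports), and the weak SPF record once (anyone passes). The corrected pair grades clean. Moving from "p=none" to "p=reject" is the change that actually stops lookalike "from the pastor" mail at the receiving server, and the "rua=" reports are how you find out it was happening.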
If all that sounds like too much for you, it might be. You also might be thinking “well, our IT probably does most of that.” But the reality is that these cybersecurity tools, techniques, skills, and monitoring services are NOT basic IT. It’s entirely possible your IT tech may be doing some of these things, but more than likely, he will need some help in these areas so that he can focus on Help Desk-type tickets.
3 Ways an IT MSP Can Help You Address This Issue
An IT managed service provider can step in to protect your organization before a scam turns into a full-blown breach.
- An IT Managed Service Provider can secure your email environment with advanced filtering, spoofing protection, and multifactor authentication to block phishing attempts and prevent attackers from gaining access to accounts.
- An IT MSP can audit your network and devices to remove unnecessary access, secure credentials, and identify weak areas.
- An IT MSP provides IT planning and projection to keep your network up-to-date, secure, and efficient. The old adage rings true in the IT field: a failure to plan is a plan to fail.
Bonus: IT MSPs provide staff training and policy guidance so employees, volunteers, and members know how to recognize scams, verify requests, and safely handle sensitive information, creating a human firewall that complements technical defenses.
Gift card and phishing scams may seem harmless at first, but they can quickly lead to serious breaches, stolen credentials, and financial loss. By securing your email, auditing accounts, and training staff, you can close the gaps scammers exploit and protect your organization’s data, finances, and reputation.
