The Setup
It's 4:47 PM on a Friday. Sarah, an accountant at TechCorp, receives an urgent email:
Subject: URGENT - Need your help (Confidential)
Sarah,
I'm in an important meeting and can't talk. I need you to purchase 5 Amazon gift cards worth $200 each for client appreciation gifts. This is time-sensitive.
Buy them now and email me the codes. I'll reimburse you Monday. Don't tell anyone - it's a surprise for the team!
Thanks for your discretion,
John Smith, CEO
The Red Flags
This is a classic Business Email Compromise (BEC) attack. Let's break down what's suspicious:
- Urgency + Secrecy: "URGENT", "Confidential", "Don't tell anyone" - attackers create pressure and isolation
- Unusual Request: Gift cards are untraceable currency - real executives don't ask for them this way
- Timing: Late Friday = less time to verify, more pressure to act fast
- Email Domain: Look closely - it's "techcorp-secure.com" not the real "techcorp.com"
- No Phone Call: A real urgent request would warrant a call, not just email
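The red flags above can also be checked mechanically. The following is an added example, not part of the original article: a small Python triage heuristic that scores a message against the domain, urgency, request-type and timing flags. The regex lists, the 0.85 similarity threshold, the mailbox name and the date in the sample are assumptions made for illustration.

```python
import re
from datetime import datetime
from difflib import SequenceMatcher
from email.utils import parseaddr

TRUSTED_DOMAIN = "techcorp.com"  # the real domain named in the article
# Assumed keyword lists, taken from the wording of the sample email.
PRESSURE = re.compile(r"urgent|confidential|time-sensitive|don.t tell anyone", re.I)
PAYMENT = re.compile(r"gift cards?|wire transfer|password", re.I)

def is_lookalike(domain, trusted=TRUSTED_DOMAIN):
    """Flag foreign domains that embed the brand or are a near-misspelling."""
    domain = domain.lower().rstrip(".")
    if domain == trusted or domain.endswith("." + trusted):
        return False  # the real domain or one of its subdomains
    brand = trusted.split(".")[0]
    return brand in domain or SequenceMatcher(None, domain, trusted).ratio() >= 0.85

def red_flags(from_header, subject, body, received):
    """Return which of the article's red flags a message shows."""
    flags = []
    # Use the actual address, not the display name the mail client shows.
    domain = parseaddr(from_header)[1].rpartition("@")[2]
    if is_lookalike(domain):
        flags.append("lookalike-domain")
    text = subject + "\n" + body
    if PRESSURE.search(text):
        flags.append("urgency-secrecy")
    if PAYMENT.search(text):
        flags.append("unusual-request")
    if received.weekday() == 4 and received.hour >= 16:  # Friday, 4 PM or later
        flags.append("late-friday")
    return flags

# Constructed sample modelled on the email above (mailbox name and date are made up).
SAMPLE = dict(
    from_header="John Smith <john.smith@techcorp-secure.com>",
    subject="URGENT - Need your help (Confidential)",
    body="I need you to purchase 5 Amazon gift cards worth $200 each. Don't tell anyone.",
    received=datetime(2024, 3, 1, 16, 47),  # a Friday, 4:47 PM
)

if __name__ == "__main__":
    print(red_flags(**SAMPLE))
```

A message that trips several flags at once is a candidate for out-of-band verification; any single flag on its own will also match plenty of legitimate mail.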
Real-World Impact
In 2023, BEC attacks caused over $2.9 billion in losses. The average successful attack steals $125,000. These aren't random - attackers research companies, learn executive names, and time their attacks carefully.
How to Protect Yourself
- Call or text the person directly using a known number - never reply to the suspicious email
- Hover over the sender's name to see the actual address, and look for subtle misspellings
- Requests for gift cards, wire transfers, or password sharing are almost always scams
- Forward suspicious emails to IT security - you might save a colleague from falling for it