AI Scams Are Getting Too Good to Spot. Here’s How Small Businesses Can Fight Back.

For years, the advice was simple: watch for the typos, and call to verify. AI just broke both halves of that rule. Here's what actually...

Those “Boss Needs Gift Cards” Texts Are Targeting Small Businesses

You’ve probably gotten the text. It looks like it’s from the owner, or your manager: “Are you at your desk? I need you to pick up a few gift cards for a client — keep it between us, I’m stuck in a meeting.”

Let’s clear this one up first, because not everyone knows: that text is a scam. Every time. No legitimate boss asks an employee to go buy gift cards and send over the codes. But it works often enough that criminals send it by the millions — because in the moment, with someone waiting and your “boss” sounding rushed, it’s easy to act first and second-guess later. Plenty of good people at small businesses have been caught by exactly this.

Up to now, these scams have at least been catchable, because they tend to be clumsy: a number you don’t recognize, phrasing that’s a little off, a request that doesn’t quite fit how your boss actually talks. The fundamentals teach people to catch precisely that — check who it’s really from, be suspicious of urgency, and verify before you act.

That advice stops a lot of attacks, and it still matters. But here’s the problem: the clumsiness is disappearing. As of about a year ago, those fundamentals stopped being enough on their own — not because your people got worse at their jobs, or because the training was wrong, but because the attacker got an upgrade, and the defense now needs a second layer the basics were never designed to cover.

One of the easiest tells just disappeared

What made that gift card text catchable at all was the sloppiness. The same used to be true of scam emails. The classic phishing email gave itself away: broken English, a greeting that didn’t match, a sense that a human who barely spoke the language had hammered it out in a hurry. That clumsiness was one of the most reliable tells, and a lot of people learned to catch it.

Generative AI erased that particular tell. Today’s phishing email is fluent, on-brand, correctly formatted, and personalized with details scraped from your website and LinkedIn. Industry analyses now estimate that the large majority of phishing emails contain AI-generated content — and a growing share of business email compromise messages are written primarily by AI. The bad grammar is gone. The email reads like it came from a colleague because, functionally, it was written to.

To be clear, this doesn’t make the fundamentals useless — far from it. Checking the actual sender address, refusing to click links you weren’t expecting, and slowing down on anything that touches money still catch the overwhelming majority of attacks, which are still cheap and high-volume. Those habits matter more than ever. What’s changed is that “it was well-written, so it’s probably real” is no longer a safe assumption. One tell got taken off the table, and you can’t lean on it anymore.

That alone would be manageable. But the email is no longer the scary part.

The right instinct, with one dangerous loophole

Good training teaches the right reflex here: if a payment request seems off, don’t act on the message — verify it independently. Call the person. Call the bank. Confirm before money moves. That instinct is correct, and it’s still the single most valuable habit your team can have.

But there’s a loophole attackers have learned to drive through, and it comes down to which direction the call goes.

A usable clone of someone’s voice now takes only seconds of sample audio — and the owner’s voice is easy to find: a podcast interview, a webinar, a Facebook or YouTube video, a conference talk, even the voicemail greeting on the company line. The tools are cheap and require no skill. So the attack that should worry every business owner looks like this: the bookkeeper gets an email from the owner, and then a follow-up voice call that sounds exactly like the owner, “confirming” the urgent payment. The bookkeeper feels like they verified it. They didn’t — the confirmation was part of the attack.

It gets more aggressive. In the most advanced cases, attackers have run live video deepfakes on Teams and Zoom calls. The most cited example happened at a large engineering firm, where a finance employee joined a video call with people who looked and sounded like company leadership and authorized transfers totaling around $25 million — everyone on the call except the victim was synthetic. That was a big company with a big payout, but the exact same trick scales down to a fake video call from “the owner” to the one person who handles the bank account. You don’t need a Hollywood budget to fake a voice on a phone, and the people running these scams know small businesses are far less likely to have anything standing in the way.

Here’s the key distinction, and it’s the one to hammer home with your team: an inbound call, voicemail, or video — anything that comes to the employee — verifies nothing now, because the voice and face can be faked. What still works is outbound verification: hanging up and reaching the person yourself, on a number you already had on file, not one supplied in the request. “Call the bank directly” was always good advice. The update for 2026 is the word directly — on your terms, through your channel, not by trusting whatever called you.

Why small businesses are the easy target

You might assume this is an enterprise problem. It’s the opposite. Big companies have fraud departments, dual-approval systems, and treasury controls that make a single faked call insufficient to move money. Many small and mid-sized businesses don’t. The owner trusts the bookkeeper. The bookkeeper trusts a call from the boss. Money moves on a single human decision.

That’s exactly the gap these attacks are built to exploit. The FBI’s Internet Crime Complaint Center logged roughly $3 billion in reported business email compromise losses in 2025 alone — its second-costliest category of cybercrime — and that’s just the reported fraction, since most businesses never report it. SMBs aren’t collateral damage here. They’re the intended market.

We’ve written before that hackers don’t care that you’re a small business, and that the human element is the real front line. That’s more true than ever — Verizon’s Data Breach Investigations Report consistently finds that around 60% of breaches involve a human element rather than a purely technical exploit. What’s changed is that the people on that front line now need one more layer behind them — because some of these attacks are designed specifically to beat a well-trained, careful person who’s doing everything right.

Sharp eyes still help — they just can’t carry the whole load

Here’s what it comes down to: training your people to be alert is necessary, but when the email, the voice, and the video can all be faked convincingly, “spot it” can’t be the only thing standing between an attacker and your bank account. The fix isn’t to abandon the human layer — it’s to back it up with process: controls that hold even on the day someone’s having a rough morning and the fake is genuinely good.

The best part is that the most effective of these controls are cheap, low-tech, and entirely within reach for a small business:

  1. Out-of-band verification, every time. Any request to move money, change banking details, or buy gift cards gets confirmed through a separate, pre-established channel — a phone number you already had on file, not one provided in the request, and not by replying to the same thread. The channel is the point. A faked call coming in doesn’t count; you have to reach out on a number you already trust.
  2. A second set of eyes on money that moves. No single person should be able to send a payment or change vendor banking details on one say-so. In a bigger shop that’s formal dual sign-off; in a three-person business it can simply be a rule that the owner personally approves anything over a set dollar amount, in person or on a known number. Either way, “the boss told me to” becomes “two people confirmed it independently” — and that one rule defeats the majority of these scams outright.
  3. A verbal code word for urgent money requests. Low-tech and surprisingly effective. If the “boss” on the call can’t produce the agreed word, the request is dead, no matter how perfect the voice sounds.
  4. Slow down the urgency. Every one of these attacks runs on manufactured time pressure — the deal closes today, the vendor’s threatening to walk, the boss is about to board a flight. A standing rule that urgency increases scrutiny rather than bypassing it removes the attacker’s favorite lever.
  5. Be mindful of what’s public. You can’t scrub the owner’s voice from the internet, and you shouldn’t have to hide — but it’s worth knowing that public videos and recordings are raw material for a voice clone, and worth making sure everyone understands that hearing a familiar voice doesn’t verify anything on its own.
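The controls above, written out as one release check so the logic is unambiguous: an inbound call counts for nothing, the confirmation number must come from your own directory rather than from the request, two people sign off, the code word is required, and urgency adds the owner's approval instead of waiving it. This is an added illustration, not code from the original post or from CMHWorks; the contact directory, phone numbers, dollar threshold and role names are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed directory of contacts already on file (kept outside the inbox in practice).
CONTACTS_ON_FILE = {"owner": "+1-555-0100", "bank": "+1-555-0199"}
OWNER_APPROVAL_THRESHOLD = 2_000.00  # hypothetical limit from the written policy


@dataclass
class PaymentRequest:
    amount: float
    callback_number: str | None = None  # number supplied *in* the request, if any
    urgent: bool = False


@dataclass
class Verification:
    direction: str          # "outbound" (we dialed) or "inbound" (they reached us)
    number: str             # number actually used for the confirmation call
    code_word_given: bool   # did the person produce the agreed verbal code word?


def release_decision(req: PaymentRequest, verifications: list[Verification],
                     approvers: set[str]) -> tuple[bool, list[str]]:
    """Return (ok, problems). Money moves only when every control holds."""
    problems = []
    # Control 1: an inbound call or video verifies nothing; we must have reached out
    # ourselves, on a number on file, and not on one the request handed us.
    outbound = [v for v in verifications
                if v.direction == "outbound"
                and v.number in CONTACTS_ON_FILE.values()
                and v.number != req.callback_number]
    if not outbound:
        problems.append("no outbound verification on a number already on file")
    # Control 3: the code word must be produced on that verified outbound call.
    if outbound and not any(v.code_word_given for v in outbound):
        problems.append("code word not given on the verified call")
    # Control 2: two distinct people confirm; the request itself is not an approval.
    if len(approvers) < 2:
        problems.append("fewer than two independent approvers")
    # Control 4: urgency tightens scrutiny rather than bypassing it. The owner signs
    # off on anything over the threshold and on every request marked urgent.
    if (req.amount > OWNER_APPROVAL_THRESHOLD or req.urgent) and "owner" not in approvers:
        problems.append("owner approval required (over threshold or marked urgent)")
    return (not problems, problems)
```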

The point isn’t that any of these replace an alert employee — it’s that they don’t rely on one catching the fake. Trained people plus these controls is the combination that holds.

Where this fits with what you’re already doing

If you’ve started measuring human risk instead of training completions, you’re already ahead — this is the next layer on the same foundation. Training matters more than ever; people still need to know the fundamentals and understand how these newer attacks feel in the moment. The difference is that good training in 2026 teaches an updated reflex alongside the basics: not just “spot the fake,” but “follow the process especially when everything looks legitimate, because looking legitimate is exactly what the good ones do.”

That’s the whole idea. A careful, well-trained person is still your best asset — but the smartest move is to make sure they’re never the only thing standing between an attacker and your money. The rule that protects a business now is one you decide on in advance, in writing: money doesn’t move on a voice, a face, or a feeling. It moves on a verified process.

At CMHWorks, this is exactly the kind of practical, no-drama defense we help businesses put in place — security training that reflects how attacks actually work today, plus the verification controls and workflows that back your people up. Our cybersecurity training covers the fundamentals that still stop most attacks, and we help you build the process layer for the ones designed to slip past them. If you’re not sure your current process would survive a convincing phone call from “the boss,” that’s worth a conversation. Contact us and we’ll pressure-test it with you.
