Date: Friday, March 12, 2021

File: 21-9141

Victoria, BC – VicPD investigators are warning the public after professional fraudsters, claiming to be a CEO, victimized a new staff member and stole $1,000 in a sophisticated “internal email” cybercrime involving impersonation, phishing emails and gift cards.

The victim reported to officers that they had received a phishing email from an internal email address that very closely resembled that of the organization’s CEO. As a direct report, the victim responded right away. In this sophisticated scam, the fraudster directed the staff member to run a high-priority errand. Pretending to be the CEO, the fraudster told the victim that they were in an urgent meeting and could only communicate by email. The fraudster then directed the staff member to purchase ten gift cards of $100 each.

When the employee asked to use the CEO’s credit card for the purchase, the fraudster increased the sense of urgency, indicating that this was an immediate need and assuring the victim that they would be refunded if they used their own credit card. Convinced by the sophistication of the scam, the staff member purchased the gift cards, and when directed, shared the numbers from the back of the gift cards with the fraudster.

The employee then brought the gift cards to the CEO, at which point she learned she had been the victim of a sophisticated fraud.

The organization had previously been targeted by phishing attacks, but as a newer member of the team, the targeted employee had not yet received training created to avoid these sophisticated frauds. While officers are investigating, it is unlikely the employee’s funds will be recovered.


How to protect yourself | Phishing “internal email” scams rely on an employee’s dedicated sense of service, impersonation, high-pressure circumstances, a sense of urgency and technology to be successful. If someone emails you claiming to be your boss and directs you to make an immediate purchase, be suspicious. Instead of replying to that email, create a new email back to your boss to confirm the purchase request. Use another form of communication such as text, a phone call, or an internal messaging service to confirm the details of that second email communication.

Employers can also protect themselves and their team by creating and instituting purchasing policies that include required phone call or in-person verification for purchase requests. While the organization had created effective internal training to help protect against phishing frauds, the employee had not yet received it. Making anti-fraud training a priority for new employees, particularly those who report directly to decision-makers with purchasing authority, can protect your organization.

Cybercriminals trade in fraudulently purchased gift cards. If your organization often gives these cards, purchasing a small number of these cards to keep secured can eliminate the risk of this key method of exploitation.

Creating time pressure and a sense of urgency is a key social engineering tactic that cybercriminals use to execute frauds. If someone claiming to be your boss contacts you by email and applies an immediate sense of urgency to make a gift card purchase, be wary. It’s most likely a fraud.

You can learn more about how to protect yourself, your family and your organization from fraud by visiting If you have fallen victim to a fraud, stop payment immediately, contact your financial institution and call our Report Desk at (250) 995-7654 extension 1.

If you think you or someone you know has been a victim of an attempted fraud, please contact the Canadian Anti-Fraud Centre at 1-888-495-8501 or report online at