Earlier this year I joined the team at CultureAI, and like many, I shared the news on LinkedIn. Within weeks, I found myself at the receiving end of multiple phishing emails impersonating our CEO designed to exploit new employees. But rather than ignoring them, I thought it could be fun to play along, see where the rabbit hole led, and deep dive into the world of BEC and Gift Card scams.

Imagine it’s your first week at a new job! You’re eager to impress and an urgent email from the “CEO” lands in your inbox. The big boss needs you to do a quick favour and purchase several gift cards for “customer appreciation handouts”. Before you know it, you’re exchanging WhatsApp messages and grabbing gift cards from the shop. Only later do you realise you’ve been scammed by an attacker.

This scenario is alarmingly common, as scammers target new starters, exploiting their willingness to please and comply with authority. They’re not afraid to target cybersecurity professionals either, as I found myself receiving multiple new starter phishing emails when I joined CultureAI.

So, inspired by my own attackers, I decided to explore how these phishing scams work, why gift cards are used, and why WhatsApp has become their go-to tool.

 of January 2025 I publicly announced my new position as Lead Cybersecurity Researcher at CultureAI. At the same time, scammers were ready, scraping LinkedIn for fresh targets in their ongoing new starter campaigns.

Having worked in cybersecurity for a while, I know that anything we share online can be leveraged by attackers. But how do scammers identify new employees, craft believable pretexts, and send phishing emails so quickly - sometimes before you've even accessed your corporate email account?

It may seem as though scammers are monitoring you personally, but this is unlikely to be the case. Instead, they use 

 services combined with automated tools that scan social media for job updates and profile changes. These tools collect names, job titles, and company details, making it easy to generate probable corporate email addresses (e.g., first.last@company.com) for the initial contact phase of their attack.

With access to this information, attackers can create convincing emails that impersonate senior members of the team to pressure new starters into complying with their requests.

When I joined the company, I quickly received five emails claiming to be from our Founder and CEO, James Moore. They weren’t exactly sophisticated - and in this case were blocked - but they were interesting and followed classic phishing tactics: brevity, urgency, and an attempt to catch the recipient off guard. Here is one example:

From: James Moore <domainoutlooks@gmail.com>
Subject: VERY IMPORTANT!!!

HEY Oliver

Do you have a minute? I'm tied up in a conference call meeting and there 
is something I would want you to do requiring swift action. Kindly send 
me your whatsapp number here so i would brief you on what to do,

THANKS

An urgent message from a high-ranking individual and a request to move the conversation to WhatsApp? That was textbook phishing. However, many new employees unfamiliar with internal processes could easily fall for such an attack. Especially during that initial timeframe where they feel under pressure starting a new role.

As well as the above, I also received similar emails from:

To investigate, I grabbed a new SIM card and responded as though I had taken the bait. My goal was to see what the attackers were after. Would they send a malicious payload? Try to extract credentials? Something more elaborate and interesting?

To: domainoutlooks@gmail.com
Subject: RE: VERY IMPORTANT!!!

Hey James

Sorry. Just seen these emails.

Back from holiday now though. Dunno if you got what you were after 
sorted but my WhatsApp is:

[...MOBILE...]

Cheers,
- Ollie

Within minutes I received... the classic Apple Gift Card scam (Typical!)

Once I moved the conversation to WhatsApp, the scammer - still impersonating James - told me they needed me to purchase [Apple] gift cards immediately as handouts for an urgent presentation. Disappointingly predictable, but a reminder that these simple financial scams remain prevalent:

This wasn’t the sophisticated cyber-espionage attempt I wanted to dig into, but let’s see what we can learn from this.

I am fortunate enough that I can recognise these types of attacks, allowing me to go into the exchange willingly with my eyes wide open. However, many aspects of these attacks may not be obvious to a large percentage of victims, and targeted users might wonder why scammers would even operate in this way?

So are scammers just one person sat with a phone somewhere sending emails and making calls, hoping for the best? No. These attacks are often run by well organised criminal networks operating like a regular business.

 found that the Nigerian BEC group “London Blue” consisted of multiple divisions, including divisions for lead generation, social engineering / phishing, financial operations, and HR​.

In a 2021 Europol found that a BEC network they dismantled operated with a "

", where members specialised in different tasks. This included computer "experts" for creating phishing emails and fake domains, impersonators to handle victim communications, recruiters to manage money mules, and money-laundering / crypto experts to convert their proceed.

You might assume that a new starter’s eagerness to make a good impression increases their likelihood of falling victim to social engineering attacks designed to manipulate them into taking quick, unquestioned actions. And you’d be right!

A 2025 report by keepnet found that new starters were 

 to fall victim to phishing and social engineering attacks during their first 90 days at a new job. This is not surprising, as new starters are often unfamiliar with internal processes, making them more likely to comply with urgent requests from senior staff. Additionally, many new employees have yet to meet their colleagues, making it easier for scammers to impersonate others without raising suspicion.

WhatsApp is an incredibly popular messaging platform, with 

 aged 16-65 in the UK alone using it regularly. This widespread use makes it a highly attractive tool for attackers. A 

 exposed 500 million WhatsApp phone numbers, making it even easier for attackers to target WhatsApp users directly.

But why would attackers seek to shift communication from email to WhatsApp after establishing initial contact? There are two key reasons:

Historically, Business Email Compromise (BEC) scams primarily focused on fraudulent bank transactions. However, over the years scammers have increasingly turned to gift cards as their preferred method of fraud, with the gift card now being a signature for BEC. This initial shift was observed between 2017 and 2018, where FBI reported a huge 

 in gift card related BEC scams, with now nearly 

 of all reported BEC attacks leverage gift cards.

Unlike traditional bank transactions, gift cards offer anonymity, are difficult to trace, and can easily be resold or redeem. Once the serial numbers are shared, the funds are virtually irretrievable and can easily be sold locally or via 

. This ability for criminals to have a fast, untraceable payout ensures that the gift card scam isn’t going anywhere anytime soon.

Even now, these scams continue to rise. In 2023, the FBI’s IC3 report outlined a sharp surge in BEC-related losses, reaching 

 in 2020. Furthermore, a 2024 report by the Better Business Bureau found an additional 

Phishing and social engineering scams aren’t going anywhere and will continue to evolve. Awareness training is not enough, it is crucial that organisations adopt a multi-layered defence strategy, including:

Adopt Human Risk Management (HRM) Solutions:

This phishing campaign reminded me just how quickly and easily attackers exploit publicly available information to launch targeted attacks. By leveraging job announcements and impersonating authority figures, they rapidly create scams designed to pressure new unsuspecting employees into compliance.

The increasing shift to WhatsApp highlights an evolving approach to bypassing security controls, while the continued use of gift cards demonstrates how attackers prioritise low-risk, high-reward methods, even in a world where cryptocurrency scams could yield higher returns.

Technical controls are essential, but they must be paired with proactive Human Risk Management (HRM) technologies. Organisations must prioritise safeguarding of new employees before they fall victim to these evolving and persistent cyber threats.

Fortra – How BEC Scammers Validate New Targets with Blank Emails

https://emailsecurity.fortra.com/blog/how-bec-scammers-validate-new-targets-blank-emails

ThreatPost - BEC Scam Gang London Blue Evolves Tactics, Targets

https://threatpost.com/bec-scam-gang-london-blue-evolves-tactics-targets/143440/

Europol - 106 arrested in a sting against online fraudsters

https://www.europol.europa.eu/media-press/newsroom/news/106-arrested-in-sting-against-online-fraudsters

Keepnetlabs - Top 40 Phishing Statistics and Trends You Must Know in 2025

https://keepnetlabs.com/blog/top-phishing-statistics-and-trends-you-must-know

Sinch - The most popular messaging apps in the world by country

https://sinch.com/blog/most-popular-messaging-apps-in-the-world

Bitdefender - 500 million WhatsApp mobile phone numbers are up for grabs on the dark web

https://www.bitdefender.com/en-us/blog/hotforsecurity/500-million-whatsapp-mobile-phone-numbers-are-up-for-grabs-on-the-dark-web

Proofpoint – Understanding BEC Scams: Gift Card Scams

https://www.proofpoint.com/us/blog/threat-protection/understanding-bec-scams-gift-card-scams

KnowBe3 - Gift Cards Are Now the #1 BEC Cash-Out Mechanism for Fraudsters

https://blog.knowbe4.com/gift-cards-are-now-the-1-business-email-compromise-cash-out-mechanism-for-fraudsters

https://www.ic3.gov/AnnualReport/Reports/2023_IC3Report.pdf

TheSSlStore - A Look at U.S. Business Email Compromise Statistics (2024)

https://www.thesslstore.com/blog/business-email-compromise-statistics/

BBB - Growth of gift card scams causes retailers to innovate solutions

https://www.bbb.org/article/investigations/29516-bbb-study-growth-of-gift-card-scams-causes-retailers-to-innovate-solutions

Within weeks of stepping into a new role, I found myself receiving multiple phishing emails impersonating our CEO. Rather than ignoring them, I thought it could be fun to play along and deep dive into the world of BEC and Gift Card scams.

, Lead Cyber Security Researcher at CultureAI

By Oliver Simonnet, Lead Cyber Security Researcher at CultureAI

Recommended for you

Trouble Brewing - Dissecting a fake homebrew update that stole user data

Pixels, Polygons, and Payloads:Malware delivery in 3D software pipelines

The Rise of AI Abuse:A story of Criminal GPTs, DeepFakes, Data Breaches, AI Malware, and Agentic Sleeper Agents