So here's a fun scenario: You get an email from your boss asking you to buy $500 in Amazon gift cards for a "client appreciation thing." They're in a meeting, can't talk, need you to handle it ASAP and just text them the codes. Seems reasonable, right? Except it's not your boss. It's a scammer who's about to walk away with your money.
This scam has a name: CEO fraud. Also called Business Email Compromise (BEC). And according to the FBI, it's now a $55 billion problem. That's billion with a B.
What's making it worse? AI. Scammers are using tools like ChatGPT to write emails that actually sound human. No more obvious grammar mistakes or weird phrasing that used to tip you off. Phishing attacks have increased by 1,265% since generative AI tools became mainstream in 2022.
Why Gift Cards? Because They're Untraceable
You might wonder why scammers ask for gift cards instead of a wire transfer. Simple: gift cards are basically cash. Once you scratch off that code and send it to them, the money is gone. No bank to call. No transaction to reverse. Nothing.
And this isn't rare. Gift cards are requested in about two-thirds of all business email compromise attacks. The average request is around $1,200—big enough to hurt, small enough that you might not double-check before buying.
How the Scam Actually Works
Here's the playbook:
- They research your company. LinkedIn makes this embarrassingly easy. They find out who the boss is, who handles money, who's new.
- They create a fake email. Sometimes they hack a real account. Sometimes they just create one that looks similar—like [email protected] instead of .com.
- They craft a convincing message. AI helps them match the tone and style of real business emails. No more "Dear Sir/Madam" nonsense.
- They add urgency. "I'm in a meeting." "This is time-sensitive." "Don't call, just text." Anything to prevent you from verifying.
- They collect the codes and disappear.
The Red Flags That Give It Away
Even AI-written scams leave clues. Here's what to watch for:
- Urgency + secrecy. "Do this now" plus "don't tell anyone" is a classic combo. Real bosses don't operate like this.
- Gift card requests. Ever. No legitimate business transaction involves buying iTunes cards at Walgreens. If your boss is asking for gift cards, something is very wrong.
- "Don't call me." If they discourage phone verification, that's because their voice would give them away.
- Slightly off email address. Look at the actual email address, not just the display name. [email protected] is not [email protected].
- Requests outside normal hours. Weekend emergencies are a favorite tactic because you can't easily verify.
- Vague details. Real requests have context. "Client appreciation" with no client name? Suspicious.
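The red flags above are exactly the kind of thing a mailbox rule or a help-desk triage script can check before a human ever reads the message. The following is an added example, not code from the original post: it parses a raw email, compares the real sender domain against a trusted list (catching lookalikes such as a .co domain standing in for .com), notices a Reply-To that points somewhere else, and searches the subject and body for the urgency, secrecy and gift-card phrasing described above. The trusted domain, the sample messages and the phrase lists are all constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains this organisation legitimately sends from (constructed for the example).
TRUSTED_DOMAINS = {"example.com"}

# Phrase lists mapped to the red flags in the post. Matching is done on
# lowercased text, so the patterns are lowercase too.
URGENCY_PATTERNS = [r"\basap\b", r"\burgent", r"right now", r"time.sensitive", r"in a meeting"]
SECRECY_PATTERNS = [r"don'?t tell", r"keep this (between us|confidential|quiet)",
                    r"don'?t call", r"can'?t talk"]
GIFT_CARD_PATTERNS = [r"gift ?cards?", r"itunes", r"amazon cards?", r"google play",
                      r"scratch off", r"(send|text) (me )?the codes?"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str) -> bool:
    """True when an untrusted domain's first label is within one edit of a
    trusted one: example.co, examp1e.com and exampel.com all trip this."""
    if domain in TRUSTED_DOMAINS:
        return False
    label = domain.split(".")[0]
    return any(edit_distance(label, t.split(".")[0]) <= 1 for t in TRUSTED_DOMAINS)


def analyze(raw_message: str) -> dict:
    """Return the red flags found in one RFC 5322 message plus a verdict."""
    msg = message_from_string(raw_message)
    _display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    body = "" if msg.is_multipart() else str(msg.get_payload())
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    flags = []
    if domain and domain not in TRUSTED_DOMAINS:
        flags.append("external_sender")
        if lookalike(domain):
            flags.append("lookalike_domain")
    # A Reply-To pointing somewhere other than the From address means your
    # answer (and the codes) go to a mailbox the apparent sender never sees.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != address.lower():
        flags.append("reply_to_mismatch")
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        flags.append("urgency")
    if any(re.search(p, text) for p in SECRECY_PATTERNS):
        flags.append("secrecy")
    if any(re.search(p, text) for p in GIFT_CARD_PATTERNS):
        flags.append("gift_card_request")

    # Gift cards, a lookalike sender, or urgency combined with secrecy are each
    # enough on their own; anything else needs two hits before it is escalated.
    if ("gift_card_request" in flags or "lookalike_domain" in flags
            or {"urgency", "secrecy"} <= set(flags)):
        verdict = "high"
    elif len(flags) >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {"from": address, "flags": flags, "verdict": verdict}


# Constructed sample messages; the names and addresses are made up.
SCAM_EMAIL = """\
From: "Dana Lee (CEO)" <dana.lee@example.co>
Reply-To: dana.lee.ceo@webmail.example.net
To: pat@example.com
Subject: Quick favor - need this ASAP
Content-Type: text/plain

Hi Pat, I'm in a meeting and can't talk. I need you to pick up $500 in
Amazon gift cards for a client appreciation thing. Scratch off the back
and text me the codes. Don't tell anyone yet, it's a surprise. Thanks.
"""

LEGIT_EMAIL = """\
From: "Dana Lee" <dana.lee@example.com>
To: pat@example.com
Subject: Q3 budget review
Content-Type: text/plain

Hi Pat, could you send me the updated Q3 budget spreadsheet before Friday's
review? No rush if you're tied up today. Thanks, Dana
"""

if __name__ == "__main__":
    for sample in (SCAM_EMAIL, LEGIT_EMAIL):
        print(analyze(sample))
```

The scam sample trips every flag and comes back "high"; the ordinary budget request from the real domain comes back "low" with no flags. The point is not that keyword lists are foolproof (AI-written lures will vary the wording) but that the structural signals, a sender domain one character off and a Reply-To that leaks answers elsewhere, survive no matter how polished the prose is.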
The One-Sentence Rule That Stops 90% of These Scams
If someone asks you to move money or buy something, call them on a number you already have.
Not the number in the email. Not the number in their signature. A number you've called before, or one you look up yourself.
That's it. That one step would prevent most of these scams. Scammers are betting you won't take 30 seconds to verify. Prove them wrong.
What to Do If Your Business Gets Targeted
First, don't feel stupid. 68% of data breaches involve a human element—people clicking on things they shouldn't. The scam is designed to trick you. Smart people fall for it all the time.
If you catch it before sending money:
- Report the email to your IT person (or forward it to your email provider's abuse address)
- Tell your team so they know to watch for similar attempts
- Block the sender
If you already sent the gift card codes:
- Contact the gift card company immediately—sometimes they can freeze the cards
- File a report with the FBI's Internet Crime Complaint Center
- Document everything for your records
Simple Steps to Protect Your Business
You don't need expensive security software to stop most of these attacks. You need policies:
- Two-person rule for money. Any transfer, gift card purchase, or bank change needs approval from two people. Period.
- Verbal verification for anything urgent. If it's truly urgent, a 30-second phone call won't slow things down.
- Train your team. Show them what these emails look like. Make it okay to question things. Better to ask a dumb question than lose $5,000.
- Check your email security. At minimum, make sure your domain can't be easily spoofed. There are free tools to check this.
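"Can't be easily spoofed" comes down to two DNS TXT records: SPF at the domain itself and DMARC at _dmarc.yourdomain. The following is an added example, not code from the original post or from any particular checking tool: it reads those two records and reports the weak settings that leave a domain open to forged From: headers, with a constructed example.com shown in its weak and hardened forms. The record contents are made up for the example; the tag names and qualifiers (p=, sp=, pct=, rua=, -all, ~all, ?all, +all) are the standard ones from the SPF and DMARC specifications.

```python
from typing import Dict, List, Optional


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' DMARC record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: Optional[str]) -> List[str]:
    """Findings about the SPF TXT record at the domain apex (empty list = fine)."""
    if not record:
        return ["no SPF record: receivers cannot tell which servers may send for this domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["malformed SPF record: it must start with v=spf1"]
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        if any(t.lower().startswith("redirect=") for t in terms):
            return []  # the redirect target's record decides; out of scope here
        return ["SPF has no 'all' mechanism: unlisted senders get a neutral result"]
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    if qualifier == "+":
        return ["SPF ends with +all: every host on the internet passes the check"]
    if qualifier == "?":
        return ["SPF ends with ?all: unlisted senders are neutral, which is no protection"]
    if qualifier == "~":
        return ["SPF ends with ~all (softfail): only meaningful if DMARC enforces"]
    return []  # -all: hard fail for anything not listed


def assess_dmarc(record: Optional[str]) -> List[str]:
    """Findings about the TXT record at _dmarc.<domain> (empty list = fine)."""
    if not record:
        return ["no DMARC record: receivers are never told to reject a forged From: header"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["malformed DMARC record: it must start with v=DMARC1"]
    policy = tags.get("p")
    if policy not in {"none", "quarantine", "reject"}:
        return ["DMARC record has no valid p= tag"]
    findings = []
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    else:
        pct = int(tags.get("pct", "100"))
        if pct < 100:
            findings.append(f"DMARC pct={pct}: only {pct}% of failing mail gets the policy applied")
        if tags.get("sp", policy) == "none":
            findings.append("DMARC sp=none: subdomains of this domain can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives the reports that show who is spoofing you")
    return findings


def assess_domain(spf_record: Optional[str], dmarc_record: Optional[str]) -> dict:
    """Combine both records. SPF alone checks the envelope sender, which the
    recipient never sees; only an enforcing DMARC policy ties the visible
    From: domain to authentication results, so that is what 'enforcing' means."""
    tags = parse_tags(dmarc_record) if dmarc_record else {}
    enforcing = tags.get("p") in {"quarantine", "reject"} and int(tags.get("pct", "100")) == 100
    return {"enforcing_dmarc": enforcing,
            "findings": assess_spf(spf_record) + assess_dmarc(dmarc_record)}


# Constructed records for a hypothetical example.com: the weak posture many
# small businesses are left with, beside the hardened version.
WEAK = {"spf": "v=spf1 include:_spf.example.net ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com"}
HARDENED = {"spf": "v=spf1 include:_spf.example.net -all",
            "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"}

if __name__ == "__main__":
    for name, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, assess_domain(records["spf"], records["dmarc"]))
```

To run it against your own domain, pull the live records with `dig +short TXT yourdomain.com` and `dig +short TXT _dmarc.yourdomain.com` and pass the two strings to assess_domain. The weak pair above comes back with two findings and enforcing_dmarc False; the hardened pair comes back clean. Moving from p=none to p=reject is the single change that makes receivers actually drop mail forged in your name, which is why the check keys on it.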
The AI Thing Is Only Getting Worse
Over 80% of phishing emails now use AI in some form—whether it's writing the text, personalizing the message, or helping evade spam filters. And the FBI reported a 37% rise in AI-assisted business email compromise in their latest report.
The grammar mistakes that used to be obvious red flags? AI fixed those. The awkward phrasing? Gone. These emails are getting better, which means you need to get better at spotting them through behavior patterns, not just typos.
The good news: scammers still rely on urgency and secrecy. That human element doesn't change. If something feels rushed or hush-hush, that's your signal to slow down and verify.
The Bottom Line
Your boss will never be mad at you for taking 30 seconds to verify a request. But they might be pretty upset if you send $2,000 in gift cards to a scammer in Nigeria.
When in doubt: pick up the phone.
Got questions about securing your business email or want help setting up verification policies? Give me a call. This stuff isn't complicated—it just needs to be set up right.