Gift card sales in the United States closed around 160 billion U.S. dollars in 2018. This signifies a huge upward growth trend, as gift card sales has nearly doubled since 2010.
Deloitte’s 2018 Holiday Survey of Consumers found that during the 2018 gift-giving season, shoppers planned to spend $525 to purchase an average of 16 gifts, with gift cards as the most popular item. It also found that the percentage of people planning to give gift cards or gift certificates has increased by 10% over the last five years.
Gift cards provide scammers and fraudsters with numerous, virtually untraceable ways to steal. Gift cards are targeted by fraudsters because it’s easy to convert a gift card into money or merchandise. For many merchants, gift cards have the highest fraud attempt rates of all products sold.
Fraudsters will capitalize on peak sales periods because not only is it easier to hide within the surge of transactions, but many merchants loosen fraud controls during this time due to a lack of resources, or just to maximize sales.
Virtual gift cards are even easier to scam than physical gift cards, and they are growing in popularity due to the convenient delivery, flexibility of gift amounts, high level of personalization, and the fact that they allow several people to contribute to a single e-gift card.
Rather than risk a bad reputation with good customers, merchants will just bear the cost of honoring any gift card, regardless of its legitimate or fraudulent origin.
Because the conditions of use for gift cards are not standard, they can face a lot of creative fraud attempts. Fraud schemes involving gift cards range from the most traditional (ex. purchases with stolen data), to very creative (an alliance of clerks coordinating to practice fraud).
This is the most popular type of fraud for electronic gift cards. Fraudsters use stolen credit card data to buy electronic gift cards, which are later sold in secondary marketplaces for cash. The cardholder later finds the fraudulent purchase and asks for the chargeback.
A fraudster places an order for goods using a stolen, but legitimate-looking credit card. That is, it utilizes the cardholder's actual personal and delivery information. Shortly after the transaction is approved, and before the cardholder realizes that the transaction has been fraudulent, the fraudster calls the store to cancel the transaction. Instead of having the refund be put on the credit card used for the purchase, the fraudster requests that the refund is placed on a gift card (which is generally not traceable). Upon receiving the gift card, the fraudster makes a new purchase with it. Later, the owner of the credit card notices the fraud and requests the chargeback, leaving the merchant at a loss.
In an ATO fraud scheme, fraudsters will leverage stolen login credentials to take over a consumer’s account, where they can update contact information so any customer service calls or emails get routed to the criminal. From there, criminals have many options to obtain gift cards: they can purchase multiple low dollar digital gift cards, transfer several amounts into one “master” account, or leverage a reputable account with a positive history of purchases to simply redeem a stolen e-gift card without scrutiny.
Fraudsters will acquire gift card numbers in bulk from merchants, issuers, reward programs, etc. This can be done through several methods, like phishing, SQL injection, social engineering, fraudulent employees, and accidental disclosure.
Fraudsters usually test stolen credit cards by purchasing low-priced items. Card testing can be leveraged to purchase small increments of electronic gift cards that can be consolidated into one large amount. Fraudsters have numerous reason to practice card testing, such as getting validation that stolen data is accurate or becoming familiar with a merchant’s fraud controls.
Many gift cards will require online activation before usage. Fraudsters can use bots to create millions of combinations of codes and test the systems in place, until a good combination is reached. Bots can also be used to find a match between a valid gift card number and a recently activated balance. Once the bot finds a match, hackers use the gift card themselves or sell it on the dark web.
Gift cards work essentially the same as credit cards, with the option of being used online based on manual key entry of its information, or with a magnetic stripe. Gift cards may or may not have an additional level of security, sometimes they have a PIN number covered with a coating that needs to be scratched off. In many stores, gift cards are sitting out in an accessible place, making them easy target for fraudsters. The magnetic stripe number can be copied, photographed, or read with a magnetic stripe reader. The PIN number protection can be scratched off and then replaced with stickers sold online. From there, it’s a waiting game. Most merchants offer a way to check gift card balances online or through call centers. The fraudsters will wait until the cards are activated by a legitimate purchase. And as soon as they are, they will transfer balances to another card, or sell the card.
Fraudsters can hack credit card rewards or travel loyalty accounts to quickly monetize the value of the credits into gift cards, which are hard to trace and can be easily converted into money. Usually, the site will give the fraudster a gift card number on the spot, which can be printed out and used in-store or online.
Some gift cards are activated at the moment that they are scanned at the cashier, and the money is stolen before the completion of the purchase. In this scenario, fraudsters come in pairs.
Step 1: Fraudster 1 takes note of the number of the gift card.
Step 2: Fraudster 2 brings the gift card to the cashier and asks for it to be loaded. The card is then scanned, therefore activated.
Step 3: Fraudster 1 asks for a money transfer at the gift card call center, quickly draining the gift card of its value.
Step 4: Fraudster 2 cancels the transaction at the cashier. Both fraudsters walk out with the funds, no purchase was even required.
Some stores offer a return policy where items can be returned for a store credit higher than the purchase amount.
This has the value of keeping the purchase with the store and keeping the customer coming back. Here is an example of how this would work: a fraudster buys a $50.00 dollar shirt, which later is returned for a 120% store credit; the fraudster now can purchase any item worth $60.00 dollars ($50.00 x 1.20); the fraudster then returns to the store and buys a $60.00 item, which had only cost him only $50.00.
While this setup is done with the permission of the store, if it is used repeatedly with the intention of scamming the store out of return credit and especially when coordinated with employees of the store, fraudsters can make big profits with this scheme.
A researcher impersonating a fraudster found an IT glitch that let him transfer balances between cards without deducting any value. By initiating two identical web transfers at once, the fraudster was able to trick the system into recording them both. Normally, you could take a $10 gift card and move that money to another $10 gift card, which would leave you with one empty gift card and one with a balance of $20. In this case, the fraudster was able to duplicate that transfer, giving him an empty gift card and a $30 gift card. When these accounts reach zero, many of them are automatically reloaded, giving fraudsters quick access to new funds on the empty cards.
3-Way Call to check balance: a person lists a legitimate gift card for sale on a reselling website. The fraudster impersonates a potential buyer and makes an offer and asks the seller to confirm the balance on the card by calling the merchant in a three-way call. The fraudster then records the touch tone numbers of the gift card as the seller enters it, and can then intercept the full card number. This gives him full access to the gift card without completing the purchase.
Clerk employees acting as an organized gang: as the buyer hands a gift card to the cashier for activation, the cashier activates a different card and hands the original back to the customer. The cashier racks up activated gift cards while handing out empty ones.
ClearSale helps merchants track their data in order to have a better understanding of the affect fraud has on their bottom line, how to look for specific trends that can mitigate fraud attempts, and how to find areas of the business that present risk potential.