Gift Cards Exponential growth

Gift card sales in the United States closed around 160 billion U.S. dollars in 2018. This signifies a huge upward growth trend, as gift card sales has nearly doubled since 2010.

giftcards_img_wd_anim

Gift card sales in the United States from
2006 to 2018 (in billion U.S. dollars)

chart-01

During the holiday season, it gets even more popular:

Gift cards have become a favorite among Americans during gift-giving seasons.

Deloitte’s 2018 Holiday Survey of Consumers found that during the 2018 gift-giving season, shoppers planned to spend $525 to purchase an average of 16 gifts, with gift cards as the most popular item. It also found that the percentage of people planning to give gift cards or gift certificates has increased by 10% over the last five years.

Top 10 items - plan on buying a gift
(% of shoppers)

chart-02

But scammers and fraudsters also love gift cards:

Gift cards provide scammers and fraudsters with numerous, virtually untraceable ways to steal. Gift cards are targeted by fraudsters because it’s easy to convert a gift card into money or merchandise. For many merchants, gift cards have the highest fraud attempt rates of all products sold.

 

Fraudsters will capitalize on peak sales periods because not only is it easier to hide within the surge of transactions, but many merchants loosen fraud controls during this time due to a lack of resources, or just to maximize sales.

Virtual gift cards are even easier to scam than physical gift cards, and they are growing in popularity due to the convenient delivery, flexibility of gift amounts, high level of personalization, and the fact that they allow several people to contribute to a single e-gift card.

Rather than risk a bad reputation with good customers, merchants will just bear the cost of honoring any gift card, regardless of its legitimate or fraudulent origin.

Because the conditions of use for gift cards are not standard, they can face a lot of creative fraud attempts. Fraud schemes involving gift cards range from the most traditional (ex. purchases with stolen data), to very creative (an alliance of clerks coordinating to practice fraud).

To illustrate how complex this can be, we listed some gift card fraud
schemes, from the most popular to the more creative ones:

  • Usage of stolen payment data for eGift card purchases
  • A variation of using stolen payment data for eGift card purchases
  • Account Takeover (ATO)
  • Acquiring numbers in bulk
  • Card Testing
  • Bots and trial & error
  • Data theft before gift cards are activated
  • Reroute miles and loyalty points
  • Buyers acting as an organized gang
  • Fraudsters buying and returning goods: some stores
  • Usage of browser cache for duplicate credits

Usage of stolen payment data for eGift card purchases

Usage of stolen payment data for eGift card purchases

This is the most popular type of fraud for electronic gift cards. Fraudsters use stolen credit card data to buy electronic gift cards, which are later sold in secondary marketplaces for cash. The cardholder later finds the fraudulent purchase and asks for the chargeback.

A variation of using stolen payment data for eGift card purchases

A variation of using stolen payment data for eGift card purchases

A fraudster places an order for goods using a stolen, but legitimate-looking credit card. That is, it utilizes the cardholder's actual personal and delivery information. Shortly after the transaction is approved, and before the cardholder realizes that the transaction has been fraudulent, the fraudster calls the store to cancel the transaction. Instead of having the refund be put on the credit card used for the purchase, the fraudster requests that the refund is placed on a gift card (which is generally not traceable). Upon receiving the gift card, the fraudster makes a new purchase with it. Later, the owner of the credit card notices the fraud and requests the chargeback, leaving the merchant at a loss.

Account Takeover (ATO)

Account Takeover (ATO):

In an ATO fraud scheme, fraudsters will leverage stolen login credentials to take over a consumer’s account, where they can update contact information so any customer service calls or emails get routed to the criminal. From there, criminals have many options to obtain gift cards: they can purchase multiple low dollar digital gift cards, transfer several amounts into one “master” account, or leverage a reputable account with a positive history of purchases to simply redeem a stolen e-gift card without scrutiny.

Acquiring numbers in bulk

Acquiring numbers in bulk

Fraudsters will acquire gift card numbers in bulk from merchants, issuers, reward programs, etc. This can be done through several methods, like phishing, SQL injection, social engineering, fraudulent employees, and accidental disclosure.

Card Testing

Card Testing

Fraudsters usually test stolen credit cards by purchasing low-priced items. Card testing can be leveraged to purchase small increments of electronic gift cards that can be consolidated into one large amount. Fraudsters have numerous reason to practice card testing, such as getting validation that stolen data is accurate or becoming familiar with a merchant’s fraud controls.

Bots and trial & error

Bots and trial & error

Many gift cards will require online activation before usage. Fraudsters can use bots to create millions of combinations of codes and test the systems in place, until a good combination is reached. Bots can also be used to find a match between a valid gift card number and a recently activated balance. Once the bot finds a match, hackers use the gift card themselves or sell it on the dark web.

Data theft before gift cards are activated

Data theft before gift cards are activated

Gift cards work essentially the same as credit cards, with the option of being used online based on manual key entry of its information, or with a magnetic stripe. Gift cards may or may not have an additional level of security, sometimes they have a PIN number covered with a coating that needs to be scratched off. In many stores, gift cards are sitting out in an accessible place, making them easy target for fraudsters. The magnetic stripe number can be copied, photographed, or read with a magnetic stripe reader. The PIN number protection can be scratched off and then replaced with stickers sold online. From there, it’s a waiting game. Most merchants offer a way to check gift card balances online or through call centers. The fraudsters will wait until the cards are activated by a legitimate purchase. And as soon as they are, they will transfer balances to another card, or sell the card.

Reroute miles and loyalty points

Reroute miles and loyalty points

Fraudsters can hack credit card rewards or travel loyalty accounts to quickly monetize the value of the credits into gift cards, which are hard to trace and can be easily converted into money. Usually, the site will give the fraudster a gift card number on the spot, which can be printed out and used in-store or online.

Buyers acting as an organized gang

Buyers acting as an organized gang

Some gift cards are activated at the moment that they are scanned at the cashier, and the money is stolen before the completion of the purchase. In this scenario, fraudsters come in pairs.

  • A

    Step 1: Fraudster 1 takes note of the number of the gift card.

  • B

    Step 2: Fraudster 2 brings the gift card to the cashier and asks for it to be loaded. The card is then scanned, therefore activated.

  • C

    Step 3: Fraudster 1 asks for a money transfer at the gift card call center, quickly draining the gift card of its value.

  • D

    Step 4: Fraudster 2 cancels the transaction at the cashier. Both fraudsters walk out with the funds, no purchase was even required.

Fraudsters buying and returning goods: some stores

Fraudsters buying and returning goods: some stores

Some stores offer a return policy where items can be returned for a store credit higher than the purchase amount.

This has the value of keeping the purchase with the store and keeping the customer coming back. Here is an example of how this would work: a fraudster buys a $50.00 dollar shirt, which later is returned for a 120% store credit; the fraudster now can purchase any item worth $60.00 dollars ($50.00 x 1.20); the fraudster then returns to the store and buys a $60.00 item, which had only cost him only $50.00.

While this setup is done with the permission of the store, if it is used repeatedly with the intention of scamming the store out of return credit and especially when coordinated with employees of the store, fraudsters can make big profits with this scheme.

Usage of browser cache for duplicate credits

Usage of browser cache for duplicate credits

A researcher impersonating a fraudster found an IT glitch that let him transfer balances between cards without deducting any value. By initiating two identical web transfers at once, the fraudster was able to trick the system into recording them both. Normally, you could take a $10 gift card and move that money to another $10 gift card, which would leave you with one empty gift card and one with a balance of $20. In this case, the fraudster was able to duplicate that transfer, giving him an empty gift card and a $30 gift card. When these accounts reach zero, many of them are automatically reloaded, giving fraudsters quick access to new funds on the empty cards.

  • 1

    3-Way Call to check balance: a person lists a legitimate gift card for sale on a reselling website. The fraudster impersonates a potential buyer and makes an offer and asks the seller to confirm the balance on the card by calling the merchant in a three-way call. The fraudster then records the touch tone numbers of the gift card as the seller enters it, and can then intercept the full card number. This gives him full access to the gift card without completing the purchase.

  • 2

    Clerk employees acting as an organized gang: as the buyer hands a gift card to the cashier for activation, the cashier activates a different card and hands the original back to the customer. The cashier racks up activated gift cards while handing out empty ones.

It’s easy to see how complex it might be to prevent gift card fraud

There’s no singular pattern used for these fraud methods, and since gift card fraud is used against both brick-and-mortar and ecommerce retailers, fraud prevention must involve multiple strategies and elements:

  • Data science techniques: retailers need to track the entire lifecycle of the gift card from purchase to redemption, looking for any behavior outside of the common patterns that can be further investigated. Outliers can raise flags that prevent gift cards from being instantly activated or used.
  • Internal controls processes: merchants should run several analysis to cross-reference influx of gift card fraud with employees, branches, promotions, etc. and see what patterns emerge. Retailers should have stringent reconciliation processes aimed at employee fraud, and question any big changes and anomalies that appear. Fraudsters usually act in organized groups and will place more than one fraudulent order at once.
  • Data security actions: merchants should make information security a priority in order to avoid IT glitches or data breaches than can lead to some of the fraud schemes described above.
  • Monitor gift cards trading sites: these sites are good ways to find fraudsters who have stolen card information or ordered gift cards with fraudulent information. Merchants should monitor these sites to avoid their brand being misrepresented.
  • Postpone the activation step: ensure that merchants and employees save the gift card activation for last when scanning a basket of products.

ClearSale helps merchants track their data in order to have a better understanding of the affect fraud has on their bottom line, how to look for specific trends that can mitigate fraud attempts, and how to find areas of the business that present risk potential.

On top of this, ClearSale has the most advanced, flexible, and comprehensive fraud protection solution for merchants to defend themselves against fraud.

Contact an account specialist today to learn more.

Get a Quote

Empower your business with ClearSale. Talk with a CNP fraud expert today.

Our Address

7300 Biscayne Boulevard, Miami, FL, 33138