How to Set Up an AML Compliance Program

by Jimmy Fong
Gift cards are often seen as impersonal and a last-minute gift idea. But the fact of the matter is that both businesses and customers love them and the convenience and flexibility they involve.
Gift card sales are projected to hit $510M by 2025, according to MagePlaza.
Unfortunately, bad actors also love how easy it is to use gift cards for fraud, scams, and other nefarious deeds. Today’s post will break down how it works and how better risk operations (RiskOps) can improve your online store’s gift card fraud prevention.
Gift card fraud includes any kind of fraudulent activity or scam that uses a gift card to accomplish its goal. It can involve a gift card seller, a fraudulent shop, an unscrupulous cashier, or an online shopper.
Gift card fraud can take place in a variety of ways, including cloning, theft, account takeover, or exploiting errors on the merchant side.
Fraudsters can easily convert a gift card into either money or merchandise, or use it to make smaller individual transactions in a way that, in some cases, is practically untraceable. For example, certain complex fraud schemes set up phony subscriptions and applications to launder money via Google Play store vouchers.
There are a number of gift card fraud techniques out there. Here are the six most popular techniques used by fraudsters.
Please note that there are technical differences between gift cards, prepaid cards and vouchers, but we’ll be using all three terms interchangeably here, as they have very similar uses in the context of fraud.
The most common gift card fraud type is also the most obvious: Fraudsters purchase them with stolen credit card numbers. By the time the merchant that issued the gift cards receives a chargeback request from the legitimate cardholder, it’s too late to cancel or void it.
In this scenario, a victim receives a phone call, email or SMS prompting them to pay for a service. It’s usually urgent and usually something official-sounding, such as a utility bill, bank charge or postal delivery fee. The fraudsters instruct the victim to purchase a gift card from their nearest retailer. They are asked to read the digit code over the phone or to send it. Because gift cards are more difficult to trace than bank transfers, this method is more likely to work in the fraudster’s favor.
A fraudster purchases an item from your store with a stolen credit card. They return it and ask for a refund on a gift card. Why? You’ve guessed it! It’s so they can extract the money from the original card and store it on a gift card that isn’t traceable. They can then purchase items with the gift card or simply resell it on a classifieds site.
This is probably one of the most complex and technically challenging forms of attacks on our list. It involves fraudsters who manage to hack into the company’s network (or use social engineering attacks and phishing) to access the software that generates the shop’s gift card numbers and create some for their own use. In other scenarios, these hackers simply leak the gift card numbers, as seen with the Australian retailer Woolworths in 2015, when AUD 1.3 million/USD 1 million’s worth of gift cards was made available on the dark web.
Account takeovers are the bane of online stores but fraudulent purchases can be stopped before an item is shipped. More seasoned criminals, however, will purchase gift cards instead, which can be delivered immediately (digitally) and don’t raise too many suspicions.
This scam targets people selling gift cards. Let’s say you’ve received a gift card and put it up for sale. An interested buyer gets in touch but they say they need to know you’re being honest, so they ask to listen in on a call you make to the issuer to confirm the gift card balance. As you type the number into the automated phone system that will confirm the balance, the buyer is recording the phone’s tones, from which they will extract the card code. By the time you realize what you’ve done, the scammer has the gift card’s code and can use it to purchase items online.
Gift card numbers are easier to crack than credit card numbers because they’re not tied to a specific address or identity. So it’s no surprise that fraudsters and cybercriminals have built software that will simply try all the possible combinations on online stores’ checkout forms.
You’ll notice that many retailers now refuse to tell you on their website how much balance there is on your gift card. They prefer sending a message via SMS or email, almost like 2FA for gift cards. This is done specifically to avoid giving away the balance information to such bots.
In this scam, a fraudster goes to a brick-and-mortar store, takes a gift card out of the packaging and writes down the number. They then place it back on the shelf.
At some point, a legitimate buyer will purchase it and add money to it. Meanwhile, the fraudster regularly checks the balance on the card until it finally goes up. They quickly make a purchase before the legitimate buyer can.
Note that some gift card manufacturers have added scratchable PINs to prevent these kinds of attacks. But this doesn’t always work either; thieves simply scratch them off and repaint over the PIN label or use stickers to cover them up.
Gift cards generally need to be activated over the phone or online. Fraudsters recreate these sites or intercept these phone calls to capture the gift card’s details. This is particularly dangerous if you search for the gift card activation website online instead of typing the URL manually, as fraudsters can exploit search engines’ algorithms to place their fake websites at the top of the results.
We’ve already covered triangulation fraud in our article on ecommerce fraud detection and prevention. The same principles apply to gift cards. In short, a fraudster sets up a seller account on a website such as eBay or Etsy, and accepts gift card payments. When you place an order, they purchase the same item from another store using a stolen credit card, and arrange for the order to be shipped to you. They pocket the gift card balance, or simply use it to make another payment elsewhere.
Double dipping is when someone uses the same gift card to make two purchases. This method works thanks to the popularity of online gift card reselling marketplaces. Here’s a quick breakdown:
They’ve essentially sold the card balance and used it at the same time, hence the term double dipping.
While the majority of scenarios above can be prevented by common sense (especially those involving buying or selling gift cards), there are numerous steps online stores can take when considering how to prevent gift card fraud.
While there are databases to track prepaid, gift and virtual cards, it’s probably wise to have an internal system for tracking the gift cards that are valid at your store. You could create a custom field in your fraud prevention engine, for instance, which looks specifically at data associated with the gift card numbers you’ve distributed.
Some fraud prevention tools also allow you to track custom fields to look for suspicious duplicates. You can use that to your advantage by generating a hash for every card and receiving alerts if they’re used twice.
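One way to implement the per-card hash and duplicate alert described above, together with a check for the checkout-form guessing bots covered earlier. This is an added example, not SEON's code or API: the key, thresholds, event fields and sample events are all constructed, and it assumes each card should be redeemed on one order only.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Assumed values for this example: key, window and threshold are illustrative.
HASH_KEY = b"example-key-load-from-a-secret-store"
WINDOW_SECONDS = 300
MAX_DISTINCT_FAILURES = 5

def card_fingerprint(code: str) -> str:
    """Keyed hash of a normalized card code, so raw codes never reach logs."""
    normalized = code.replace("-", "").replace(" ", "").upper()
    return hmac.new(HASH_KEY, normalized.encode(), hashlib.sha256).hexdigest()

class GiftCardMonitor:
    def __init__(self):
        self.redeemed = {}                  # fingerprint -> first order id
        self.failures = defaultdict(deque)  # client -> (timestamp, fingerprint)

    def record(self, ts, client, code, order_id, valid):
        """Return the alerts raised by one checkout attempt."""
        alerts = []
        fp = card_fingerprint(code)
        if not valid:
            # Many different invalid codes from one client looks like guessing.
            window = self.failures[client]
            window.append((ts, fp))
            while window and ts - window[0][0] > WINDOW_SECONDS:
                window.popleft()
            if len({f for _, f in window}) >= MAX_DISTINCT_FAILURES:
                alerts.append(f"enumeration:{client}")
            return alerts
        # A valid code seen on a second order is the "used twice" case.
        first = self.redeemed.setdefault(fp, order_id)
        if first != order_id:
            alerts.append(f"duplicate:{first}:{order_id}")
        return alerts

def run_sample():
    """Replay constructed checkout events and collect every alert."""
    monitor = GiftCardMonitor()
    events = [  # (timestamp, client, code, order id, code was valid)
        (0, "198.51.100.7", "GC-AAAA-0001", "order-1", True),
        (60, "203.0.113.9", "gc aaaa 0001", "order-2", True),
    ]
    events += [(100 + i, "192.0.2.44", f"GC-ZZZZ-{i:04d}", f"try-{i}", False)
               for i in range(6)]
    return [a for event in events for a in monitor.record(*event)]
```

Using a keyed hash rather than a plain one matters here because gift card codes are short enough that an unkeyed hash could be reversed by trying every code.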
Whether it’s to control account takeovers (ATO) or to keep better watch on employee logins, you need a strong system in place to monitor what happens on your platform.
It’s also helpful to have a strong policy on refunds on gift cards – which should be decided by both the customer service team and the risk management team.
Check if gift card trading sites hold any that relate to your store. It can be a simple but effective part of your risk management strategy to anticipate fraud, especially if you’ve seen seasonal spikes.
Fraudsters employ hit-and-run tactics, rushing to pay with gift cards before exiting your store and disappearing without a trace. You can choose to push new users to pay for transactions with a regular credit card before they can activate their gift card.
Because gift cards are often distributed internally by online stores, it’s your job to control access to that valuable data. There is an overlap between IT security and cybersecurity that is best addressed, especially if you want to avoid social engineering attacks.
Gift cards have great benefits for the ecommerce industry, but offering them without a risk strategy could come back to haunt you. Because they’re pretty much untraceable, low-friction and transferable, they’re a fraudster’s favorite.
But gift cards are only the tip of the iceberg when it comes to reducing CNP (card not present) fraud. Make sure your business is prepared with tools that can work equally well to anticipate, block and investigate card fraud as well as other key attacks on online stores.
Unfortunately, there’s not much to do from the business side. You could contact a local police department but the best thing to do is to log as much information as possible related to the scammer and blacklist it.
As an ecommerce brand, it is a good idea to educate your customers on gift card fraud, especially if you’ve noticed an increase in attempts. This could be as simple as writing an informative blog article, email newsletter or social media post with a handful of general tips and best practices.
Jimmy Fong is the Chief Commercial Officer of SEON. His expertise in payments saw him supervise the acquisitions of companies by Ingenico, Visa and American Express. Jimmy’s enthusiasm for transparent sales and Product-Led-Growth companies drives SEON’s global expansion strategy, and he interviews both fraud managers and darknet fraudsters in our podcast to stay on top of the latest risk trends. Yes, it’s also him wearing the bear suit on our YouTube channel.