Gift cards are often seen as impersonal and a last-minute gift idea. But the fact of the matter is that both businesses and customers love them.
Gift card sales are projected to hit $510M by 2025, according to MagePlaza.
Unfortunately, bad actors also love how easy it is to use gift cards for fraud, scams and other nefarious deeds. Today’s post will break down how gift card fraud works and how better Risk Operations (RiskOps) can improve your online store’s gift card fraud prevention.
What is Gift Card Fraud?
Gift card fraud includes any kind of fraudulent activity or scam that uses a gift card to accomplish its goal. It can involve a gift card seller, a fraudulent shop, an unscrupulous cashier or an online store customer.
Why Gift Card Fraud Works
There are many different ways gift cards are used in the context of fraud. But at their core, they tend to be successful because:
- Gift cards are anonymous: unlike credit cards, there is no real-life identity attached to them.
- They are easy to trade: there is a huge world of gift card traders and marketplaces.
- They are frictionless: paying with a gift card is as simple as entering numbers into a field. It’s fast and easy.
- They work both online and in-store: gift cards can be swiped, but the code also works online. Essentially, you only need the code to use the balance, which makes them very susceptible to fraudulent attacks using automated software or cloning.
Types of Gift Card Fraud
This type of fraud is quickly becoming one of the highest fraud risks of all online payment methods. Note that there are technical differences between gift cards, prepaid cards and vouchers, but we’ll be using all three terms interchangeably here.
The most common gift card fraud type is also the most obvious: fraudsters purchase them with stolen credit card numbers. By the time the merchant that issues the gift cards receives a chargeback request from the legitimate user, it’s too late to cancel or void it.
In this scenario, a victim receives a phone call, email or SMS prompting them to pay for a service. It’s usually urgent and usually something official-sounding, such as a utility bill, bank charge or postal delivery fee.
The fraudsters instruct the victim to purchase a gift card from their nearest retailer. They are asked to read the digit code over the phone or to send it.
While this may obviously sound like a scam, it should be noted that the average victim of this type of attack is over 65 years of age, as noted by HMRC.
A fraudster purchases an item from your store with a stolen credit card. They return it and ask for a refund on a gift card. You’ve guessed it, it’s so they can extract the money from the original card and store it on a gift card that isn’t traceable.
They can then purchase items with the gift card or simply resell them on a classified site.
This is probably one of the most complex and technically challenging forms of attack here. It involves fraudsters who manage to hack into the company’s software (or use social engineering attacks and phishing to gain access to it) in order to generate gift card numbers.
It’s an infinite money cheat: fraudsters can simply generate the codes and update the data to print money themselves.
In other scenarios, criminals simply leak the gift card numbers, as seen with the Australian retailer Woolworths in 2015, when AU$1.3M worth of gift cards was made available on the dark web.
Account takeovers are the bane of online stores, but the purchases can be stopped before an item needs to be shipped. The more seasoned criminals, however, will purchase gift cards, which can be delivered immediately (digitally) and don’t raise too many suspicions.
Another sophisticated scam, but this one works against people selling gift cards. Let’s say you received a gift card and put it up for sale. An interested buyer gets in touch and asks if they can listen in on a call you make to the company to confirm the gift card balance.
As you type the number into the company’s automated phone system, the buyer is recording the phone tones to extract the card code. By the time you realise what you’ve done, the scammer has the card code and can use it to purchase items online.
How Do I Report a Gift Card Scammer?
Unfortunately, there’s not much to do from the business side. You could contact a local police department, but the best thing to do is to log the information related to the scammer and blacklist it.
Gift card numbers are easier to crack than credit card numbers because they’re not tied to a specific address or identity. So of course fraudsters and cybercriminals have built software that would simply try all the possible combinations on online store checkout forms.
You’ll notice that many retailers now refuse to tell you how much balance there is on your gift card online – they prefer sending a message via SMS or email, almost like 2FA for gift cards – this is done specifically to avoid giving away the balance information to these bots.
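As an added example (not code from the original post), here is one way to spot the code-guessing bots described above from a log of gift card lookups: count the distinct failed codes each client tries inside a sliding window. The window size, the threshold, the tuple layout and the use of an IP address as the client key are all assumptions, and the sample attempts are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300     # assumption: 5-minute sliding window
MAX_DISTINCT_FAILS = 5   # assumption: tune against your own traffic


def detect_enumeration(attempts, window=WINDOW_SECONDS, limit=MAX_DISTINCT_FAILS):
    """attempts: (timestamp, client, code, valid) tuples sorted by timestamp.

    Returns {client: timestamp at which it first exceeded the limit}.
    Distinct codes are counted, so a customer retyping one mistyped code
    is not flagged, while a bot walking through the code space is.
    """
    recent = defaultdict(deque)   # client -> failed (timestamp, code) pairs
    flagged = {}
    for ts, client, code, valid in attempts:
        if valid:
            continue
        failures = recent[client]
        failures.append((ts, code))
        # Drop failures that have aged out of the window.
        while failures[0][0] <= ts - window:
            failures.popleft()
        distinct = {c for _, c in failures}
        if len(distinct) > limit and client not in flagged:
            flagged[client] = ts
    return flagged


# Constructed sample data: one client guessing eight different codes two
# seconds apart, and one customer retyping the same typo before succeeding.
_bot = [(1000 + 2 * i, "203.0.113.7", f"CODE{i:04d}", False) for i in range(8)]
_customer = [(1000 + 10 * i, "198.51.100.20", "GIFT7QX291LN", False)
             for i in range(6)]
_customer.append((1070, "198.51.100.20", "GIFT7QX291LM", True))
SAMPLE_ATTEMPTS = sorted(_bot + _customer)

if __name__ == "__main__":
    for client, ts in detect_enumeration(SAMPLE_ATTEMPTS).items():
        print(f"possible gift card enumeration from {client} at t={ts}")
```

Bots that rotate IP addresses will stay under a per-IP threshold, so the same counter is worth keeping per session, device fingerprint or account as well.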
In this scam, a fraudster goes to a brick-and-mortar store, takes a gift card out of the packaging and writes down the number. They then place it back on the shelf.
A legitimate buyer purchases it and adds money to it. Meanwhile, the fraudster regularly checks the balance on the card until it finally goes up. They quickly make a purchase before the legitimate buyer can.
Note that some gift card manufacturers have added scratchable PINs to prevent these kinds of attacks. Thieves simply scratch them off and repaint over the PIN label or use stickers to cover them up.
Gift cards generally need to be activated over the phone or online. Fraudsters recreate these sites or intercept the phone calls to capture the gift card details themselves. This is particularly dangerous if you search for the gift card activation website online instead of typing the URL manually, as fraudsters can take advantage of search engine algorithms to place their websites at the top of the results page.
We’ve already covered triangulation fraud in our article on eCommerce fraud detection and prevention. The same principles apply to gift cards. In short, a fraudster sets up a seller account on a website such as eBay or Etsy and accepts gift card payments. They then purchase the same item from another store using a stolen credit card and ship you the order. They pocket the gift card balance, or simply use the number to make another payment elsewhere.
Double-dipping happens when someone uses the same gift card to make two purchases. It works in practice thanks to the popularity of online gift card reselling marketplaces.
Here’s how it works:
- A buyer offers you cash for an unwanted gift card.
- Instead of waiting for the card to arrive by post, they accept the gift code.
- The fraudster sells the gift code, and quickly uses the card to purchase something.
They’ve essentially sold the card balance and used it at the same time, hence the term double-dipping.
How eCommerce Merchants Should Protect Themselves
While the majority of scenarios above can be prevented by common sense (especially those involving buying or selling gift cards), there are numerous steps online stores should take when considering how to prevent that kind of fraud.
Track The Gift Card Data
While there are databases to track prepaid, gift and virtual cards, it’s probably wise to have an internal system for tracking the gift cards that are valid at your store. You could create a custom field in your fraud prevention engine, for instance, that looks specifically at data associated with the gift card numbers you’ve distributed.
Some fraud prevention tools also allow you to track custom fields to look for suspicious duplicates. You can use that to your advantage by generating a hash for every card and getting alerts if they’re used twice.
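The hash-and-alert idea above, sketched as an added example (not code from the original post or from any fraud prevention product). It uses a keyed hash (HMAC-SHA256) rather than a plain hash, because gift card codes are short enough that an unkeyed hash could be reversed by hashing every possible code. The key, the event fields and the sample orders are constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumption: in production this key comes from a secrets manager.
HASH_KEY = b"constructed-demo-key"


def card_fingerprint(code: str, key: bytes = HASH_KEY) -> str:
    """Keyed hash of a gift card code, safe to store as a custom field.

    The code is normalised first so that 'abcd-1234' and 'ABCD 1234'
    produce the same fingerprint.
    """
    normalised = "".join(ch for ch in code.upper() if ch.isalnum())
    return hmac.new(key, normalised.encode(), hashlib.sha256).hexdigest()


def find_reuse(events, key: bytes = HASH_KEY):
    """Return one alert for every redemption of an already-seen card.

    Reuse by a different account is labelled separately from repeat use
    by the same account, which may just be a partial-balance purchase.
    """
    seen = defaultdict(set)   # fingerprint -> accounts that redeemed it
    alerts = []
    for ev in events:
        fp = card_fingerprint(ev["code"], key)
        if seen[fp]:
            reason = ("repeat use" if ev["account"] in seen[fp]
                      else "different account")
            alerts.append({"order": ev["order"], "fingerprint": fp[:12],
                           "reason": reason})
        seen[fp].add(ev["account"])
    return alerts


# Constructed sample redemptions; the codes are made up.
SAMPLE_EVENTS = [
    {"order": "A-1001", "account": "alice", "code": "GIFT-7QX2-91LM"},
    {"order": "A-1002", "account": "bob", "code": "PROMO-55TT-0KZ8"},
    {"order": "A-1003", "account": "mallory", "code": "gift 7qx2 91lm"},
    {"order": "A-1004", "account": "bob", "code": "PROMO55TT0KZ8"},
]

if __name__ == "__main__":
    for alert in find_reuse(SAMPLE_EVENTS):
        print(alert)
```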
Increase Internal Controls
Whether it’s to control account takeovers (ATO) or to keep better watch on employee logins, you need a strong system in place to monitor what happens on your platform.
It’s also helpful to have a strong policy on refunds on gift cards – and it should be agreed upon by both the customer service team and risk management teams.
Monitor Gift Card Trading Sites
Check whether gift card trading sites hold cards relating to your store. It can be a simple but effective part of your risk management strategy to anticipate fraud, especially if you’ve seen seasonal spikes.
Delay Card Activation
Fraudsters employ hit-and-run tactics, rushing to pay with gift cards before exiting your store and disappearing without a trace. Make sure you push them to pay for transactions with a regular credit card before they can activate the gift card.
Boost IT Security
Because gift cards are often distributed internally by online stores, it’s your job to control access to that valuable data. There is an overlap between IT security and cybersecurity, especially if you want to avoid social engineering attacks.
Anticipate All Possible Online Store Risk Vectors
Gift cards have great benefits for the eCommerce industry, but offering them without a risk strategy could come back to haunt you. Because they’re pretty much untraceable, low-friction and transferable, they’re a fraudster’s favourite.
But they’re only the tip of the iceberg when it comes to reducing CNP (card not present) fraud. Make sure your business is prepared with tools that can work equally well to anticipate, block and investigate gift card fraud as other key attacks on online stores.
Jimmy is the CCO of SEON and brings his in-depth experience of fraud-fighting to assist fraud teams everywhere.