Gift Card Fraud: How to Prevent and Detect It in 2022

Gift cards are often seen as impersonal and a last-minute gift idea. But the fact of the matter is that both businesses and customers love them and the convenience and flexibility they involve.

Gift card sales are projected to hit $510M by 2025, according to MagePlaza. 

Unfortunately, bad agents also love how easy it is to use gift cards for fraud, scams, and other nefarious deeds. Today’s post will break down how it works and how better risk operations (RiskOps) can improve your online store’s gift card fraud prevention. 

What Is Gift Card Fraud?

Gift card fraud includes any kind of fraudulent activity or scam that uses a gift card to accomplish its goal. It can involve a gift card seller, a fraudulent shop, an unscrupulous cashier, or an online shopper.  

How Does Gift Card Fraud Work?

There are many different ways gift cards are used in the context of fraud. Gift card fraud can take place in a variety of ways including cloning, theft, account takeover, or exploiting errors on the merchant side.

Fraudsters can use a gift card to easily convert it into either money or merchandise, or make smaller individual transactions using a method that, in some cases, is practically untraceable. For example, certain complex fraud schemes set up phony subscriptions and applications to launder money via Google Play store vouchers.

Why Is Gift Card Fraud So Successful?

• Gift cards are anonymous: Unlike credit cards, there is no real-life identity attached to gift cards.
• They are easy to trade: There is a huge world of gift card traders and marketplaces.
• They are frictionless: Paying with a gift card is as simple as entering numbers into a field. It’s fast and easy – much more so than debit and credit cards.
• They work both online and in-store: Gift cards can be swiped, but their code also works online. Essentially, you only need the code to use the balance, which makes them very susceptible to fraudulent attacks using automated software or cloning.

11 Examples of Gift Card Fraud

There are a number of gift card fraud techniques out there. Here are the six most popular techniques used by fraudsters.

Please note that there are technical differences between gift cards, prepaid cards and vouchers, but we’ll be using all three terms interchangeably here, as they have very similar uses in the context of fraud.

1. Gift Card Chargeback

The most common gift card fraud type is also the most obvious: Fraudsters purchase them with stolen credit card numbers. By the time the merchant that issued the gift cards receives a chargeback request from the legitimate cardholder, it’s too late to cancel or void it. 

2. Pay with Gift Card Scam

In this scenario, a victim receives a phone call, email or SMS prompting them to pay for a service. It’s usually urgent and usually something official-sounding, such as a utility bill, bank charge or postal delivery fee. The fraudsters instruct the victim to purchase a gift card from their nearest retailer. They are asked to read the digit code over the phone or to send it. Because gift cards are more difficult to trace than bank transfers, this method is more likely to work in the fraudster’s favor.

3. Gift Card Return Fraud

A fraudster purchases an item from your store with a stolen credit card. They return it and ask for a refund on a gift card. Why? You’ve guessed it! It’s so they can extract the money from the original card and store it on a gift card that isn’t traceable. They can then purchase items with the gift card or simply resell it on a classifieds site. 

4. Gift Card Number Generator or Leak

This is probably one of the most complex and technically challenging forms of attacks on our list. It involves fraudsters who manage to hack into the company’s network (or use social engineering attacks and phishing) to access the software that generates the shop’s gift card numbers and create some for their own use. In other scenarios, these hackers simply leak the gift card numbers, as seen with the Australian retailer Woolworths in 2015, when AUD 1.3 million/USD 1 million’s worth of gift cards was made available on the dark web.

5. Gift Card Purchases after Account Takeover

Account takeovers are the bane of online stores but fraudulent purchases can be stopped before an item is shipped. More seasoned criminals, however, will purchase gift cards instead, which can be delivered immediately (digitally) and don’t raise too many suspicions. 

6. Gift Card Phone Balance Check

This scam targets people selling gift cards. Let’s say you’ve received a gift card and put it up for sale. An interested buyer gets in touch but they say they need to know you’re being honest, so they ask to listen in on a call you make to the issuer to confirm the gift card balance. As you type in the number into the automated phone system that will confirm the balance, the buyer is recording the phone’s tones, from which they will extract the card code. By the time you realize what you’ve done, the scammer has the gift card’s card code and can use it to purchase items online.

7. Brute Force Bots

Gift card numbers are easier to crack than credit card numbers because they’re not tied to a specific address or identity. So it’s no surprise that fraudsters and cybercriminals have built software that will simply try all the possible combinations on online stores’ checkout forms. 

You’ll notice that many retailers now refuse to tell you on their website how much balance there is on your gift card. They prefer sending a message via SMS or email, almost like 2FA for gift cards. This is done specifically to avoid giving away the balance information to such bots.

8. Tracking Card Number Scam

In this scam, a fraudster goes to a brick-and-mortar store, takes a gift card out of the packaging and writes down the number. They then place it back on the shelf.

At some point, a legitimate buyer will purchase it and add money to it. Meanwhile, the fraudster regularly checks the balance on the card until it finally goes up. They quickly make a purchase before the legitimate buyer can.

Note that some gift card manufacturers have added scratchable PINs to prevent these kinds of attacks. But this doesn’t always work either; thieves simply scratch them off and repaint over the PIN label or use stickers to cover them up. 

9. Gift Card Activation Phishing

Gift cards generally need to be activated over the phone or online. Fraudsters recreate these sites or intercept these phone calls to capture the gift card’s details. This is particularly dangerous if you search for the gift card activation website online instead of typing the URL manually, as fraudsters can exploit search engines’ algorithms to place their fake websites at the top of the results. 

10. Triangulation Gift Card Scam

We’ve already covered triangulation fraud in our article on ecommerce fraud detection and prevention. The same principles apply to gift cards. In short, a fraudster sets up a seller account on a website such as eBay or Etsy, and accepts gift card payments. When you place an order, they purchase the same item from another store using a stolen credit card, and arrange for the order to be shipped to you. They pocket the gift card balance, or simply use it to make another payment elsewhere.

11. Gift Card Double Dipping

Double dipping is when someone uses the same gift card to make two purchases. This method works thanks to the popularity of online gift card reselling marketplaces. Here’s a quick breakdown:

1. A buyer offers cash to buy an unwanted gift card. 
2. Instead of waiting for the card to be sent by post, they accept the gift code online.
3. The fraudster sells this gift code on a marketplace, and quickly – almost at the same time – uses the card to purchase something.

They’ve essentially sold the card balance and used it at the same time, hence the term double dipping.

5 Gift Card Fraud Detection and Prevention Examples

While the majority of scenarios above can be prevented by common sense (especially those involving buying or selling gift cards), there are numerous steps online stores can take when considering how to prevent gift card fraud.

Track the Gift Card Data

While there are databases to track prepaid, gift and virtual cards, it’s probably wise to have an internal system for tracking the gift cards that are valid at your store. You could create a custom field in your fraud prevention engine, for instance, which looks specifically at data associated with the gift card numbers you’ve distributed.

Some fraud prevention tools also allow you to track custom fields to look for suspicious duplicates. You can use that to your advantage by generating a hash for every card and receiving alerts if they’re used twice.

Increase Internal Controls

Whether it’s to control account takeovers (ATO) or to keep better watch on employee logins, you need a strong system in place to monitor what happens on your platform.  

It’s also helpful to have a strong policy on refunds on gift cards – which should be decided by both the customer service team and the risk management team.

Monitor Gift Card Trading Sites

Check if gift card trading sites hold any that relate to your store. It can be a simple but effective part of your risk management strategy to anticipate fraud, especially if you’ve seen seasonal spikes.

Delay Card Activation

Fraudsters employ hit-and-run tactics, rushing to pay with gift cards before exiting your store and disappearing without a trace. You can choose to push new users to pay for transactions with a regular credit card before they can activate their gift card. 

Boost IT Security

Because gift cards are often distributed internally by online stores, it’s your job to control access to that valuable data. There is an overlap between IT security and cybersecurity that is best addressed, especially if you want to avoid social engineering attacks.

Preventing Gift Card Fraud

Gift cards have great benefits for the ecommerce industry, but offering them without a risk strategy could come back to haunt you. Because they’re pretty much untraceable, low-friction and transferable, they’re a fraudster’s favorite.

But gift cards are only the tip of the iceberg when it comes to reducing CNP (card not present) fraud. Make sure your business is prepared with tools that can work equally well to anticipate, block and investigate card fraud as well as other key attacks on online stores.

Useful Links

• SEON: 5 Types of Ecommerce Fraud: How to Prevent and Detect It in 2021
• SEON: Online Payment Fraud Prevention & Detection
• SEON: 5 Steps to Better Transaction Fraud Detection

Learn more about:

Data Enrichment | Browser Fingerprinting | Device Fingerprinting | Fraud Detection API

Sources:

• MagePlaza: Gift Card Statistics
• CNET: Woolworths Data Breach

Frequently Asked Questions about Gift Card Fraud