There is no doubt that gift cards are extremely popular among consumers, especially around the holidays. Why struggle with trying to find someone the perfect gift? A gift card is easy, versatile, and popular with consumers.
Unfortunately, they are also popular with fraudsters.
In the U.S., gift cards represented a $160 billion market in 2018. And in 2019, gift cards remain the most popular item on wish lists, requested by 59% of those surveyed, according to the annual winter holiday survey from the National Retail Federation.
Because gift cards are widely accepted, equivalent to cash, and mostly anonymous, the industry is the target of many criminal schemes. Gift card fraud can range from physical theft to cloning to exploiting programming errors on the merchant side.
The most common form of gift card fraud involves thieves tampering with cards inside the retailer’s store before the cards are purchased by legitimate customers.
Gift cards work essentially the same as credit or debit cards with a magnetic stripe – the gift card number is printed on the card for manual key entry and is also encoded on a magnetic stripe on the back of the card. The criminals can write down or use a handheld card reader to get the card numbers in the store. From there, the thieves wait. Armed with the card’s serial number and PIN, thieves can simply monitor the gift card account at the retailer’s online portal until the cards are paid for and activated. When they are, the thieves encode that card’s data onto any card with a magnetic stripe (cloning) and use that counterfeit card to purchase merchandise at the retailer or convert the card into cash by using a third-party redeemer to drain the funds out of the account.
To avoid this scam, always check the back of the gift card before purchasing. There is a scratch-off area on the back where the pin number is located. Make sure the scratch-off area on the back of the card is still concealing the pin number before you purchase the card.
Sham second-hand cards
The continuing proliferation of gift cards means that many gift cards go unused. These unused cards are often sold online, often at a fraction of their face value.
In most cases, the sale of unwanted cards is a legitimate option. Better to sell a gift card, particularly one of a store or website that the owner does not want to do business with, than let it languish. However, many gift cards being resold online are the product of merchandise return fraud.
Return fraud happens when thieves steal merchandise from one store and return those items to another location of the same retailer without a receipt. Typically, stores will refund the value of the goods returned on a merchandise card if there is no receipt. The thieves then sell the returned merchandise card online. This makes the consumer who purchases the card an unwitting accessory to the crime.
To avoid this scam, look for the gift card to be identified as “merchandise return card.”
An emerging gift card scam is the Business E-mail Compromise (BEC) attack. This is when a cyber-criminal hacks into a corporate e-mail account and impersonates the organization’s owner or senior leader to trick the company or employees into sending digital gift cards to the fraudster’s account. Simply put, employees get an email obstensively from senior executive like a CEO, CFO or COO that asks the employee to send a digital gift card to an account, usually it’s a rush request. Faced with a direct order from a senior official, junior employees tend to move quickly.
This is an insidious scheme that can make any employee a target as scammers impersonate a wide variety of identities on the corporate ladder to enlist innocent employees as accessories.
The average amount requested in these attacks tends to be around $1,500. One report recently released by Agari Security shows that gift cards are connected to roughly two-thirds of all BEC attacks. Given that BEC has resulted in $26 billion in losses since 2016, these attacks have resulted in several billion dollars stolen each year.
While successful, and getting more successful every year, gift card BEC attacks are typically simple phishing campaigns. In theory, they can easily be countered with appropriate education and appropriate protocols, such as asking employees to personally confirm requests that call for cash delivery.
Digital gift cards and gift cards with online accounts can be vulnerable to hacking. The sequential numbering systems used for gift cards can make it relatively easy for a hacker to guess at available numbering. Alternatively, a fraudster may purchase stolen account numbers from one of the Dark Web’s black market sites. A cyber-criminal can use an automated software to conduct a “brute-force” attack on the online account portal’s login and eventually gain entry. Once inside, the thief can drain the funds into another hacked account. For gift cards that use an auto-load feature, the cyber-criminal can quickly rack up charges over and over.
Gift card purchasers are not the only consumers vulnerable to account hackers. All e-commerce accounts can be hacked using the same method. Moreover, cyber crooks very often recycle stolen credentials by trying the username/email address and password pairs at dozens of other retailers online, knowing that a good percentage of consumers will reuse the same credentials at multiple sites, which is never a good idea.
For consumers who use the username and password at multiple sites, it’s time to change those passwords. And, since gift card numbering systems are less secure than credit cards, make sure you never reuse a password when opening a online gift card portal.
After EMV chip cards rolled out in the U.S. in 2015, fraudsters were quick to find and exploit a new vulnerability in these highly secure cards. It’s called fallback fraud.
Fallback fraud is a low-tech workaround that bypasses protections against counterfeit card use. To perpetrate this type of fraud, criminals tamper with the card’s chip or the card reader itself, causing technical issues and rendering enhanced security features obsolete. The method of attack can be as simple as placing clear film over the chip, inserting the card upside down, or creating counterfeit cards with blank or intentionally damaged hardware.
Since gift cards are rarely EMV chip-enabled, they are especially vulnerable to fallback fraud. Here again, fraudsters are gaining stolen card data from the Dark Web. They then embed it onto the magnetic strips of new plastic cards. Those cards can then be used to make purchases because the current payment system in the U.S. allows for swiping as a fallback mechanism if no chip is present or if the chip is malfunctioning.
To prevent gift card fraud, it is important for consumers to be vigilant and for retailers to have good policies and procedures to keep gift cards secure. A few best practices for retailers include requiring a PIN for the use of a gift card and limiting online balance look-ups.
For consumers, the best advice is to only buy gift cards from reputable merchants. Always look at the physical card and look for signs of tampering, such as a scratched off and/or replaced PIN number. Most importantly, whether you are buying a card for yourself or plan to gift it – keep the receipt. If the gift card is later found to be drained of funds, the loss may be restored by returning to the merchant that sold the card or the store where the gift card is redeemable.