Gift Cards: The Fastest Gift this Season May Lead to Even Faster Fraud by Kevin Lee, Digital Trust and Safety Architect at Sift
Gift Cards: The Fastest Gift this Season May Lead to Even Faster Fraud by Kevin Lee, Digital Trust and Safety Architect at Sift

Gift Cards: The Fastest Gift this Season May Lead to Even Faster Fraud

As the holidays quickly approach, consumers are looking for fast and easy gifts with many turning to the convenience of gift cards. Also, for those last minute shopper who missed the ‘free shipping’ window, gift cards can be the most appealing option if they are looking to deliver a present before Christmas. According to the National Retail Federation, 54% of consumers will purchase gift cards this holiday season, estimating total consumer spend on this product category alone to reach $27.5 billion this year.

With gift cards becoming a staple for holiday gift-giving, retailers have expanded their offerings to digital gift cards to meet the convenience-seeking demand of today’s modern consumer. However, with convenience comes the added vulnerability of taking what was once a physical/tangible card into the world of digital transactions. Now more than ever, cybercriminals and bad actors have found particularly devious ways of defrauding both the buyers and sellers, placing an increased demand on businesses to not only enlist effective prevention tactics, but adapt a holistic understanding of the means and ends of how fraudsters target this specific commodity.

What makes digital gift cards such attractive targets for fraudsters?

It only takes a few seconds to buy a gift card online. Because the buyer wants the instant gratification of knowing the gift card is in their inbox right away, there’s no time for fraud teams to manually review and approve the purchase, unlike traditional physical items. With the click of a button the e-card is delivered to a consumer’s phone or email with a code for usage. This speed of delivery outpaces some legacy approaches to fraud prevention, leaving a margin of error prime for cybercriminals to capitalize on.

In addition to the fast speed and accessibility, e-gift card orders are filled completely online, removing the need for shipping to a physical address which reduces the risk of a fraudster’s location being revealed. This extra layer of protection and anonymity lets cybercriminals target any person from any location at any time.

A new twist that’s catching on with fraudsters is the act of purchasing smaller products to be shipped to the physical address of a victim, while attaching a high dollar e-gift card to the order, for the fraudster to pocket, in an effort to help the overall purchase look more legitimate.

These types of tactics help scammers fly under the radar screens of many traditional rules-based fraud prevention systems, which wouldn’t necessarily pick up on any fraudulent purchases tied to seemingly legitimate ones.

What are some common ways fraudsters exploit gift cards?

From targeting consumers on social media to sending phishing emails to employees posing as their bosses, cybercriminals have a laundry list of ways to steal. While some tactics are more obvious than others, all should be recognized and considered when putting a fraud prevention policy in place.

Profiting from credit card theft: A common gift card scheme is executed across peer-to-peer marketplaces where fraudsters will list a “hot-ticket item” (i.e. high-priced electronics) for significantly less than the retail cost. Lured by the idea of a deal, eager holiday buyers unknowingly deliver their personal credit card information straight to the fraudster.

At this point, the fraudster uses the stolen information to purchase gift cards for their personal use and/or to aid in their efforts with another scheme. The speed of the exchange makes it difficult for the money to be traced so once the cybercriminal finishes the transaction, the victim has no way of ever retrieving their money.

Stealing gift cards from resellers: A phony buyer asks a gift card reseller to perform a three-way phone call with the merchant (a retailer, for example) to check the gift card balance. While listening to the seller enter the gift card number, the “buyer” records the sound of the touch-tone patterns to steal the gift card number and use it without ever actually purchasing it.

The seller emails the “buyer” the codes on the back of the card so they can confirm the value of the card, and the “buyer” pays the seller using PayPal or a peer-to-peer payments app. However, once the “buyer” has the complete gift card information, they will oftentimes cancel the payment on the payments app and thus, the seller never receives the value of the now stolen gift card.

Using free gift cards as a trap: Cybercriminals prey on consumers by creating fake-free gift card sites. Gift cards are often used as an incentive for consumer surveys, but cybercriminals have caught on and are starting to create phony sites to harvest consumer data. The personal information collected from consumer survey participants is then used by the victim to buy gift cards, which are then used or sold for money at the survey taker’s expense.

The phony site will be advertised on social media as a quick way to earn money. The victim will then click on the link, fill out their personal information and give criminals access to their personal data. That information is then used for fraudsters to take over all the victim’s accounts and purchase thousands of e-gift cards in a matter of seconds.

Redeeming stolen rewards points: If a cybercriminal gains the credentials to a victim’s credit card or loyalty rewards program, they can redeem points for gift cards and then exchange the card for cash using online exchange services. As more brands and credit cards offer these programs, more consumers are opting in and sitting on large points balances that are vulnerable to theft.

How can retailers satisfy consumer demand for digital gift cards while staving off fraud?

The likelihood of fraud puts online retailers in a difficult situation – if retailers offer digital gift cards, they risk increasing fraud rates. If they don’t offer them, they risk disappointing customers who expect them as a gift-giving option. Merchants must balance digitizing gift cards to keep up with customer expectations while investing in fraud prevention methods to protect their bottom lines.

A common method for merchants is to set up certain rules for gift card purchases across e-commerce systems to reduce fraudulent transactions – for example, disabling the purchase of bulk order gift cards. While a rules-based approach can be helpful for reducing some fraudulent transactions, it can also mistakenly prohibit legitimate buyers from making purchases on a site. These false positives are doubly painful for merchants as they miss the immediate revenue of a legitimate buyer while almost certainly losing a potential repeat customer. The merchant can also apply some velocity rules tied to device, IP, price, cookies and more.

Additionally, rather than taking a purely based rules-based approach, merchants should think about how to introduce machine learning technologies to support legitimate purchases while clamping down on fraud. Investing in modern technology to detect fraudulent activity can help businesses focus on the behavior of a transaction rather than just the credit card or device being used to carry out the transaction. For example, machine learning technologies can recognize behavioral patterns like IPs visiting the site and ordering 100 gift cards within seconds of accessing a page – a behavior that’s less likely for a legitimate user to execute.

#Cybercriminals and bad actors have found particularly devious ways of defrauding both the buyers and sellers of digital gift cards. #fraud #respectdataClick to Tweet

While holiday shoppers will be buying gift cards en masse for the remainder of 2019, merchants have an opportunity to set themselves up for a successful start to the decade by implementing new technologies, strategies and resources to create a trusted and safe environment for their customers – and a brick wall for fraudsters.


Digital Trust and Safety Architect at Sift