What is Gift-Card Fraud?
Gift cards have become a popular gifting option, as they save people from the hassle of choosing gifts and allow recipients to purchase items of their choice. The gift card market has seen a steady growth over the years due to the growth of e-commerce as well as greater adoption by corporations that present gift cards as recognition to their employees. As a result, gift cards continue to provide retailers with a profitable and brand-building revenue stream.
Poised for growth at an estimated CAGR of 15.4%, the global gift cards market size is expected to reach $1,922.87 billion by 2027, up from $619.25 billion in 2019. These growing numbers are attracting fraudsters, which is resulting in the rising instances of gift card fraud.
Gift card fraud refers to using gift cards over cash to commit fraudulent activity. Fraudsters exploit both gift cards and prepaid cards due to the ease with which they can be manipulated. With an increase in the number of people now choosing gift cards as holiday gifts, fraud is only increasing
Fraudsters use botnets to brute force attacks on gift card websites by testing thousands of card numbers and PIN combinations per minute. They also use bots, sweatshops or click farms to continually check the card balances and redeem them. They hack into a user account and abuse the auto-load feature to drain the account of the funds. Once fraudsters are successful in their account takeover attempts, they can redeem the credit card points by requesting for a gift card and escaping with the money undetected. This is because gift cards do not require the kind of authentication that a credit card or a bank account would.
5 Common Ways of Gift Card Fraud
There are many ways that fraudsters commit gift card fraud. Some of the common ways are as described below:
Physical gift card tampering:
Fraudsters copy the card numbers and their activation codes from the store racks. Once the pilfered card is bought and activated, the fraudster can use it.
Buying gift cards with stolen credit cards:
This is the simplest method of gift card fraud where fraudsters use stolen credit card details to buy gift cards online and exhaust their value or resell them before a chargeback request is made by the victim.
Gift Card Number Theft:
By hacking into a gift card company's database, fraudsters can steal the gift card numbers and their activation codes. Fraudsters often use brute force, malware, or phishing to access the database. They monitor the gift card account's activity at the retailer's online portal and as soon as the cards are paid for and activated at the checkout register, they steal the money.
Social Engineering:
Fraudsters may pose as a representative from a business or government agency and trick the victims into paying for something by loading money on a gift card and then asking to share the numbers on the back of the card.
Gift Card Refund:
Fraudsters make fraudulent purchases using stolen credit card details and then return the product requesting the refund to a gift card. While the merchant loses twice - the transaction amount and the chargebacks - the fraudster decamps with the gift card that can be monetized fairly easily.
Why Gift Card Fraud is Appealing to Fraudsters
Gift cards are popular with scammers because it is not only ridiculously easy to monetize them, but also there are slim chances of getting detected or prosecuted. When compared with credit cards or bank accounts, the protections for gift cards are far lower and there are no authentication barriers. In fact, gift cards are more like cash - once used, the money on them is gone.
Although the dollar amounts associated with a gift card is low, when orchestrated at scale, the profits can run into millions. As a result, with more and more consumers opting for gift cards, fraudsters have followed suit.
How Fraudsters Monetize Gift Card Fraud
To monetize gift cards, fraudsters do not need to think a lot as it is fairly easy. The simplest way is to resell them on third party websites. Some fraudsters also sell them on the dark web. Then there are websites that offer conversion facilities - gift card to cash - at a fee of about 30-40% of the card value. Similarly, there are physical kiosks where fraudsters can convert gift cards into cash.
To make more money, some fraudsters may use roundabout ways. For instance, the Arkose Labs Q4 2020 Report found that there was a rise in abuse in this area due to prepaid cards being used as a vehicle for government stimulus money for those who did not have bank accounts on file with the IRS.
Fraudsters also post fake ads of fictitious items on ecommerce websites and offer heavy discounts on these expensive but non-existent items. Using social engineering, they trick users into sharing gift card numbers instead of using credit cards for payments. On receiving the money, the fraudster and the ads simply vanish. In recent times, the menace of requesting gift cards as a payment instrument has risen so much that the FBI issued a warning to customers against using gift cards to make payments for goods or services.
Fraudsters use account takeover attacks to access users' credit cards or loyalty reward points and redeem these points for gift cards, which can easily be exchanged for cash. Unlike credit cards and bank accounts, consumers are not too active when it comes to monitoring their reward points. This provides fraudsters with a freeway to the unused point sitting ripe for abuse.
Fraudsters are also increasingly using gift cards as a means for money laundering and moving illegal funds. This is because of the ease and anonymity that gift cards offer.
Why gift card fraud is easy to get away with
Detecting and stopping gift card fraud is uniquely challenging because it is as easy as stealing cash! It does not require any authentication, which leaves no clue on how the money was stolen or where it was transferred to. Furthermore, the low dollar amounts associated with these cards do not garner the kind of consumer attention the way a credit card theft would. This bolsters the fraudsters who scale up their attacks using bots and automation which cumulatively results in much bigger heists.
With digital becoming the norm, fraudsters are not only able to obtain but also monetize gift cards rather speedily. Digital gift cards have come as a boon for fraudsters as there is no delivery address needed, which eliminates the chances of their location being revealed. Poor security systems and subpar anti-fraud mechanisms are further making it easier for fraudsters to defraud unsuspecting consumers and making digital gift card sales a hotbed for gift card fraud.
Fraudsters also post fake ads of fictitious items on ecommerce websites and offer heavy discounts on these expensive but non-existent items. Using social engineering, they trick users into sharing gift card numbers instead of using credit cards for payments. On receiving the money, the fraudster and the ads simply vanish. In recent times, the menace of requesting gift cards as a payment instrument has risen so much that the FBI issued a warning to customers against using gift cards to make payments for goods or services.
Fraudsters use account takeover attacks to access users' credit cards or loyalty reward points and redeem these points for gift cards, which can easily be exchanged for cash. Unlike credit cards and bank accounts, consumers are not too active when it comes to monitoring their reward points. This provides fraudsters with a freeway to the unused point sitting ripe for abuse.
Fraudsters are also increasingly using gift cards as a means for money laundering and moving illegal funds. This is because of the ease and anonymity that gift cards offer.
The Arkose Labs Approach
Gift cards provide retailers with a promising business stream that enables them to increase revenue and retain customers. However, fungible and difficult to track, gift cards provide fraudsters with quick money and generally easy getaways. They use botnets to brute force attacks on gift card websites. They also use bots and sweatshops to continually check the card balances and redeem them.
Gift card fraud can disrupt shopping experience for consumers and cause damage to the brand reputation of a retailer. As a result, it is critical that retailers ensure security of the gift cards on sale - both in the physical and the digital realms. That said, detecting and stopping gift card fraud is challenging, simply because there are no authentications or trails left behind. Retailers must, therefore, adopt a fraud-prevention approach that eliminates fraud from its roots, without unnecessarily disrupting the user experience for genuine consumers.
Arkose Labs' bilateral approach to fighting gift card fraud targets automated bots and phony fraudsters with adaptive, graduated friction to force them into abandoning the attack, while making authentication fun for genuine consumers.
Arkose Labs helps retailers accurately identify fraudsters from authentic users by analyzing hundreds of digital parameters. Instead of blocking any user-who may potentially be a revenue-generating customer-the digital intelligence screens all users and affords them an opportunity to prove their authenticity by clearing enforcement challenges. Authentic users may not even see the challenges and continue unhindered; and those that do, can clear these user-friendly challenges in a fun way.
Bots and automated scripts, however, fail instantly, as the challenges are trained against even the most advanced machine vision technology. Malicious humans are repeatedly presented with incrementally complex challenges that are designed to waste the time, effort, and resources. This depletes the returns against the investments in the attack and forces the attackers to call it quits, providing long-term protection to the retailers.