What is gift card fraud?
Gift cards have become a popular gifting option, as they save people from the hassle of choosing gifts and allow recipients to purchase items of their choice. The gift card market has seen a steady growth over the years due to the growth of e-commerce as well as greater adoption by corporations that present gift cards as recognition to their employees. Gift cards provide retailers with a promising business stream that enables them to increase revenue and retain customers.
But there’s a dark side to this phenomenon. Because they are fungible and difficult to track, gift cards provide thieves with quick money and generally easy getaways. In addition, the global market is poised for growth at an estimated CAGR of 6.9% over the next four years, expected to reach over $668 billion by 20271. This has made it a lucrative target for cyberattack, resulting in the rising instances of gift card fraud.
Gift card fraud refers to using gift cards to commit dishonest activity. Bad actors exploit both gift cards and prepaid cards because they can be easily manipulated. It can happen offline – for instance, when scammers steal gift card numbers from stores – but increasingly it is becoming a digital business. Cybercriminals use botnets to perform brute force attacks on gift card websites by testing thousands of card numbers and PIN combinations per minute. They also use bots, sweatshops, or click farms to continually check the card balances and redeem them. They hack into a user account and abuse the auto-load feature to drain the account of the funds.
Once these attackers are successful in their account takeover attempts, they can redeem the credit card points by requesting for a gift card and escaping with the money undetected. This is because gift cards do not require the kind of authentication that a credit card or a bank account would.
5 common ways to commit gift card fraud
There are many ways that criminals commit gift card fraud. Some of the common ways are as described below:
Physical gift card tampering
Thieves copy card numbers and their activation codes from the store racks. Once the pilfered card is bought and activated, the fraudster can use it.
Buying gift cards with stolen credit cards
This is the simplest method of gift card fraud, where cybercriminals use stolen credit card details to buy gift cards online. They then exhaust their value or resell them before a chargeback request is made by the victim.
Gift card number theft
By hacking into a gift card company's database, cyberattackers can steal the gift card numbers and their activation codes. These black-hat hackers often use brute force, malware, or phishing to access the database. They monitor the gift card account's activity at the retailer's online portal, and as soon as the cards are paid for and activated at the checkout register, they steal the money.
Social engineering and phishing
Criminals may pose as a representative from a business or government agency and trick the victims into paying for something by loading money on a gift card and then asking to share the numbers on the back.
Phony refunds
Criminals make fraudulent purchases using stolen credit card numbers and then return the product requesting the refund to a gift card. While the merchant loses twice – the transaction amount and the chargebacks – the thief decamps with the gift card that can be monetized fairly easily.
Blackhawk Network Foils Gift Card Fraud with Arkose Labs
Why gift card fraud schemes appeal to scammers
Gift cards are popular with scammers because it is not only ridiculously easy to monetize them, but the chances of getting detected or prosecuted are slim. When compared with credit cards or bank accounts, the protections for gift cards are far lower and there are no authentication barriers. In fact, gift cards are more like cash – once used, the money on them is gone.
Although the dollar amounts associated with individual gift cards are low, the profits can run into millions when orchestrated at scale. As a result, with more and more consumers opting for gift cards, a rise in gift card scam has followed suit.
How gift card fraud is monetized
The simplest way to illegally monetize gift cards is to resell them on third-party websites. But there are plenty of other ways criminals make money from gift card fraud. Some malicious actors sell them on the dark web. Then there are websites that offer conversion facilities - gift card to cash - at a fee of about 30-40% of the card value. Similarly, there are physical kiosks where users can convert gift cards into cash.
Cybercriminals also post fake ads of fictitious items on ecommerce websites and offer heavy discounts on these expensive but non-existent items. Using social engineering, they trick users into sharing gift card numbers instead of using credit cards for payments. On receiving the money, the thief and the ads simply vanish. This is so prevalent that the FBI issued a warning to customers against using gift cards to make payments for goods or services.
Cyberattackers use account takeover attacks to access users' credit cards or loyalty reward points and redeem these points for gift cards, which can easily be exchanged for cash. Unlike credit cards and bank accounts, consumers are not too active when it comes to monitoring their reward points. This provides attackers with a freeway to the unused points sitting ripe for abuse.
Attackers are also increasingly using gift cards as a means for money laundering and moving illegal funds because of the ease and anonymity that gift cards offer.
Why gift card fraud is easy to get away with
Detecting and stopping gift card fraud is uniquely challenging because it is as easy as stealing cash. It does not require any authentication, which leaves no clue on how the money was stolen or where it was transferred to. Furthermore, the low dollar amounts associated with these cards do not garner the kind of consumer attention the way credit card theft would. This bolsters the cyberattackers, who scale up their attacks using bots and automation – which cumulatively results in much bigger heists.
With digital becoming the norm, cybercriminals are not only able to obtain but also monetize gift cards rather speedily. Digital gift cards have come as a boon for these thieves, as there is no delivery address needed, which eliminates the chances of their location being revealed. Poor security systems and subpar anti-fraud mechanisms are further making it easier for attackers to defraud unsuspecting consumers and making digital gift card sales a hotbed for gift card fraud.
The Arkose Labs approach to gift card fraud prevention
Gift card fraud can disrupt shopping experience for consumers and cause damage to the brand reputation of a retailer. As a result, it is critical that retailers ensure security of the gift cards on sale, both in the physical and the digital realms.
That said, detecting and stopping gift card fraud is challenging, simply because there are no authentications or trails left behind. Retailers must therefore adopt an approach to eliminate gift card fraud from its roots, without unnecessarily disrupting the user experience for genuine consumers.
Arkose Labs' bilateral approach to fighting gift card fraud targets automated bots and phony users with adaptive, graduated friction to force them into abandoning the attack, while making authentication fun for legitimate customers.
The Arkose Bot Manager is a powerful solution designed to help retailers accurately identify bots and cyberattackers from authentic users by analyzing hundreds of digital parameters. Instead of blocking any user, who may potentially be a revenue-generating customer, the digital intelligence screens all users and affords them an opportunity to prove their authenticity by clearing enforcement challenges. Authentic users may not even see the challenges, but those who do can clear these user-friendly challenges in a fun way.
Bots and automated scripts, however, fail instantly, because the challenges are trained against even the most advanced machine vision technology. Malicious humans are repeatedly presented with incrementally complex challenges that are designed to waste time, effort, and resources. This depletes the returns against the investments in the attack and forces the attackers to call it quits, providing long-term protection to the retailers.
To learn more about the best way for your business to prevent gift card fraud, contact us to chat with an expert today!
