Home » Gift Card Fraud: What It Is And How To Stop it

Gift Card Fraud: What It Is And How To Stop it

What is gift card fraud?

Gift cards have become a popular gifting option, as they save people from the hassle of choosing gifts and allow recipients to purchase items of their choice. The gift card market has seen a steady growth over the years due to the growth of e-commerce as well as greater adoption by corporations that present gift cards as recognition to their employees. Gift cards provide retailers with a promising business stream that enables them to increase revenue and retain customers.

But there’s a dark side to this phenomenon. Because they are fungible and difficult to track, gift cards provide thieves with quick money and generally easy getaways. In addition, the global market is poised for growth at an estimated CAGR of 6.9% over the next four years, expected to reach over $668 billion by 20271. This has made it a lucrative target for cyberattack, resulting in the rising instances of gift card fraud.

Gift card fraud refers to using gift cards to commit dishonest activity. Bad actors exploit both gift cards and prepaid cards because they can be easily manipulated. It can happen offline – for instance, when scammers steal gift card numbers from stores – but increasingly it is becoming a digital business. Cybercriminals use botnets to perform brute force attacks on gift card websites by testing thousands of card numbers and PIN combinations per minute. They also use bots, sweatshops, or click farms to continually check the card balances and redeem them. They hack into a user account and abuse the auto-load feature to drain the account of the funds.

Once these attackers are successful in their account takeover attempts, they can redeem the credit card points by requesting for a gift card and escaping with the money undetected. This is because gift cards do not require the kind of authentication that a credit card or a bank account would.

Payment Firm Foils Gift card Fraud With Arkose Labs
Payment Firm Foils Gift card Fraud With Arkose Labs

5 common ways to commit gift card fraud

There are many ways that criminals commit gift card fraud. Some of the common ways are as described below:

Physical gift card tampering

Thieves copy card numbers and their activation codes from the store racks. Once the pilfered card is bought and activated, the fraudster can use it.

Buying gift cards with stolen credit cards

This is the simplest method of gift card fraud, where cybercriminals use stolen credit card details to buy gift cards online. They then exhaust their value or resell them before a chargeback request is made by the victim.

Gift card number theft

By hacking into a gift card company's database, cyberattackers can steal the gift card numbers and their activation codes. These black-hat hackers often use brute force, malware, or phishing to access the database. They monitor the gift card account's activity at the retailer's online portal, and as soon as the cards are paid for and activated at the checkout register, they steal the money.

Social engineering and phishing

Criminals may pose as a representative from a business or government agency and trick the victims into paying for something by loading money on a gift card and then asking to share the numbers on the back.

Phony refunds

Criminals make fraudulent purchases using stolen credit card numbers and then return the product requesting the refund to a gift card. While the merchant loses twice – the transaction amount and the chargebacks – the thief decamps with the gift card that can be monetized fairly easily.

Blackhawk Network Foils Gift Card Fraud with Arkose Labs
Blackhawk Network uses Arkose Labs to protect against fraudulent gift card purchases and other types of fraud

Why gift card fraud schemes appeal to scammers

Gift cards are popular with scammers because it is not only ridiculously easy to monetize them, but the chances of getting detected or prosecuted are slim. When compared with credit cards or bank accounts, the protections for gift cards are far lower and there are no authentication barriers. In fact, gift cards are more like cash – once used, the money on them is gone.

Although the dollar amounts associated with individual gift cards are low, the profits can run into millions when orchestrated at scale. As a result, with more and more consumers opting for gift cards, a rise in gift card scam has followed suit.

How gift card fraud is monetized

The simplest way to illegally monetize gift cards is to resell them on third-party websites. But there are plenty of other ways criminals make money from gift card fraud. Some malicious actors sell them on the dark web. Then there are websites that offer conversion facilities - gift card to cash - at a fee of about 30-40% of the card value. Similarly, there are physical kiosks where users can convert gift cards into cash.

Cybercriminals also post fake ads of fictitious items on ecommerce websites and offer heavy discounts on these expensive but non-existent items. Using social engineering, they trick users into sharing gift card numbers instead of using credit cards for payments. On receiving the money, the thief and the ads simply vanish. This is so prevalent that the FBI issued a warning to customers against using gift cards to make payments for goods or services.

Cyberattackers use account takeover attacks to access users' credit cards or loyalty reward points and redeem these points for gift cards, which can easily be exchanged for cash. Unlike credit cards and bank accounts, consumers are not too active when it comes to monitoring their reward points. This provides attackers with a freeway to the unused points sitting ripe for abuse.
Attackers are also increasingly using gift cards as a means for money laundering and moving illegal funds because of the ease and anonymity that gift cards offer.

Why gift card fraud is easy to get away with

Detecting and stopping gift card fraud is uniquely challenging because it is as easy as stealing cash. It does not require any authentication, which leaves no clue on how the money was stolen or where it was transferred to. Furthermore, the low dollar amounts associated with these cards do not garner the kind of consumer attention the way credit card theft would. This bolsters the cyberattackers, who scale up their attacks using bots and automation – which cumulatively results in much bigger heists.

With digital becoming the norm, cybercriminals are not only able to obtain but also monetize gift cards rather speedily. Digital gift cards have come as a boon for these thieves, as there is no delivery address needed, which eliminates the chances of their location being revealed. Poor security systems and subpar anti-fraud mechanisms are further making it easier for attackers to defraud unsuspecting consumers and making digital gift card sales a hotbed for gift card fraud.

The Arkose Labs approach to gift card fraud prevention

Gift card fraud can disrupt shopping experience for consumers and cause damage to the brand reputation of a retailer. As a result, it is critical that retailers ensure security of the gift cards on sale, both in the physical and the digital realms.

That said, detecting and stopping gift card fraud is challenging, simply because there are no authentications or trails left behind. Retailers must therefore adopt an approach to eliminate gift card fraud from its roots, without unnecessarily disrupting the user experience for genuine consumers.

Arkose Labs' bilateral approach to fighting gift card fraud targets automated bots and phony users with adaptive, graduated friction to force them into abandoning the attack, while making authentication fun for legitimate customers.

The Arkose Bot Manager is a powerful solution designed to help retailers accurately identify bots and cyberattackers from authentic users by analyzing hundreds of digital parameters. Instead of blocking any user, who may potentially be a revenue-generating customer, the digital intelligence screens all users and affords them an opportunity to prove their authenticity by clearing enforcement challenges. Authentic users may not even see the challenges, but those who do can clear these user-friendly challenges in a fun way.

Bots and automated scripts, however, fail instantly, because the challenges are trained against even the most advanced machine vision technology. Malicious humans are repeatedly presented with incrementally complex challenges that are designed to waste time, effort, and resources. This depletes the returns against the investments in the attack and forces the attackers to call it quits, providing long-term protection to the retailers.

To learn more about the best way for your business to prevent gift card fraud, contact us to chat with an expert today!


Gift card fraud refers to using gift cards over cash to commit fraudulent activity. Criminals exploit both gift cards and prepaid cards due to the ease with which they can be manipulated. In some cases, they steal the numbers and security codes off the gift cards in stores and wait for their activation. With digital becoming the norm, bad actors access gift card numbers online in bulk using SQL injection and social engineering. They also use botnets and exploit the websites that provide consumers with the information about their gift card balance to check for and drain the loaded cards. Using social engineering, they trick unassuming people into paying for fictitious items using gift cards.

Gift card fraud can happen through stolen credit card details used to buy and resell gift cards. Hackers obtain gift card numbers, while phishing emails or social engineering scams deceive legitimate cardholders into sharing gift card information or purchasing fake ones.

The simplest way to monetize gift cards is to resell them on third party websites. Some cybercriminals also sell them on the dark web. Thieves convert gift cards into cash through websites that offer conversion facilities – gift card to cash – at a fee of about 30-40% of the card value. Similarly, there are physical kiosks where users can convert gift cards into cash.

In addition to incurring costs in gift card fraud mitigation, retailers also suffer damage to brand reputation. Therefore, instead of mitigation, retailers must focus on deterring cybercrime and eliminate the economic incentives that cause criminals to attack.

By bankrupting the business of bots, Arkose Labs renders the attacks financially unattractive. This is achieved through adaptive, step-up enforcement challenges that cause bots and automated scripts to fail; and sap the time, effort, and resources of human attackers. Once the returns are eroded, attackers give up and move on, providing retailers with long-term protection.