Gift Card Fraud
Gift cards have become an incredibly convenient way to pay for everything from gas to groceries to your next vacation. Not only are gift cards great to give as gifts, but many people purchase them as a way to maximize other types of perks and benefits or even budget for large purchases. For instance, many grocery stores sell gift cards and also have loyalty programs. People can use their loyalty cards to purchase gift cards and then use the gift cards to buy groceries and earn additional rewards points. This earns them double the points for the same price.
That being said, like almost anything of monetary value, gift cards can also be used or obtained fraudulently. Gift cards are in fact a type of currency, but unlike many other forms of currency, they are difficult to obtain or use fraudulently en mass. For this reason, gift card fraud is often not prosecuted because of the relatively small dollar amounts they carry. There are a few forms of gift card fraud that involve high dollar amounts, but they are rarer. Even though some gift card fraud involves a physical gift card rather than a digital one, almost all gift card fraud is still considered cyberfraud because the balances are considered digital currency, not hard currency.
Types of Gift Card Fraud
Gift cards can either be physical or digital. In the case of digital cards, the card and PIN are generated digitally and from there can either be loaded onto a physical card or simply entered into different websites like a credit card to complete a purchase.
The key to gift card fraud is to find a way to load a balance onto a gift card the hacker owns so it can be sold or spent. There are a few ways hackers can do this on the customer side.
- Loyalty Cards: Some gift cards double as customer loyalty cards, such as Starbucks cards. Many people have cards such as these set to automatically top up once they reach a certain low balance. If a hacker can get into an individual's account, then they can drain the balance onto their own card, at which point the customer's card will automatically top up and the fraudster can just keep transferring the balance to their own card.
- Rewards Points: Rewards credit cards will often include gift card options. When a gift card option is chosen, the card is generally generated and available immediately. If a hacker can access a rewards account, they can redeem points for a gift card and then immediately sell it to an online gift card vendor such as Cardcash or Cardpool. In many cases, they can get up to 60% or more of the value of the card. Since many people save up their points for large rewards like airline tickets or accommodations, they can sometimes have several thousands of dollars of rewards points built up that can all vanish in an instant.
- Balance drains: Another way to commit gift card fraud is to simply buy a card, write down the number and then sell the card. Once a buyer has paid for the card, the fraudster can then simply go online and transfer the balance to a new card, which they can then either spend or sell again. They could theoretically keep selling the same balance over and over again.
Stealing Gift Card Numbers or Cloning Gift Cards
Since gift cards have no balance until they are purchased at a register, most stores have stacks of cards sitting out on display. This leaves them open and available to simply pick up an entire stack and walk away with them. Some cards will have both a magnetic stripe and PIN code. For those that do not, fraudsters can simply swipe the card into a card reader and store the card number. When cards use both a magnetic stripe and PIN code, they are often covered by a silver sticker that reveals the PIN when scratched. These stickers can be purchased inexpensively on eBay. Thieves can scratch the sticker, reveal the code and replace the sticker with the new one. Once they have recorded all of the numbers, they simply return the cards back to the store display and wait for someone to purchase them. If they have a card reader, they may not even leave the store at all.
Most gift card issuers have a website or telephone number that can be accessed to check balances. Once thieves are in possession of card number and PIN, they can just keep checking the website until a balance registers on the card. Once a balance is registered, they can simply transfer the balance onto their own card and either sell it or spend it.
Bulk Gift Card Fraud
Bulk acquisitions are much more difficult, but also, therefore, more rewarding. Because it is difficult to acquire gift card numbers in bulk, that also makes this the rarest type of gift card fraud. Bulk acquisitions are one of the only types of fraud that occur on the issuer side and not the borrower side. Gift card numbers and PINs can be acquired via phishing, SQL injection, social engineering, and accidental disclosure. For instance, a Woolworth's employee accidentally emailed a spreadsheet containing 8,000 active gift card numbers to more than 1,000 people. The gift cards contained balances in excess of AUS $1.3 million. Anyone who received the spreadsheet could immediately convert the numbers into cash or just start shopping.
Overall, gift card fraud is generally more of an annoyance than a significant issue. While they do obviously cause the most financial damage, bulk acquisitions are rare. While there are certain stores or merchants that might be more likely to encourage larger balances on gift cards, in general, the majority of gift card fraud occurs on balances of $100 or less.
iovation is a leading provider of online fraud prevention solutions to help stop ecommerce fraud, online banking fraud, insurance fraud, account takeover, and other common types of internet fraud.
Ready for the next step?
Spot user behaviors and device information that’s suspicious, and stop those fraudsters in real time. We track billions of devices and our fraud analysts add evidence to make this intelligence even more effective.