Holiday Gift Card Fraud: Better Watch Out, Your Loved Ones Might Cry

January 23, 2018

Who doesn’t love giving or getting gift cards? They’re easy to buy (especially for those picky relatives and friends), they’re easy to use, and you can spend them on exactly what you want, as well as when and where you choose. 

Trouble is, gift cards are oh so easy to hack.

Six in 10 shoppers had gift cards on their holiday list, according to Consumer Reports, which issued a pre-Christmas scam warning in mid-December.

The actual numbers haven’t been tabulated yet, but a recent survey estimated that retailers would sell more than $27 billion gift cards this past holiday season. That’s about 20% of the annual total of $130 billion in gift card sales. 

In the most basic scam, fraudsters pluck gift cards off those colorful racks you see in stores. They jot down the imprinted card number from the front of the card and then scratch off the gummy strip on the back to reveal the security code. Then they apply new replacement strips—readily available online—so no one can tell the card has been tampered with. They hang the compromised card back on the rack and wait for an unsuspecting shopper to buy the card.

Once the card is activated and loaded with a cash balance, tech savvy hackers use illicit software that periodically checks card balances online to receive an alert that the card is active and has cash ready for a payday. Before your loved one ever has a chance to spend your gift at their favorite boutique, the fraudster drains the account.

Meanwhile, even more elaborate schemes called Botnet Attacks bypass the juicy racks of physical gift cards to lay siege upon the websites consumers use to check their gift card balances. Once configured and turned loose in cyberspace, the bots can rapidly test millions of number combinations to match account numbers and stolen PIN passwords.

In late February 2017, web security analysts detected a brute force attack on gift cards that was initiated by the GiftGhostBot. This nasty bot falls into a category known as Advanced Persistent Bots (APB). APBs are bots enhanced with advanced capabilities that help them avoid detection. They can mimic human behavior, tamper with cookies, load external resources, mess with browser automation, and even perform dynamic IP address rotation.

The GiftGhostBot siege lasted over three weeks and peaked in mid March when it was checking about 1.7 million potential gift card numbers per hour, requesting a balance for each match. Sadly, not all gift card companies use botnet defense services despite the fact that 90 percent of login activity for online accounts set up to manage gift cards comes from botnet attackers.

Yet another permutation of gift card monkey business is eGift card fraud. An eGift card is essentially a gift card…but without the card—it usually is sent to the recipient in the form of an electronic message.

According to a leading payment processor, eGift cards were the biggest targets of fraud attacks between Black Friday and Christmas of 2015 (out of all the products sold by their merchants). What’s behind this frightening statistic? In just a few hours, a single fraudster can steal tens of thousands of dollars in eGift cards. Using stolen credit cards, multiple identities, and automated fraud tools—all of which can be procured cheaply and easily on the Dark Web—fraudsters can operate with impunity if you don’t have a strong antifraud system in place.

To learn more about eGift card scams, check out our blog post: A Day in the Life of an eGift Card Fraudster.

What to do? Consumer Reports offers these steps to protect yourself and your accounts:

  • Buy gift cards online directly from the retailer, chain restaurant, or other issuer. Criminals don’t have easy access to those cards. Buy online, especially if you’re purchasing a high-value gift card.
  • Don’t buy in-store racked cards with easily accessible numbers and PINs. If you buy in a retail store, look for gift cards kept behind the counter or in well-sealed packaging. The Retail Gift Card Association advises consumers to inspect the package for tampering.
  • If possible, change the security code as soon as you buy the card. Register the card when you get home, change the PIN, and educate the recipient about what you did and why he or she should not delay in using the card.
  • Get your stolen funds back. Card issuers that use botnet defenses can detect the tiny percentage of fraudulent transactions that may slip through their net, and they may be able to distinguish between honest and fraudulent transactions on your gift card to make you whole again. If your card has been drained, you should call the issuer and ask for reimbursement of your stolen funds. 
  • Secure your home computer. Criminals also gain access to your gift card numbers and PINs by hacking your computer. To help prevent that, make sure your security software is the most up-to-date version, create and use strong passwords or use a password generator.

Learn more about protecting against gift card fraud and download the eBook “eGift Card Fraud: The Gift That Keeps On Taking”.