Gift Card Fraud: A Guide for Retail Security Teams
Gift cards were the second most popular items purchased by Americans over the holidays last year according to the National Retail Federation. Projected growth in gift card sales means that understanding fraud tactics is critical for loss prevention and brand protection over the next decade.
Gift cards are available through most major retailers and can be purchased physically or digitally, making them a convenient option on anyone’s gift list.
Retailers around the world are embracing gift cards as a part of their product offerings. The industry is expected to grow to $750 billion by 2026, aided by the popularity of e-commerce and virtual gift cards. But there’s a catch: gift cards are also one of the most common (and easy) methods of defrauding retail customers.
Scammers use a number of tactics to commit gift card fraud, many of which are openly discussed or sold on anonymous platforms through the dark web. This article sheds light on what those tactics look like, and what retail security teams can do to mitigate gift card fraud and stay threat-informed.
Gift Card Scams Take a Number of Forms
Gift card fraud schemes unfold in a variety of ways—in physical storefronts, over the phone, and online. Regardless of the tactic used, there is almost always an element of the attack that plays out on the dark web.
The dark web gives bad actors an anonymous platform for openly offering:
- How-to discussions about the latest gift card fraud strategies
- Marketplace listings for:
- Stolen gift cards
- Gift card fraud services
- Tools used to commit gift card fraud
Accessing the dark web informs retail security services about card scam tactics from the source—which is immensely valuable considering how adaptive and creative scammers are at exploiting gift cards. Here are 7 common gift card fraud strategies:
1. Credit Card Rewards Program Hacks
For this type of hack, scammers obtain an individual’s personal financial information, hack into their bank account, and access credit card rewards program credentials (rewards are typically offered in the form of credit card payments, products, or gift cards). Then they redeem rewards points for gift card numbers, which they convert to cash or sell at discounted rates.
Discounted gift cards for a popular online retailer for sale on the dark web—discovered using Beacon.
2. Gift Card Number Theft
In this example, scammers visit a physical store and record gift card numbers directly off the shelf. If cards are PIN-protected, they peel off the sticker to reveal the PIN and either re-adhere it or replace it with a fresh one. Then they monitor gift card balances for those cards online. When the cards are topped up, hackers immediately transfer the balance or convert it to cash. Alternatively, scammers can use stolen numbers to create a physical duplicate gift card to either use or resell.
3. Revenue Services Calls
Some scammers pose as the CRA, IRS, or agents from another reputable organization over the phone. They use social engineering tactics to convince victims to make payments (e.g. to avoid tax evasion charges) and request them to settle up in the form of gift cards. While this might sound like an obvious scam, it has a successful track record. Some scammers even walk victims through the purchasing process over the phone while they source gift cards online or in-store.
4. Classified Ads
People often sell unwanted gift cards on classified sites like Kijiji and Craigslist. Scammers contact a seller and request a 3-way call with the gift card issuer to verify the card balance. The scammer obtains the gift card number and PIN during the conversation, and drains the card balance or converts it to cash.
5. Gift Card Balance Monitoring
Gift card bots are known to circulate on dark web marketplaces. This allows scammers to hack into retailers’ active gift card databases and transfer available balances en masse.
An example of a former gift card bot discovered on the dark web using Beacon.
6. Merchandise Theft
Scammers steal store merchandise and return items to a different location. Retailers sometimes offer customers gift cards for returning merchandise with no receipt. Scammers then sell these gift cards at a discounted rate through classifieds or third-party gift card sites.
7. Discounted Gift Card Sales
There are a number of gift card resale or online auction sites that offer unused online gift cards at discounted prices. Many customers on these sites are unaware that some cards are listed by scammers using the above tactics.
Why Gift Cards?
You might be wondering, “surely, there must be more lucrative ways for hackers to earn money—so why are gift card scams so popular?”
Buying gift cards is so common that many people don’t think twice about them as scam targets. Cards are associated with major brand names that have established customer loyalty. Gift cards are a low-risk, easy way for scammers to hide behind household names, especially since there is no way to track who’s behind the scam once a gift card is in a hacker’s control.
Even though most gift cards contain relatively small values, the sheer volume of gift card purchases makes them lucrative for scammers, especially when bots help streamline and scale hacking processes. Additionally, retailers don’t lose financially in this situation—only the customer does. This often leaves scammers undetected by retail security teams, who aren’t necessarily aware of unreported losses or tactics hiding on the dark web.
Gift Card Security Solutions
Scams still have a major impact on customer satisfaction and brand loyalty, even when gift card fraud doesn’t cause retailers direct financial losses. If customers find out they’ve been gift card scammed, they might mistrust your business entirely—even if they bought the card through a third-party retailer.
There are a number of solutions that retail security officers can enforce to prevent gift card fraud:
Establish physical gift card security. This could mean keeping gift cards secured in glass cases rather than on an open rack.
Strengthen gift card security features. Ensure gift cards have additional security PINs. Cards can also be designed to set original PINs at the time of purchase since sticker-protected PINs can still be uncovered by scammers.
Limit maximum gift card amounts. This limits financial losses for the customer if their card gets intercepted.
Stay up-to-date with consumer scams using the Federal Trade Commission’s Scam Alerts.
Educate employees. Gift card fraud should be a part of basic training for retail employees and security teams. For example, employees should be trained to detect tampered PIN stickers or keep an eye on exposed gift card racks for suspicious loiterers.
Educate customers. Invest in fraud prevention signage near gift card racks or cashier tills. Some preventative tips include:
- Never respond to any requests to make payments with gift cards.
- Use gift cards as quickly as possible, giving hackers less time to exploit balances.
- Check gift card balances frequently and immediately report suspicious activity.
The reason we know about these common gift card fraud strategies is because they were reported by victims and investigated. What if retailers could learn about these adaptive hacking strategies before they reach a customer service department, law enforcement, or the media?
Before gift card fraud tactics reach customers, they must originate from somewhere—and that “somewhere” is often the dark web. Access to dark web forums and marketplaces informs retailers exactly how bad actors are defrauding customers.
Users discussing gift card fraud strategies on Dread, the dark web’s equivalent of Reddit—discovered using Beacon.
Hackers are continuously developing new tactics to surpass security strategies, so it’s crucial for retailers to access recent information on these threats directly from criminals. For example, if a new gift card database bot appears on the dark web, IT and security personnel can learn about its functionality and adapt their access control systems to prevent exposure.
The dark web is notoriously dangerous and time-consuming to navigate without specialized tools. Beacon allows retail security teams to quickly and safely access critical information on the deep and dark webs. Developing security measures to combat evolving scamming techniques will have massive impacts on loss prevention and customer loyalty as the gift card industry expands.
Which gift card fraud tactics are targeting your business right now?
Schedule a demo with us to find out.