Examining the 2023 Gift Card Fraud Landscape
How Big is the Gift Card Market?
National Retail Federation (NRF) estimates from 2022 state the global gift card industry is worth more than $440 billion. This market segment saw significant growth since the beginning of the pandemic in 2019 and despite the current economic downturn or fluctuations, Forter’s projections expect the gift card business to continue to grow to $643 billion by 2028(see source 1 in appendix).
What is Gift Card Fraud?
Gift card fraud in a nutshell is the act of draining the value from a purchased gift card for illicit or fraudulent reasons. This comes in a multitude of forms and is gaining traction in the cybercriminal underground as a means to extract funds or key personal information from unsuspecting consumers.
Some of the most common forms of this type of fraud include: refund scams, fake prizes, romance scams, account takeover (ATO) or hacked accounts. In the outline below we will walk you through each of these and briefly discuss how they are accomplished as well as how pervasive they are becoming.
How Pervasive is the Gift Card Fraud Problem?
According to the National Retail Federation (NRF), 27% of survey respondents purchased gift cards between Thanksgiving Day and Cyber Monday, also stating gift cards represented one of the top gift categories(See source 2 in appendix). Looking forward, Numerator, a marketing research firm, is estimating that ~60% of gift shoppers plan to buy a gift card(See source 3 in appendix).
A related sobering statistic from AARP cites, “Nearly one in three Americans have been targeted by a gift card scam.” Although these metrics seem alarming, let’s put these in terms of fraud payment schemes overall(See source 4 in appendix). Pulling from the FTC’s 2021 Sentinel Report, roughly 16% of all fraudulent payments were executed via a gift card or reloadable card(See source 5 in appendix).
Looking at the breakdown above from 2021, Gift Card-related fraudulent payments ranked third in terms of most common means of payment in the fraud cases reported to the FTC. More recent reports show this trend is accelerating significantly as the Covid-19 pandemic has had an astronomical impact on the gift card industry. As people left the house more and more, there was an observed correlation to the number of gift cards purchased. As this change occurred, fraudsters took note and followed suit with analysis firms like Forter noting a quarter-over-quarter increase of nearly 50% from Q4 2020 through Q1 2022(See source 6 in appendix). This trend seems to have plateaued in early 2022 although there is a growing trend related to credit card chargeback schemes that will be discussed later.
Contributing Factors to the Increase in Gift Card Fraud
Regulatory controls placed on gift cards in comparison to regular debit or credit cards as well as other non-cash means of payment have contributed to the uptick in this behavior. To better understand how we got to where we are now, it’s worth unpacking the Truth in Lending Act, the Credit Card Accountability and Responsibility and Disclosure Act (Credit CARD Act), as well as and most importantly the Electronic Fund Transfer Act (EFTA).
Truth in Lending Act of 1968: was created to protect the public from unfair credit card practices.
Electronic Fund Transfer Act of 1978 (EFTA): added protections for consumers around fraudulent purchases as well as stolen card numbers related to credit and debit cards but did not extend these same protections to gift cards. The only recourse for a victim was filing a police report.
Credit CARD Act of 2009: Sections 401 and 402 and the associated amendment to Regulation E of the EFTA added significant protections related to term disclosures; specifically when service and late fees can be applied to the end consumer as well as memorializing the expiration limit for many types of gift cards as a five (5) year term.
Although the modifications these three (3) pieces of legislation made represented steps in the right direction in terms of consumer protections, collectively they fail to protect gift card consumers in the same ways as a credit or debit card, which ultimately makes them a more attractive venue for fraud.
What are the Different Types of Gift Cards? Branded versus Vanilla Explained…
Not all gift cards are created equal in the eyes of fraudsters; some gift cards are only able to be used to purchase merchandise from a specific retailer (branded) whereas other gift cards (Vanilla) can be leveraged the same as cash to make any purchase physical or digital. As graduation approaches and we head back into the holidays, Vanilla prepaid cards such as VISA, Mastercard and American Express are expected to be top choices representing 20% of the overall market segment according to Carat(See source 7 in appendix). During 2022, a noticeable shift was observed where these non-branded cards now account for ~11X fraud rate when compared to their branded peers(See source 8 in appendix). These Vanilla card providers are closely followed by online-only merchants such as Amazon and eBay offering Branded gift cards with physical big box stores like Target and Walmart rounding out the pack.
Branded Gift Cards Most Commonly Leveraged in Fraud Schemes:
Of the companies offering branded gift cards, the following chart offers a breakdown of those most commonly leveraged as a means of fraudulent payment by actual dollars lost by the consumer:
According to the FTC, median losses increased from $700 to $1,000 between 2018 and the first nine months of 2021(See source 9 in appendix). Of the branded cards, Target leads the pack in terms of the average amount of money lost per fraudulent investigation at $2,500 with 30% of victims stating they lost over $5,000(See source 10 in appendix). Target’s related per-card loss median value is significantly higher than any other branded card provider.
Why Are Cybercriminals Interested in Gift Cards, Specifically?
The significant advantage that gift cards bring is an additional layer of anonymity. Cards not being tied to a specific individual or known account as well as the fact many cards sadly still do not have a scratch-off PIN for activation, make it even easier to “take over” gift card-related accounts due to ease of authentication. Other reasons gift cards are appealing to the cybercriminal ecosystem include the fact they cannot be refunded or returned and providers typically offer minimal means of disputing seemingly fraudulent transactions. To further complicate matters, unbranded or Vanilla gift cards are, in effect, the equivalent of cash. Closed-loops or branded cards are generally considered a lower risk by the Department of Treasury as far as money laundering mostly because they can only be exchanged by a specific retail establishment and have no cash-equivalent surrender value. Threat actors have also been observed purchasing cryptocurrency with these gift cards – providing the burgeoning criminal ecosystem with a repeatable method to convert any existing balance into untraceable funds. The most commonly observed cards in these cases include the Vanilla or non-specific-brand cards offered primarily by Visa, Mastercard or American Express. There is no shortage of publicly available gift card to cryptocurrency conversion mechanisms as witnessed by the examples below:
How Does Gift Card Fraud Take Place?
There are two primary means of committing gift card fraud – purely digital interaction or schemes that require some type of in-store or in-person interaction. The majority of digital methods are secondary to the gift cards already having been purchased whereas the in-store or physical methods often involve physical stock manipulation or some form of insider threat. The breakdown below walks through some of the most common digital and physical attack vectors.
In-Store or Physical/Digital Combination Threats:
According to a recent Better Business Bureau (BBB) report, the most common attack type is the barcode sticker replacement scheme in which threat actors just place a sticker over the existing card’s barcode with a barcode related to a different gift card owned by the threat actor(See source 11 in appendix). Uneducated and unaware consumers will take these cards to the register and pay without realizing the purchased gift card doesn’t align with the customer-intended purchase.
The only countermeasures available to combat this scheme are two-fold, adding a scratch-off cover over the scannable barcode and/or significant in-store training for cashiers to be on alert and be able to identify these altered cards as customers go through checkout. This scheme can be performed by an employee or an external threat actor.
A similar variant of the scheme above involves fraudsters going into physical storefronts and copying multiple gift cards details – often even scratching off any coverings, capturing the PIN codes, then recovering the PIN or barcode areas with a silver sticker that mimics the original scratch-off areas visually. Once the actual gift card is activated by an unsuspecting customer, the fraudster then depletes the loaded balance. Similar to above, training cashier or point-of-sale employees to be alert and on the lookout for modified cards and/or the related card packaging.
A scheme more commonly perpetrated by insider threats is often referred to as the “Switcheroo”. This style of attack is successfully achieved when a cashier keys an active but zero balance gift card at the register awaiting a customer that hopes to load a new gift card. During the checkout process, the employee switches out the customer-balance-loaded card for the active-but-zero-balance card they have stored at the register. The best way to counter this threat is to not sell Vanilla gift cards – instead offer only branded cards making it easier for customers to realize the switch at the point of purchase.
Another typically-insider-driven gift card scheme is money laundering in its simplest form. A cashier will take a single gift card and activate a card at one cash register without paying for it. Next, the cashier goes to a different register, buys another gift card – paying with the first gift card, then goes back to the original register and voids the initial gift card transaction. This play yields the secondary gift card being cleanly funded with the now non-existent funds of the first. The best way to combat this type of fraud is to eliminate point-of-sale card activation – instead requires scratch-off PINs.
Purely Digital Threats:
According to the FBI, in 2021 alone Americans lost over one billion dollars to romance scams(See source 12 in appendix). The vast majority of these losses were realized by the illicit transfer of gift-card-related funds. Other significant digital threat vectors include phishing attempts that leverage a wide variety of lures but ultimately have a similar objective – typically leveraging malware like common information stealers to capture a victim’s banking information or other personally identifiable information (PII) that can then be leveraged in other downstream fraudulent or criminal activities. To offer first-hand examples of this, check out the survey mailer below:
Other Consumer Engagement / Gift Card Fraud Phishing Threats:
Another direct-to-consumer fraud style involves scammers who impersonate a specific business and typically engage victims stating they need the current gift card details to correct a security issue or something similar. According to the Federal Trade Commission (FTC), the breakdown of imposter contact methods is 37% via phone call, 18% by email, 16% via social media channels and the remainder accounted for by cases where the method of contact was not explicitly defined(See source 13 in appendix).
Approximately 41% of these types of gift card scams involved supposed Amazon or Apple employees with a diverse makeup accounting for the remainder, see the graphic below:
Government Imposter Cases:
Similar to the corporate imposter threat defined above, another extremely common attack type involves cases where the impersonator represented themself as a US Government employee. Examples were observed related to IRS and Tax refunds, Medicare benefits, Social Security payouts, Federal Grant programs, Student Loan debt cancellation programs, common sweepstakes programs and others. As it relates to Government imposter scams, AARP provided a succinct list of things the Government will never do(See source 14 in appendix):
- The Federal Government will not call you unsolicited and ask for personal information. Typically any important communications will come via the U.S. Postal Service (not via phone call, text message, social media engagement or email).
- The Government will not offer a grant without an application and grants are always for a specific purpose. No grants require upfront payments before the benefit, grant or refund-related payout.
- The Government will never suspend any Social Security or Medicare-related benefits because someone misused an individual’s identification and no Federal law enforcement agent will ever bully an American into revealing personal information such as bank account details or account login credentials.
- Federal Agencies do not accept payment via gift cards, wire transfers or cryptocurrency.
What Demographic Groups are among the Most Commonly Targeted?
The FTC provided a 2022 update breaking down gift card fraud victimology stating 43% of related fraud schemes involve individuals between the age of 20 and 29, with another notable category being the 70-79 year-old age bracket representing 23%. The most glaring statistic looking across these two groups was the median loss in the 70+ age bracket was significantly more(See source 15 in appendix).
Credit Card Chargeback Scams and Their Growing Connection to Gift Card Fraud:
A more recent and growing trend is the connection between credit card chargeback scams and gift card fraud. In general, credit card chargeback schemes are when a fraudster has stolen credit card information and leverages these details to make an online purchase only to almost immediately ask for a refund where the funds get redirected from the original payment method to a new gift card.
In these cases, the credit card’s owner reports the unauthorized initial purchase and requests a chargeback resulting in the associated merchant losing twice the original transaction amount as well as being stuck with any hidden or chargeback-related fees. Conversely, the fraudster gets to walk away with a legitimately funded gift card that is clean for future use.
Gift Card Fraud Ecosystem and Burgeoning Illicit Support Structure:
Similar to the democratization of ransomware (RaaS), the gift card fraud ecosystem is also specializing and any individual looking to get educated on how to perpetrate gift card fraud can easily find tutorials on various gift card-related forums such as the examples below:
- Get Refunded for a Used Gift Card (Zkingcarder001)(See source 16 in appendix)
- How to Load a Gift Card Without Paying(See source 17 in appendix)
- Illicit Amazon gift card vendor/seller example(See source 18 in appendix)
- Selling Gift Cards for Cryptocurrency(See source 19 in appendix)
- Redeeming a Vanilla Card for Cash(See source 20 in appendix)
- Fraudsters showing the breadth of their illicit gift card collection/scale of the operation(See source 21 in appendix)
To further compound these points there is also a significant support network available via Youtube or Tiktok offering countless tutorials on how to properly perform the various schemes successfully as seen below:
Key Take-aways and Forward-Looking Predictions:
The FTC provided a succinct Bottom-Line-Up-Front or BLUF line: Gift cards are for gifts, not payments. Period. Scammers, fraudsters as well as more sophisticated threat actors are all drawn to gift cards as a means of transferring illicit funds due to the fact they are not tethered to a specific individual, they are hard to trace (yes prepaid gift cards tied into credit card systems like the Visa / Mastercard / American Express Vanilla cards mentioned above can be individually tracked if required), and are easily converted into cash, cryptocurrency or other resalable goods. Additionally, at least in the current status quo, gift cards are not subject to the same level of regulation as credit or debit cards.
If we zoom out from the initial purely monetary incentives, other entities such as organized crime syndicates and nation-state actors also love gift cards for many of the same reasons especially the ability to convert funds to cryptocurrency – offering a means of further obfuscating their true identity as well as to potentially evade OFAC sanctions.
How Should Gift Card Victims Respond, or What Actions Can Individuals Take?
Step 1: Document everything and always keep gift card receipts.
Step 2: If the fraudster attempts to communicate directly, don’t take the bait.
Step 3: (If defrauded) Contact all three (3) credit bureaus and freeze your credit:
- TransUnion: 1-888-909-8872
- Experian: 1-888-397-3742
- Equifax: 1-800-349-9960
Step 4: Update any account passwords that may be related to the fraud situation, if any
malware was installed (ie infostealer concern), likely a good idea to reset the device to factory settings and/or reimage it along with resetting all account passwords if the respective account was ever accessed by that specific device.
Step 5: Report the fraud to local law enforcement and the Federal Trade Commission.
Step 6: Contact the issuing company of the specific gift card. The most common
vendors, please see the list below:
- Amazon: 1-888-280-4331
- Google Play: link to file a report
- eBay: Chat with an eBay customer support representative here
- Steam: link to file a report
- Walmart: 1-800-925-6278
- Apple / iTunes: link to file a report
What Enterprises Can Do:
- Identify deep/dark web mentions about gift cards for sale.
- Map how the listed cards are leveraged by fraudsters and their related organizations.
- Identify which cards are most targeted and evaluate the security controls in place for less desirable cards in comparison.
- Implement improved security controls for the commonly leveraged types of gift cards.
- Work with a managed threat intelligence service provider to monitor for gift card fraud so cards can be canceled pre-fraudulent impact.
- Quantify losses and work with both legal entities and law enforcement to increase the cost of gift card fraud for the threat actor community.
What Regulators Can Do – Summarized by the Center for Data Innovation(See source 22 in appendix):
- Update EFTA to handle gift cards the same as debit cards, which would encourage companies to implement proven security features to protect against liability.
- The FTC should introduce alerts on point-of-sale systems to increase awareness of gift card scams at the point-of-purchase.
- The FTC should launch a data-sharing pilot program designed to increase the number of data contributors to the Consumer Sentinel network.
- The FTC should break out data for payments by virtual, mobile, and physical gift cards on Sentinel.
Nisos is The Managed Intelligence Company®. Our analyst-led intel investigations, assessments, and monitoring services empower your security, intelligence and trust and safety teams. We provide accurate, customized intelligence that guides your security and risk decisions – protecting your organization, assets, and people. Learn more at nisos.com.