It often pays to look a gift horse in the mouth – recognizing these types of gift card fraud will go a long way toward helping you stay safe from this growing threat, and not just this holiday season.
It’s that time of the year again, when we’re all online looking for presents to give and receive. Gift cards are an increasingly popular choice, which means you might well be buying or receiving them during the festive period. In fact, they’ve become a huge global market projected to grow at a rapid clip over the coming years to reach a staggering US$2 trillion by 2027. Needless to say, the popularity of gift cards hasn’t escaped the notice of cybercriminals and online fraudsters, who’ve developed a whole underground industry focused around gift cards.
Some scams will use the cards themselves as a lure to trick you into handing over sensitive personal and financial information. In other cases, the fraudsters will impersonate officials, demanding payment via gift cards. Whatever the scam, get familiar with these tactics to stay safe online this holiday season.
Why are gift cards popular with scammers?
In a lot of ways, gift cards are popular with cyber-criminals for the same reason they’re popular with consumers. They’re a near-ubiquitous store of money which can be used to buy a huge range of goods and services. More specifically:
- They’re easy for consumers to purchase, online or in-store
- Most retailers and big-name brands now offer some form of gift card
- There are fewer protections than if the buyer were using regular payment cards
- Just like cash, once the balance on the card is gone, it’s gone
- There’s no need for a scammer to provide a bank account for payment – they just need the gift card PIN/code
This has turned gift cards into a hot commodity on the cybercrime underground. In one recent case, a threat actor tried to sell a trove of 900,000 such cards with an approximate value of US$38 million on a dark web site. The cards were stolen from online discount card shop Cardpool and could be traced back to thousands of brands – including AirBnB, Amazon, American Airlines, Chipotle, Dunkin Donuts, Marriott, Nike, Subway, Target and Walmart.
Top attack tactics to watch out for
As mentioned, cyber scammers have a range of tactics at their disposal. Here are five of the most common threats to look out for:
- A threatening ‘official’ demands payment
Here, the scammer masquerades as a legitimate official from the government, a utility provider or another organization. They’ll typically threaten the victim, perhaps by claiming they’re owed unpaid taxes or an outstanding bill payment, and stress the urgency of payment. This is classic social engineering designed to force the victim into hurrying their decision making.
The scam could arrive in the form of a phishing email, or text, or even a phone call (known as “vishing”). Payment is required by gift card, with the scammer usually specifying the type of card they want to be used for the payment. All of these should be red flags. As the FTC says, no real business or government will require payment via gift card.
- Bots steal your balance
Sometimes the bad guys go straight to the source, and hunt digitally for a record of your gift card with the issuer. How do they do this? By using automated bots to probe back-end IT systems at retailers and other organizations for details on card balances and card numbers. With this information they can use the card as if they were the official cardholder. This is an area ripe for exploitation as research shows that Americans alone are sitting on as much as $15 billion in unused gift cards and credits.
- In-store tampering with cards
Scammers don’t just work online. Another popular ploy is to visit stores where gift cards are on sale and steal the numbers/secret PINs. Sometimes they’ll go to extreme lengths to disguise their actions, such as re-covering PINs with a sticker. Depending on the card, they may wait until the victim goes online to register and load funds onto the card before using it online or making a duplicate to use in-store.
- You won a prize!
Another category of scams uses the lure of a promised prize to trick the user into paying a fee via gift card. Unsolicited contact from the fraudster will inform the victim that they’ve won big, but need to pay a small sum to claim their prize. It could be anything from a car to a holiday – it goes without saying that there is no prize.
- Phishing attempts to steal your data
Gift cards themselves can be used to trick users into handing over their personal details. This is akin to a classic phishing attack, where the recipient is approached via email, text or social media with the offer of a large gift card balance. To claim it they need to fill in some personal and possibly financial details, which the scammer will then sell on the dark web or use themselves for identity fraud.
How to stay safe from gift card scams
Raising and maintaining user awareness is a large part of the battle against gift card scams. The following tips will go a long way towards helping you stay safe online:
- Buy only from retailers that store gift cards in locked cases
- If you buy online, purchase directly from the retailer rather than discount stores
- Only buy gift cards that feature PINs
- Be sceptical – if an offer looks too good to be true, it usually is
- Be aware that no business or government official will ask to be paid in gift cards
- Never enter personal and financial details after unsolicited contact online
- Use cards as soon as you can
- Double check the card balance as soon as you get the card
Remember, the bad guys are constantly thinking of new ways to monetize stolen data. The above is, therefore, by no means an exhaustive list. But it should be a good place to start.
Further reading: Tips for buying and sending gift cards
written by Phil Muncaster, ESET We Live Security