May 4, 2017 By Mark Samuels 3 min read

Cybercriminals are using fraudulent gift cards to beat the information security measures of retailers. A recent Flashpoint report suggested that malicious actors have become increasingly interested in gift card fraud during the past few years. What is more, these individuals are evolving their techniques in response to changes in security measures.

With the total cost of this type of fraud likely to run into the thousands, retail organizations should investigate ways to help their businesses mitigate the risk of cybercriminal activity.

Unwrapping Gift Card Fraud

The report suggested that cybercriminals have long seen gift cards as a great way to make the most of stolen credit cards. Such errant individuals have traditionally used their ill-gotten credit facilities to buy gift cards online. They could then use or resell these cards without worrying about the credit card numbers being canceled.

The criminals’ activities were undermined as businesses caught on to gift card fraud and increased security measures. Flashpoint reported an increase in the number of cards being declined in late 2015.

As a result, cybercriminals, who had previously built underground empires, found that their stolen cards were no longer viable for sale. This realization led them to take a different approach and pursue other ways of obtaining gift cards, according to the report.

Shifting Tactics

Cybercriminals are now compromising the gift card systems themselves by working out the numbers of legitimately issued cards that have not yet been spent. Many gift cards are numbered sequentially, according to the report.

Fraudsters often turn to automation to help with the laborious number-checking process. Flashpoint referred to the recently discovered GiftGhostBot, which automates thousands of checks against more than 1,000 websites in search of unused gift cards.

CSO Online reported that Flashpoint tracked chatter in underground forums and observed a significant rise in discussions about “cracked” gift cards last summer. The number of conversations per month rose from a nominal amount during the first half of 2016 to almost 600 last summer.

A Growing Threat

The popularity of this new type of fraud, plus the poor level of security measures, led Flashpoint analysts to conclude that this errant activity will increase. CSO Online quoted Flashpoint analyst and report author Liv Rowley, who said that, according to anecdotal evidence from retailers, this type of fraud can total thousands of dollars.

CIO referred to research from Gift Card Granny that suggested that the average holiday shopper purchased two gift cards in 2015. By 2018, the total volume of gift card value is anticipated to hit $160 billion.

As with the Flashpoint research, the CIO article confirmed that prepaid gift cards can be a big target for fraud and money laundering. Retailers should build stronger defense processes and invest in enterprise-class security tools to check the details of card users in real time.

The Flashpoint report noted that gift cards are not held to strict antifraud standards, unlike bank-issued credit and debit cards. The firm advised businesses seeking to address gift card fraud to consider a range of security measures, including:

  • A CAPTCHA system for all online purchases made with gift cards to help prevent instances of gift card checking by bots;
  • A more complex numbering system for gift cards, such as one that uses a mix of both numbers and letters;
  • Requiring correct PIN numbers to check gift card balances or use gift cards for in-store purchases; and
  • Subjecting transactions that use certain gift card management applications to greater scrutiny.

Until gift card security standards catch up to those of credit and debit cards, these best practices are consumers’ and retailers’ best bet to defend against sneaky fraudsters.

More from

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Cybersecurity Awareness Month: 5 new AI skills cyber pros need

4 min read - The rapid integration of artificial intelligence (AI) across industries, including cybersecurity, has sparked a sense of urgency among professionals. As organizations increasingly adopt AI tools to bolster security defenses, cyber professionals now face a pivotal question: What new skills do I need to stay relevant?October is Cybersecurity Awareness Month, which makes it the perfect time to address this pressing issue. With AI transforming threat detection, prevention and response, what better moment to explore the essential skills professionals might require?Whether you're…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today