May 4, 2017 By Mark Samuels 3 min read

Cybercriminals are using fraudulent gift cards to beat the information security measures of retailers. A recent Flashpoint report suggested that malicious actors have become increasingly interested in gift card fraud during the past few years. What is more, these individuals are evolving their techniques in response to changes in security measures.

With the total cost of this type of fraud likely to run into the thousands, retail organizations should investigate ways to help their businesses mitigate the risk of cybercriminal activity.

Unwrapping Gift Card Fraud

The report suggested that cybercriminals have long seen gift cards as a great way to make the most of stolen credit cards. Such errant individuals have traditionally used their ill-gotten credit facilities to buy gift cards online. They could then use or resell these cards without worrying about the credit card numbers being canceled.

The criminals’ activities were undermined as businesses caught on to gift card fraud and increased security measures. Flashpoint reported an increase in the number of cards being declined in late 2015.

As a result, cybercriminals, who had previously built underground empires, found that their stolen cards were no longer viable for sale. This realization led them to take a different approach and pursue other ways of obtaining gift cards, according to the report.

Shifting Tactics

Cybercriminals are now compromising the gift card systems themselves by working out the numbers of legitimately issued cards that have not yet been spent. Many gift cards are numbered sequentially, according to the report.

Fraudsters often turn to automation to help with the laborious number-checking process. Flashpoint referred to the recently discovered GiftGhostBot, which automates thousands of checks against more than 1,000 websites in search of unused gift cards.

CSO Online reported that Flashpoint tracked chatter in underground forums and observed a significant rise in discussions about “cracked” gift cards last summer. The number of conversations per month rose from a nominal amount during the first half of 2016 to almost 600 last summer.

A Growing Threat

The popularity of this new type of fraud, plus the poor level of security measures, led Flashpoint analysts to conclude that this errant activity will increase. CSO Online quoted Flashpoint analyst and report author Liv Rowley, who said that, according to anecdotal evidence from retailers, this type of fraud can total thousands of dollars.

CIO referred to research from Gift Card Granny that suggested that the average holiday shopper purchased two gift cards in 2015. By 2018, the total volume of gift card value is anticipated to hit $160 billion.

As with the Flashpoint research, the CIO article confirmed that prepaid gift cards can be a big target for fraud and money laundering. Retailers should build stronger defense processes and invest in enterprise-class security tools to check the details of card users in real time.

The Flashpoint report noted that gift cards are not held to strict antifraud standards, unlike bank-issued credit and debit cards. The firm advised businesses seeking to address gift card fraud to consider a range of security measures, including:

  • A CAPTCHA system for all online purchases made with gift cards to help prevent instances of gift card checking by bots;
  • A more complex numbering system for gift cards, such as one that uses a mix of both numbers and letters;
  • Requiring correct PIN numbers to check gift card balances or use gift cards for in-store purchases; and
  • Subjecting transactions that use certain gift card management applications to greater scrutiny.

Until gift card security standards catch up to those of credit and debit cards, these best practices are consumers’ and retailers’ best bet to defend against sneaky fraudsters.

More from

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today