Gift Cards: The Cyberthief’s Best Friend

Evan Schuman is a guest contributor to the Sift Science blog.

Has there ever been a happier partnership than a fraudster and his gift cards? It’s the perfect way to launder stolen funds while also getting a multi-day head start over law enforcement. Much of the reason involves how retailers handle—and, most critically, track—gift cards.

Scenario: A thief has just stolen a credit card from a victim at a coffee shop. At that moment, the thief is fighting the clock. How many minutes will it take for the victim to discover the theft? Will she assume she misplaced it and spend more minutes in a pointless search for the missing card? The thief is counting on at least 30 minutes before the theft is reported to the issuing bank. And, yes, the thief loves a bank’s long hold times.

The thief has that much time to get his hands on cash. The fastest route is typically to buy as many gift cards (physical or digital) as that credit card’s limit will permit. In a perfect world, that might only get the thief a few more minutes, but it often buys them days and sometimes more than a week. Why? When the credit card is reported as stolen, the bank immediately shuts it down.

But that stolen card report doesn’t directly cancel whatever was recently purchased with the card. It can take days before the retailer will identify the gift cards purchased and individually cancel them. That is more than enough time for the thief to cash out the gift cards, or to resell them on a secondary marketplace for a profit.

Starbucks, Target Got Stung

Little of this is new, as gift card fraud has been a popular theft tactic for more than a decade. And there are often security holes. Several years ago, Starbucks and Target got stung when they displayed real gift cards (instead of non-functional versions to show the pictures available) in places where shoppers could see and touch them before purchase. That allowed thieves to capture many gift card numbers and then simply wait for a shopper to select and activate that card. The cash was then available to the thief.

Apple recently warned consumers of a new gift card fraud twist, where thieves trick consumers into buying e-gift cards—and revealing the number—to bail out an arrested relative. Virtual gift cards are an extremely effective way for thieves to monetize stolen credit card info, since they can be either cashed out or resold. According to ACI Worldwide, digital gift cards have the highest fraud rate of all products sold, at 9.55%.

All of this is happening while American consumers continue their love affair with gift cards. Starbucks, for example, reported that it made more than $1.1 billion from gift card sales during last year’s holiday season. They went more granular and noted that almost 2.5 million Starbucks cards were activated on a single day: Christmas Eve.

Merchants fight back

That flood of gift card purchases plays a significant role in anti-fraud strategy. Some retailers have tried putting low ceilings on the dollar value of gift cards that can be purchased at one time, to sharply reduce the value to thieves. But retailers have found far too many legitimate customers who want to buy a lot of gift cards at once (for example, when doing some holiday shopping). In short, gift card limits now have the real potential to hurt legitimate sales. What’s a retailer to do?

Gift card fraud monitoring is no longer a nice-to-have option. Every gift card sale should be tracked and linked to a card. When a credit card is stolen, it needs to automatically send an alert canceling all purchased gift cards (purchased after the fraud was reported).

And e-commerce merchants selling digital gift cards should seek out anti-fraud tools that rely on a variety of behavior patterns to identify fraudsters proactively – and block the purchase. Digital gift cards may be more attractive to fraudsters, but they’re also wildly popular with consumers. With online gift card sales growing 29% year over year, this is one revenue opportunity you don’t want to miss out on.