Search This Blog

Saturday, July 31, 2010

Gift Card Fraud

Gift Card Background: By their nature, gift cards are anonymous. There is no name or identity attached to them, only the brand of the card. They can be bought with different types of tender: credit or debit cards, checks, cash, money orders. Companies sell their gift cards at their stores or on their websites. Many companies also offer their gift cards through other merchants, such as kiosks or racks in grocery stores. Gift card sales have trended up, primarily due to convenience of purchase, with sales estimated at $178 billion in 2010, according to study from Boston-based Aite Group LLC. This lucrative business has drawn the interest of scammers. One major retailer experienced $250K in gift card fraud losses in 2009, and losses are trending even higher in 2010.


Gift cards were first offered in the mid-1990s as replacements for traditional gift certificates, when retailers turned to this type of offering to reduce the incidence of counterfeit gift certificates. Merchants do not have to give cash back, and consumers are more likely to pay full retail price with a gift card. Most card recipients spend more than the value on their gift card, 25% more on average. Retailers’ cards, which are good only in their stores, are called closed-loop cards. This is due to the fact that they can be redeemed only by the retailer that issued the card. In addition, most of these types of cards are not reloadable and require no information on the purchaser or the recipient.

Financial institutions entered the market to capitalize on the increasing popularity of gift cards as a consumer payment method. Instead of issuing closed loop cards that could be used only within a single merchant’s system, financial institutions offer ‘open loop’ gift cards that are branded by one of the payment networks (such as Visa, Discover, MasterCard, American Express), and can be used anywhere that those brands are accepted. Some pre-paid cards are one-time use cards, while many may be reloaded, unlike most retail gift cards. This reloadable feature has made network-branded cards popular with the unbanked or underbanked population, and it has also made the cards an easy avenue for money laundering. To combat this, financial institutions reacted by putting restrictions on load limits and requiring personal identification information to activate the reloadable features of the network-branded prepaid cards.

Closed vs. Open Loop Gift Cards

Closed Loop:                                                                                        
• Can be used at one store/chain                                                  

• May be single-use or reloadable

• Have multiple card designs

• Usually no fee to issue      

Open Loop Cards:

• Can be used at millions of locations
• Typically reloadable

• Usually has up front/activation fees and account maintenance fees

A hybrid of the open and closed loop cards is the semi open loop card, which can be used within a set geographic location, such as a resort or a shopping mall. The card may be used at any store or restaurant within that location.

Channels for Gift Card Fraud: Gift cards can be purchased with stolen or counterfeit credit or debit cards. The fraudster may do this to turn the gift cards into quick cash. He can offer a $200 card for $100, and it is all clear profit. He may want to hit the stolen debit/credit card hard and fast before it is shut down; by purchasing gift cards, he can take his time “shopping”. In other cases, the gift card is purchased legitimately, and the fraud takes place after the point of purchase. The second type of fraud is discussed in this paper.

One type of gift card fraud is related to virtual gift cards. In this instance, a legitimate customer logs onto a company’s website and purchases an electronic gift card. Then, a fraudster, using email sniffers, Trojan horses, or some other hacking method, accesses the virtual gift card information. Before the intended recipient can use the gift card, the fraudster uses it to purchase another gift card, or several gift cards, uses those cards to purchase more gift cards. The result is an electronic trail that takes days to untangle. In the meantime, the fraudster has purchased big-ticket items with his gift cards, or he has sold them for cash on an online auction site. The legitimate card recipient tries to use the card and finds that it is worthless.

In a second scenario, the fraudster goes into the local grocery store and grabs 20 or 30 gift cards for a national department store. He scans them with a portable card reader or he takes them to the restroom or home, writes down the card numbers, uncovers the security codes on the backs and makes note of them. Then he returns the cards to the store display for some unsuspecting person to purchase. He monitors the department store’s website for the cards to be purchased, or he calls the gift card phone number, enters the code to find out if the card has been loaded. He then activates them, and purchases new gift cards, and more gift cards with those gift cards, again creating a long electronic trail. Both types of fraud are called “tumble and swap.”

Store GIft Card Kiosk


In both instances, legitimate customers purchased the cards, but the cards were intercepted by fraudsters before the customers could use them. By the time the gift card issuer tracks the card purchases, the funds are gone.

Fighting Gift Card Fraud: Traditional methods of fraud prevention do not work with gift card fraud. There is no customer information to verify, no address, no social security number, no date of birth. In the case of online purchases for the “tumbled and swapped” cards, the gift card issuer may look at IP address for known suspicious activity. The issuer may also want to look at type of purchase or velocity, queue the transaction for manual review if another gift card is purchased with the original card within a certain amount of time of activation. Products that identify IP addresses, suspicious geolocations can alert the merchant to possible fraudulent behavior. To complicate matters, fraud rings may find it easier to cover their tracks by emailing gift cards back and forth among email addresses.

Another product alerts retailers to particularly prolific users (say, 10 calls in 30 days or inquiries on five cards from the same computer) in "exception reports," which can be used to block access.

At the point of sale, merchants can assist in the fight against fraud. By keeping the cards in a secure location, they can limit the likelihood that a fraudster will access card information. Cashiers can also inspect the cards and packaging for tampering.

What Consumers Can Do: Consumers can guard against gift card fraud by doing the following:

• Ask the cashier for a gift card that is kept behind the counter to reduce the possibility of tampering.

• Select gift cards with tamper-resistant packaging and look them over carefully.

• Immediately after purchase, ask the cashier to check the balance on the card.

• Save the receipt or give it to the recipient. Some merchants will replace lost or drained gift cards.

• Register the card on the retailer’s website; this can help in the case of fraud.

• Be wary of purchasing gift cards from online auction websites. They may be of little or no value.

Summary: While many merchants claim there will be no refunds if gift cards are lost or stolen, most will reimburse victims of this type of fraud. This leaves the retailer to bear the cost of the fraud, as well as the expense involved in investigation and resolution. To protect their brand, they will take the loss.