Article

Holiday Trends in Gift Card Fraud — and How to Beat It

Online holiday sales are continuing to climb as shoppers both spend more overall, and increasingly turn to their phones and laptops to buy gifts. While overall retail sales in the U.S. were expected to grow only 3.1 percent over the 2017 holiday season, e-commerce sales were projected to grow 16.6 percent.

The later in the holiday season, the more likely a shopper is to turn to eCommerce. According to a new survey from the National Retail Federation, 51 percent of last-minute shoppers (those who had waited to buy gifts after December 12, 2017) were planning to buy their gifts online. Shopping online is incredibly convenient — but the most convenient online gift of all is one that can be delivered digitally after the purchase. That same survey found that a whopping 39 percent of last-minute holiday shoppers were planning to purchase gift cards.

This is great news for companies who want to use gift cards to increase their bottom line — but it also brings with it a fresh wave of opportunity for fraudsters.

Gift card fraud often doesn’t get the same attention that other online data fraud does, in part because no personally identifiable information (PII) is disclosed, and in part because gift card fraud is relatively difficult to detect. Yet fraudsters are finding gift card fraud to be a lucrative operation — and harming the margins of online retailers.

At Whitepages Pro, we’ve been listening to merchants throughout the 2017 holiday season as they talk about the different patterns of fraud and abuse they’ve noticed. Over and over, we hear that gift card fraud is on the rise:

  • Fraudsters are using gift cards to transfer fraudulent money to other accounts within the merchant ecosystem, making it harder to track
  • Fraudsters are buying digital gift card codes with stolen credit card information, then selling them on 3rd party websites for cash
  • Fraudsters are combining fraudulent gift card balances with legitimate cards, further complicating a business’ ability to review fraud

Along with fraudulent gift card purchase, fraudsters are also attacking gift cards issued to legitimate customers, either through account takeovers or by hacking into a retailer’s gift card system to drain gift card balances. Because few gift cards require pins, armies of bots can be programmed to test stolen gift card numbers until they find one that has a balance on it.

Many companies simply don’t have the same verification checks in place for digital goods like gift cards as they do for physical products. They often request less upfront information, which limits the merchant’s ability to verify identity, and makes these sorts of transactions high-risk targets for fraud.

How can you protect your company from this growing type of fraud?

  • Implement the same verification checks when customers are purchasing digital goods as other products, requiring email-to-name, name-to-address, email longevity, and other standard matches in order to complete the purchase
  • Set rules to screen for multiple purchase attempts from the same device ID, suspicious device IDs, and other negative indicators
  • Screen for gift card-specific fraud indicators, such as not customizing the gift message
  • Require a PIN in order to use the gift card, and track log-in attempts, account information changes, and log-in origination inconsistencies to screen for hacked accounts

While gift card fraud is similar in principle, studying past fraudulent gift card orders from your company can help identify behavior characteristics particular to your business.

Note that some of those characteristics may be different from gift cards to other transactions for physical products from your company. Set specific rules and a separate review queue for digital product transactions in order to better target this kind of fraud, and always follow best practices for preventing gift card fraud.

Learn more about how Whitepages Pro helps retailers prevent online fraud here.

Thanks for reading! You might be interested in these posts, too: