Gift Card Scammers Skirt Security with New Tricks

With security improving around gift cards, scammers are resorting to new tactics, including old-fashioned trickery and new technology. "As the locks have gotten more sophisticated, so have the lock picks," says Ben Jackson, a senior analyst at Mercator Advisory Group, a Maynard, Mass.-based company that tracks the consumer payments industry.

Gift cards attract criminals because they're big business. U.S. consumers loaded $112.3 billion onto gift cards in 2012, according to Mercator reports published in August. The figure includes both closed-loop gift cards, which can only be used at a single retailer, and open-loop cards, which can be used at any store that accepts them. The dollar amount loaded on closed-loop cards grew 4 percent from 2011, while the open-loop market grew 7 percent.

"The thing about gift card fraud is it's the old, ‘John Dillinger, why do you rob banks?' ‘Because that's where the money is,'" Jackson says.

Classic schemes evolve Thieves continue to use some of the same scams they pioneered several years ago, experts say, but often with a twist. In a classic gift card scam, a thief checks gift cards displayed in a store and writes down identifying information or lifts it from the card's magnetic stripe using a scanner. The crook then goes home and repeatedly checks online to see when the card is activated (usually this is done when the cashier rings up the purchase of the card). Once activated, the thief spends the card balance online.

In another traditional scheme, a thief will apply a bar-code sticker over the genuine bar code of a gift card in a shop. When the sticker is scanned, it activates a blank card that the crook has stolen instead of the card the consumer is purchasing.

Technology is allowing scammers to streamline part of the process, says Jackson. Rather than having to hit "refresh" on their computers until they see that a card has been loaded with value, thieves now use computer software that automatically checks the value of a card multiple times in a short span. Card processors have caught on, however, and now consider such repeated value checks a red flag for fraud.

Card manufacturers are also beefing up security by upgrading packaging to make it harder for thieves to record card identification numbers. But fraudsters have, in turn, adapted by using "social engineering," otherwise known as the traditional tool of the con man: the gift of the gab. They're approaching merchants directly to obtain the necessary card data.

Often this social engineering takes place at the point of sale, Jackson says. Scammers telephone a store, reach a clerk and identify themselves as representatives for the company's central office. They'll ask the clerk to activate a card, load it with value, and then give the thieves the identifying numbers so they can check that it was activated properly.

"They're essentially creating money out of thin air," Jackson says.

A similar, darker, scam involves callers using threats to try to get information from retail employees. Stores in Savannah, Ga., received warnings that the stores would be blown up if a store manager didn't load $500 onto 10 reloadable prepaid debit cards, then read the card numbers over the phone. The FBI, which is investigating, says no manager complied and the bombs never went off, but the scam has appeared in other parts of the country too.

Oldie but goodie One of the most popular crimes involving gift cards hasn't changed much. Thieves are still buying gift cards with stolen credit cards, says Martha Weaver, the gift card product marketing manager at Travel Tags, an Inver Grove Heights, Minn.-based company that manufactures 500 million gift cards a year. Buying a gift card allows a thief to extract money from the credit card before the cardholder notices the credit card is missing and cancels it.

"Gift cards are an anonymous account to put money on, and anything anonymous in the world of fraud is desirable," says Weaver. "It's seen as a way to launder money."

Better enforcement Fraud detection has gotten better both at card processors and among law enforcement agencies, says Dan DeFelippi, a former card thief who has consulted with the Secret Service on fraud techniques and now works as a web developer. Training has improved and there are now more links, formal and informal, between law enforcement and card processors' internal fraud detection departments.

"If they have inside contacts, it helps (law enforcement) investigate, and they'll catch more people and prevent more losses from happening," DeFelippi says.

Buyer beware You can protect yourself from gift card scams by following a few common-sense steps.

Treat gift cards like a food purchase. The same way you wouldn't eat a candy bar whose packaging is torn or battered, stay away from gift cards if the packaging appears damaged. Some card manufacturers are moving away from paper "clamshell" packaging that can be sliced open and resealed in favor of tougher, plastic packaging that can't be opened without destroying the package.
Don't give out confidential information. There's no reason for a sales clerk to ask for the number of a gift card, so if you encounter that situation, challenge the request and refuse to provide the information. The same applies for callers who request such data to "check the card's value."
Investigate online sellers. If you're buying a card at an online marketplace like eBay or Gift Card Rescue, read what previous buyers say about any seller with whom you're consider doing business. Stay away from sellers with negative reviews.
Act fast. If your gift card balance is not what you expect it to be, contact the card issuer immediately. Not only do you improve your chances of retrieving your money, you help others, since scammers generally perpetrate the same fraud on multiple victims.