The Growing Risk of Gift Card Scams

Thieves rely on an ever-growing array of social engineering methods to fleece unwitting recipients out of money. One fast-expanding tactic: business email compromise scams involving gift card purchases.

Typically, thieves trick employees into buying genuine gift cards and sending them the information needed to sell them or cash them in. They often do this by sending phishing emails in which they pose as an executive, requesting that the employee buy gift cards and send the serial numbers so the cards can be used immediately. They use a variety of phony reasons for the gift card purchases, including surprise gifts or the purchase of equipment, supplies, and even food from a restaurant for a meeting or party.[1] They often request cards from major brands such as Apple (iTunes), Google (Play), Amazon, Target and Best Buy.[2]

The trend takes advantage of the fact that most employees are already familiar with gift cards and can buy them online. Gift card sales in the U.S. topped $160 billion in 2018, and more than 93% of the public have used them, according to market-research firm Statista.[3] The average sum requested by thieves is around $1,600, according to the Anti-Phishing Working Group (APWG), but some gift card scams reach more than $10,000.[4]

Gift card scams are part of a broader rise in business email compromise phishing attacks, in which attackers typically attempt to impersonate executives or suppliers in order to deceive employees into sending them money. An FBI report noted that business email compromise attacks have been detected in 131 countries.[5] Overall, business compromise scams are estimated to have resulted in $26 billion in losses since 2016.[6]

Common Gift Card Email Fraud Techniques

Although many gift card email attacks are much less sophisticated than other types of business email compromise attempt, they may include official looking logos, requisitions or purchase orders that appear to be sent from a real department, executive or manager. They are often directed at specific employees who have the authority to make purchases or payments. If a phishing email lands in the right person’s inbox at the right time, it may not elicit suspicion. In many cases, thieves perpetrating email or phone fraud work in coordinated teams that generate leads, distribute scam emails, create aliases, and generate fake documents as needed.[7]

Thieves also continue to invent new ways to defraud companies with gift card related scams. For example, an emerging twist involves mailing recipients a malware-infected USB stick, together with letter that says the employee has received an award and that the USB device contains a digital gift card from a popular retailer.[8] Once the device is plugged in to the employee’s system, it installs a JavaScript backdoor with a keystroke logger.

How to Reduce the Risks

The good news is that gift card schemes are often relatively crude business email compromise attacks, which often makes them easier to spot and block. There are several ways you can protect yourself and your business from email spoofing and other dangers:

• Offer employee awareness training. The most important line of defense against email spoofing and business email compromise is a well-educated workforce. Notably, 90% of all breaches and breakdowns are a result of human error.[9] Employee awareness training can teach individuals to spot suspicious emails, including fake links, misspellings and unusual language or requests. It’s also important to have a way for employees to report suspicious messages or calls.
• Establish controls that minimize risk. Crooks constantly find creative ways to exploit gaps in processes and controls. Gift card schemes that rely on phishing emails or phone calls are no exception. One way to reduce the risk of fraud is to limit who can initiate purchases, create specific rules for them and provide employees with a list of executives who can request them. If a transaction exceeds a certain limit or falls outside normal purchase channels, then mandate a secondary approval and require a phone call or in-person approval.
• Deploy software that aids in protection. Advanced email security solutions can detect many phishing attacks. It important to extend protections to mobile devices, since research shows smartphone users are more susceptible to phishing than those using desktop and laptop computers.[10] Use multifactor authentication (MFA) whenever possible.

The Bottom Line

With gift card scams and other forms of business email compromise on the rise, it’s more important than ever to remain vigilant and implement controls to combat email fraud. A combination of employee awareness, policies and email security services can reduce the risk of a successful phishing attack.

[1] “BEC gift card scams switch to online stores due to pandemic,” BleepingComputer.

[2] “How Gift Card Scams Are Used to Finance Fraud,” AARP.

[3] “Projected gift card sales in the United States from 2006 to 2018,” Statista.

[4] “Phishing Activity Trends Report, 4th Quarter 2019,” APWG.org.

[5] “Business E-Mail Compromise E-Mail Account Compromise The 5 Billion Dollar Scam,” Federal Bureau of Investigation.

[6] “Gift Cards: Everyone’s Favorite Gift, Especially Criminals,” CPO magazine.

[7] “Email Scammers Ditch Wire Transfers for iTunes Gift Cards,” Wired.

[8] “Hackers sending malware infected USBs with Best Buy Gift Cards,” Hackread.com

[9] 2017 Cost of Data Breach Study,” Ponemon Institute.

[10] Ibid.