11 Nov 2022

Gift Card Scams are a Year-Round Problem

Filed Under: phishing

Gift card fraud seems to pick up around the holidays, but this global scam is a year-round problem. This type of fraud is favored by criminals because it’s hard to track, and less likely to be intercepted by law enforcement.

Some of the methods used during gift card scams are basic snatch-and-grab confidence ploys, where intimidation (either direct or passive) is used to extort the victim.

Business Email Compromise (BEC) / Email Account Compromise (EAC) attacks also leverage gift cards as a means to obtain payment, often resulting in money laundering.

In at least one BEC attack that I am aware of, the criminals spoofed the email of an executive, and the victim was asked to purchase gift cards for a company expense. The victim in this case had actually undertaken similar actions in the past at the request of their boss, and didn’t think twice about this latest request. At the end of the day, they were scammed out of $2,000 USD.

These types of workflow attacks are common, and clearly successful, as they play on workplace dynamics and the routine nature of a victim’s day-to-day workflow. They’re a numbers game to the criminal, as only a small conversion rate is needed to profit after the expense of making calls or sending hundreds of emails. So if 1,000 emails convert to 10 victims, the campaign could be considered a success in many cases. Depending on the money involved, as few as two victims would be a success.

What is a gift card scam?

Gift card scams are social engineering attacks, and often leverage an impersonation element. They can happen via social media, phishing (email or text message), or even collaboration software like Zoom, WebEx, or Microsoft Teams. Depending on the nature of the scheme, the scammer will claim to be the local police, local tax office, Internal Revenue Service (IRS), or HM Revenue & Customs (HMRC) in the UK. The scammer will then attempt to get the victim to purchase gift cards and share the codes on the back of the card in order to pay a fine or tax, or to win a prize.

Sometimes, the scammer will claim to be the victim’s boss, and even go so far as to spoof company emails and phone numbers, or compromise office email systems and inject themselves into an established email thread in order to gain attention, legitimacy, and the appearance of authority.

In the image below, sent by @JCyberSec_ on Twitter, we see examples of two different gift card scams, where the scammer poses as the victim’s boss. This is a power dynamic play, and is one of the more common tactics used.

An example of a text-based gift card scam attempt

According to the Internet Crime Complaint Center (IC3), BEC/EAC attacks historically involved “compromised vendor emails” and “fraudulent requests for large amounts of gift cards.”

“Now, fraudsters are using virtual meeting platforms to hack emails and spoof business leaders’ credentials to initiate the fraudulent wire transfers. These fraudulent wire transfers are often immediately transferred to cryptocurrency wallets and quickly dispersed, making recovery efforts more difficult.”

– IC3, 2021 Internet Crime Report

Looking at the figures I was able to dig up, impersonation scams resulted in £129.4 million in losses during the first six months of 2021 in the UK, representing a 123% increase over the previous year. Based on the figures from the IC3, BEC / EAC attacks resulted in $2.4 billion in losses, across nearly 20,000 reports of fraud. In the first nine months of 2021, nearly 40,000 people reported $148 million USD stolen using gift cards. During that timeframe, Target was the number one brand where money was reported lost due to gift card scams, followed by Google Play, Apple, eBay, and Walmart.

Side Note

In just one case, the US Department of Justice arrested two people for Walmart gift card scams. Yao Lin, 51, of Ruther Glen, Virginia, and Wen Xue Lin, 39, of Philadelphia, Pennsylvania, pled guilty on September 29, 2022, to one count of wire fraud, in a complex scheme that defrauded hundreds of people across the United States.

  • A search of Wen Lin’s vehicle recovered:
    • 1,298 Walmart Vanilla Mastercard and American Express gift cards (value: $229,100).
    • Approximately $40,000 in unused value remained on those cards.
    • The Walmart and American Express gift cards were used to purchase other cards in the amount of $287,335.34.

  • A search of Yao Lin’s vehicle recovered:
    • 128 Google Play, Steam and Apple gift cards (value: approx. $9,300).
    • Yao Lin was connected to 1,649 different transactions using 1,271 different Walmart gift cards.
    • Over 39 days, Yao Lin’s total transactional fraud reached $533,341.75.

  • The scams conducted on victims in order to obtain Walmart gift cards varied to include threats of arrest, finance schemes and romance scams.

  • Both Wen Lin and Yao Lin admitted to receiving 3% of the total funds converted from Walmart gift cards as payment for their criminal efforts.

Proactive Defense

The main thing you can do to protect yourself from these types of scams during the holidays, or year-round, is to remember that no real business or government agency will insist you pay them with a gift card. This includes businesses that are offering a so-called prize or reward, or those asking that you pay fees upfront in order to obtain employment.

Watch out for random text messages, calls, or emails that focus on urgency and request gift cards. For example, the message may claim that if prompt payment isn’t received, something terrible will happen (e.g., arrest, foreclosure, repossession, job-related difficulties, etc.). Often these calls will request a specific amount and type of gift card, which is another major red flag.

Related to the first point, common gift card scam tactics include impersonating government agencies, law enforcement, tech support, romantic interests, utility companies, family members experiencing emergency situations, and co-workers / management.

For each of these scenarios, slow down and think. Take a moment to consider the request, and determine if it is legitimate. Trust your gut.

In the case of co-workers and management, use an out-of-band method to verify the request, such as calling them directly, or visiting them in person at the office. Either way, don’t take any action until you can confirm the request, even if you’ve done such things in the past, and never use the contact information provided by the person making the request.

The notion that a loved one is in trouble can be jarring. However, instead of just trusting what you are told, make the person requesting help answer questions only you and your loved one would know the answers to, such as the name of the aunt that makes the family’s worst potato salad, or what you gave them for their birthday last year. Even if the scammers manage to get those answers correct (and they won’t), call your loved ones directly and verify their wellbeing. Think for a minute: why would someone in trouble need gift cards to get out of a jam?
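For mail administrators, the red flags described in this section (a gift card request, urgency, a named brand and amount, a request for the codes) can be turned into a simple triage rule that holds a message until the request is verified out-of-band. The sketch below is an added example, not part of the original article; the keyword lists, the Reply-To domain check, the three-flag threshold and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

GIFT_CARD = re.compile(r"\bgift\s?cards?\b", re.I)
# Each check corresponds to a red flag named in the article; the word lists are illustrative.
CHECKS = [
    ("named_brand", re.compile(r"\b(target|google play|apple|itunes|ebay|walmart|amazon|steam)\b", re.I)),
    ("urgency", re.compile(r"\b(urgent(ly)?|asap|immediately|right away|today|arrest(ed)?)\b", re.I)),
    ("specific_amount", re.compile(r"[$£]\s?\d[\d,]*")),
    ("asks_for_codes", re.compile(r"\b(codes?|pins?|scratch|photos?)\b", re.I)),
]

def red_flags(raw):
    """Return the list of red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    if not GIFT_CARD.search(text):
        return []  # only messages that ask about gift cards are scored
    flags = ["gift_card"] + [name for name, rx in CHECKS if rx.search(text)]
    # Assumption: replies routed to a different domain than the visible sender
    # are treated as a sign of a spoofed executive address.
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply and reply != sender:
        flags.append("reply_to_mismatch")
    return flags

def verdict(raw):
    """Hold the message for out-of-band verification at three or more flags."""
    return "hold_for_verification" if len(red_flags(raw)) >= 3 else "deliver"

# Constructed sample: a spoofed "boss" request.
BOSS_REQUEST = (
    'From: "Pat Example (CEO)" <ceo@example.com>\n'
    "Reply-To: ceo.office@mail.example.net\n"
    "Subject: Quick task\n\n"
    "Are you at your desk? I need 5 Target gift cards at $100 each for a client today.\n"
    "Scratch the back and send me photos of the codes. I'm in a meeting, email only.\n"
)
# Constructed sample: a benign message that merely mentions gift cards.
HR_NOTICE = (
    "From: hr@example.com\n"
    "Subject: Holiday raffle\n\n"
    "Winners of the gift card raffle will be announced at Friday's all-hands.\n"
)

if __name__ == "__main__":
    for sample in (BOSS_REQUEST, HR_NOTICE):
        print(verdict(sample), red_flags(sample))
```

A hold is a prompt to verify the request through a known-good channel, not proof of fraud; keyword rules like these will miss reworded requests and need tuning against real mail.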

Support

If you think you’ve been successfully targeted by a gift card scam, the links below are to common resources.

Amazon

  • Call 1-888-280-4331 and follow the instructions provided.
  • Keep the Amazon card itself and your receipt for the Amazon card.
  • Visit the Amazon gift card scam website

eBay

iTunes

Google Play

Target

  • If you think you’ve been a victim of a gift card scam, Target says to call Target GiftCard Services at 1-800-544-2943

Walmart

Article images: Jeepers Media

