Gift cards are a popular revenue stream for quick-service restaurants (QSRs), largely for the same reasons they are popular among retail businesses of all types: They bring in new customers, promote loyalty among existing customers and create additional revenues when customers exceed the value of their gift cards. Gift cards have largely gone digital with the rise of smartphones and tablets, and the eGift card market was valued at approximately $31.8 billion in 2019.
The value attached to the gift card market has made these items prime targets for fraudsters. A variety of factors have contributed to gift cards’ popularity, including their ease of theft and the simplicity of converting them into cash via online marketplaces. QSRs and retailers are looking to stop this tide of cybercrime by adopting a variety of anti-fraud measures.
The following Deep Dive examines the factors that have contributed to growth in gift card fraud, how fraudsters exploit security loopholes and how merchants can better prevent such crimes.
Why Do Fraudsters Target Gift Cards?
Fraudsters target gift cards for one of two reasons. The first and most obvious is that they want to spend the gift card at the chain they defrauded. It seems counterintuitive to return to the scene of the crime, but QSRs rarely, if ever, require detailed identity information from gift card purchases, like they would for credit cards, allowing fraudsters to make purchases easily.
The second reason fraudsters commit gift card fraud is the ease with which they can convert them into cash. Gift card marketplaces like Raise and Gift Card Granny enable recipients to exchange gift cards for cash or equivalent value for another business. These exchanges are usually anonymous, meaning cybercriminals can use stolen credit cards to buy thousands of dollars of gift cards and sell them at a discount to launder money.
How Do Fraudsters Exact Their Schemes?
Gift card fraud comes in a variety of forms. One method involves fraudsters taking gift cards off the rack and writing down their card numbers and security codes by removing the scratch-off strip on the back of the card. Fraudsters replace the security strip, put the cards back on the rack and periodically check the balance on the compromised cards. Fraudsters receive alerts when legitimate customers activate the card, which can then be laundered or used to make purchases.
Fraudsters also tend to leverage sophisticated digital means to commit fraud. Botnets comprised of thousands of hijacked personal computers and internet of things (IoT) devices can methodically test millions of gift card account numbers and cross-reference them with stolen PINs to log into online gift card accounts. One such attack occurred in 2017, when a botnet called GiftGhostBot ordered more than four million account balance requests every single hour. Once the botnet finds a live gift card, the hacker can swiftly abscond with the account balance.
Store employees are often the culprits of gift card fraud as well, using customers as voluntary or unwitting accomplices. The employee can switch customers’ gift cards with ones that do not have balances, allowing the worker to pocket and sell gift cards. Some employees may also ring up gift cards without putting money on them. This allows them to later use another register to buy an equivalent amount of gift cards using the funds from the original sale. They then go back to the first register and void the first sale, leaving them with several valid gift cards that they can then launder for cash.
No matter what form gift card fraud takes, the impacts can be quite severe. Merchants can be forced to issue chargebacks to credit card companies and banks for gift card purchases and be responsible for any additional penalties. This is on top of the costs associated with the lost inventory, sorting out the fraud and the damage irate customers have done to the brand’s reputation after finding gift card charges on their credit card statements. Potential customers are also often unwilling to patronize chains associated with the fraud.
How Can QSRs Counter Gift Card Fraud?
Solutions for tackling gift card fraud are surprisingly simple. QSRs could keep them behind the counter, rather than leaving them publicly accessible. This requires customers to ask employees before purchasing them, preventing outside attacks. Purchases could then be surveilled via cameras or a watchful store manager to prevent employee theft. QSRs can also lower the transaction limits for their gift cards, disincentivizing cybercriminals from targeting them.
Other preventative efforts rely on more sophisticated solutions, such as leveraging artificial intelligence (AI) to monitor gift card resale sites or track excessive value check requests. Device risk assessment programs can determine whether these value checks are coming from a small number of devices, indicating that hackers could be using botnets to further their schemes.
Cybercriminals will inevitably develop ways to counter gift card fraud prevention techniques as they mature and continue to defraud gift card issuers and customers. QSRs must, therefore, be proactive in their prevention methods, or the presence of fraud could irrevocably taint the lucrative gift card market.