The intersection of gift card fraud and business email compromise


Most online merchants have strategies in place to counter fraud. Tools like CVV verification, velocity checks, and geolocation help identify suspicious transactions, while fraud mitigation best practices can spot bad actors at checkout.

Fraud is a complex matter, though. It’s further complicated by the fact that some clever fraudsters have figured out methods of employing multiple tactics as part of a single, coordinated effort to defraud businesses. To illustrate, let’s examine the relationship between gift card fraud and another common fraud scheme, known as business email compromise.

BEC attacks

Business email compromise, or BEC, is like a digital form of wire fraud. With a BEC attack, the fraudster manages to take over a credentialed individual’s email account. The criminal then impersonates that individual to manipulate other employees or consumers.

The hacker’s target is usually someone at the management level of a company. By impersonating a higher-up member of the organization, it’s easier for the hacker to manipulate other users. That said, any valid email address connected to a company could be a target. With the right access, the fraudster can work with accomplices inside or outside the company to perpetrate abuse. They may even communicate with third parties and consumers on your behalf, resulting in potential reputational damage.

According to data published by the Federal Bureau of Investigation, law enforcement identified more than 166,000 domestic and international cases of BEC between 2016 and 2019. The total financial impact of those incidents? Roughly $26.2 billion.

Of course, that raises another question: how do fraudsters manage to take over an email account, and use that position to ultimately capture liquid cash? Well, that’s where the gift card fraud comes in.

Gift Cards are the Fraudster’s Goal

Gift cards are treated like cash; however, they are digitally transferable and completely anonymous. Gift cards are also widely popular: 55% of consumers were reportedly interested in giving or receiving digital gift cards that can be added to a mobile app or digital wallet last year. Considering their ubiquity and ease of use, it’s little surprise so many fraudsters see gift cards as an opportunity.

One well-known tactic fraudsters use is to impersonate a government official, like someone from the IRS. The fraudster convinces a victim that she owes a debt, and that the debt can be paid in gift cards. It might sound outlandish at first, but fraudsters used this method to bilk US consumers for $53 million in the first nine months of 2018; a 270% increase compared to three years earlier.

The intersection of gift card fraud and business email compromise isn’t limited to tax scams, though. Creative scammers employ a variety of attack methods. Now, with the holiday shopping season ramping up, gift card scams are likely to reach their peak.

Scammers can either use the gift cards, or they can resell them to consumers, turning them into real, liquid cash. Historically, Apple iTunes gift cards and Amazon gift cards were the most common targets, both extremely popular options with consumers, suggesting that resale is the primary objective. Thus, it’s no surprise that scoring a gift card is the objective behind two-thirds of all business email compromise attacks.

BEC-Enabled Gift Card Fraud Hurts Merchants & Consumers

After gift card scams like the one outlined above, consumers may be tempted to file chargebacks to recover their money. While criminal fraud did occur, the buyer wouldn’t really be entitled to a chargeback in this case; the user authorized the sale, so any chargeback filed would fall within the purview of friendly fraud.

The scheme hurts both consumers and merchants. Cardholders will have to undergo the stress of recovering from the scam, while sellers may lose revenue and see other added fees due to chargebacks. Plus, if the problem gets out of hand, consumers could lose long-term confidence in digital gift cards entirely.

Merchants should look at this problem from two distinct angles. First, there’s the need to secure one’s email accounts, to prevent hackers from carrying out a successful BEC attack. This can be accomplished by:

  • Keeping Current with PCI Compliance Standards: PCI regulations can be complicated, but there are key basics to keep in mind; for instance, requiring employees to lock all devices when away from their desks.
  • Educating Employees: Merchants should ensure that all employees are up-to-date on current best practices to mitigate risk. This includes educating them about developing threats and warning signs, so they know what to look for.
  • Monitoring Network Traffic: Any activity from unfamiliar devices or suspicious IP addresses requesting authentication should immediately raise red flags. It’s best to block these requests until they can be verified in more detail.
  • Using Multifactor Authentication: Passwords, PIN codes, biometrics…there are lots of methods now available to verify users. Employing multiple authentication requirements will make it much harder for fraudsters to take over accounts.
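
One way to implement the hold-until-verified rule from the network-monitoring item above, as an added example (not code from the original article): each sign-in is compared against the mailbox's known devices and networks. The event fields, the /24 IPv4 grouping and the addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample sign-in history: (user, device_id, source_ip). Not real data.
HISTORY = [
    ("cfo@example.com", "laptop-7f3a", "198.51.100.24"),
    ("cfo@example.com", "phone-21bc", "198.51.100.77"),
    ("ap@example.com", "desktop-0c11", "198.51.100.40"),
]

def network_of(ip, prefix=24):
    """Collapse an IPv4 address to its /24 (assumed grouping) so address
    churn inside one office network does not trigger a hold."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

class SignInBaseline:
    """Per-mailbox record of devices and networks already verified."""

    def __init__(self, history):
        self.devices = defaultdict(set)
        self.networks = defaultdict(set)
        for user, device, ip in history:
            self.trust(user, device, ip)

    def trust(self, user, device, ip):
        # Call this only after the request has been verified out of band.
        self.devices[user].add(device)
        self.networks[user].add(network_of(ip))

    def decide(self, user, device, ip):
        """Return ("allow" | "hold", reasons) for one authentication request."""
        reasons = []
        if device not in self.devices.get(user, set()):
            reasons.append("unfamiliar device")
        if network_of(ip) not in self.networks.get(user, set()):
            reasons.append("unfamiliar network")
        return ("hold", reasons) if reasons else ("allow", reasons)

if __name__ == "__main__":
    baseline = SignInBaseline(HISTORY)
    # Constructed request: known mailbox, unknown device and network.
    print(baseline.decide("cfo@example.com", "win-unknown", "203.0.113.9"))
```

The baseline is kept per mailbox, so a device that is trusted for one employee is still held when it requests authentication as another.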

Of course, preventing business email compromise incidents is only part of the battle. Merchants should also be prepared to contend with fraudulent gift card purchases.

Weed Out Suspicious Gift Card Fraud Purchases

Manually reviewing suspicious transactions is extremely important here. A new buyer purchasing a high-dollar value gift card, for example, should be seen as highly suspicious; an automated fraud detection tool may not pick up on this, though. Before finalizing, it’s wise to subject these transactions to careful manual review to try and spot other signs of fraud. Yes, it is time-consuming, but manual reviews allow merchants a level of insight and rational decisioning that automated technologies can’t offer.
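
The new-buyer, high-value case described above can be expressed as a routing rule that feeds the manual review queue. This is an added example, not code from the original article; the thresholds, field names and sample orders are assumptions, and it goes one step further by also applying a gift card velocity check of the kind mentioned at the start of the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them against your own order history.
NEW_BUYER_AGE = timedelta(days=30)
HIGH_VALUE_USD = 200
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_LIMIT = 3  # gift card orders allowed per buyer inside the window

@dataclass
class Order:
    buyer_id: str
    account_created: datetime
    placed_at: datetime
    gift_card_usd: float  # gift card value in this order, 0 if none

def triage(order, prior_orders):
    """Return ("approve" | "manual_review", reasons).

    The rule never declines on its own: a flagged order goes to a human
    reviewer, so legitimate high-value buyers are not turned away."""
    if order.gift_card_usd <= 0:
        return "approve", []
    reasons = []
    is_new = order.placed_at - order.account_created < NEW_BUYER_AGE
    if is_new and order.gift_card_usd >= HIGH_VALUE_USD:
        reasons.append("new buyer, high-value gift card")
    recent = [o for o in prior_orders
              if o.buyer_id == order.buyer_id and o.gift_card_usd > 0
              and timedelta(0) <= order.placed_at - o.placed_at <= VELOCITY_WINDOW]
    if len(recent) + 1 > VELOCITY_LIMIT:  # +1 counts the order being triaged
        reasons.append("gift card velocity")
    return ("manual_review", reasons) if reasons else ("approve", reasons)

# Constructed sample orders (not real data).
NOW = datetime(2019, 12, 1, 12, 0)
SAMPLE_NEW = Order("b-100", NOW - timedelta(days=2), NOW, 500.0)
SAMPLE_OLD = Order("b-200", NOW - timedelta(days=700), NOW, 500.0)

if __name__ == "__main__":
    print(triage(SAMPLE_NEW, []))
    print(triage(SAMPLE_OLD, []))
```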

Even with the insight afforded by the manual review process, though, it’s still a tense calculation. After all, merchants don’t want their gift cards used as part of a fraud scheme…nor do they want to decline legitimate customers looking to spend hundreds of dollars on gift cards. The risks associated with not performing that due diligence, though, are even greater. One possible solution is to ask customers to conduct their own due diligence.

The IRS website lists several practices that the organization will never ask of consumers. It’s not a bad idea to ask customers to verify these statements as part of your own checkout process. There’s no guarantee it will stop fraud…however, it could help protect some customers, while adding no significant friction to the process.

The key is to think about this as a multifaceted problem. Merchants must view BEC and gift card fraud both in isolation and as a unified threat. This will make it easier in the long run to separate legitimate activity from chargebacks just waiting to happen.


Article by Chargebacks911 co-founder and COO Monica Eaton-Cardone
