
Gift cards have caused quite a headache for retailers in the last month, exposing another way that fraudulent activity can eat into razor-thin profit margins. Gift card fraud can range from physical theft to cloning to exploiting programming errors on the merchant side.

The methods of attack are very similar to what is seen with credit card fraud, but gift card fraud is less widely reported in the news. The reason is that, unlike data breaches that involve credit cards, personally identifiable information (PII) is rarely disclosed. Regardless, it is important for both merchants and customers to know how gift card fraud occurs, so they can recognize the behavior and protect themselves.

On June 1st, Australian retailer Woolworth’s experienced a data breach that led to AUS $1.3 million worth of gift card numbers being leaked online. Several weeks prior, Starbucks had two high-profile gift card incidents. One involved a security researcher who discovered a race condition that allowed him to transfer balances between cards without deducting any value; the other involved the auto-load feature on cards, which allowed fraudsters to quickly drain attached bank accounts. According to reporting by Brian Krebs, Starbucks itself was not hacked – the customers were.

The article goes on to explain that customers often use the same username/password combination across multiple sites and when a website is hacked, cyber criminals will often take the password dumps and try them on multiple sites. This is what most likely happened to the Starbucks customers; it’s very inconvenient and costly to the victim but avoidable, if good password habits are used.

There are many ways to commit fraud using gift cards and they are very alluring, for many reasons. First, and foremost, there’s a low chance of being prosecuted. The dollar amounts on each individual transaction are relatively small and not enough to garner the attention of large law enforcement agencies that have the ability to catch the perpetrators. Second, it’s very easy to commit fraud. Lastly, it’s easy to convert gift card value into money or merchandise.

How is gift card fraud commonly committed? There are three primary categories of fraud:

Hacking accounts

As described earlier with the Starbucks story, thieves can hack into gift card accounts and quickly drain them of money. If the auto-load feature is turned on, within seconds, a cybercriminal can quickly rack up charges and start the process of moving money off the compromised gift card account.

Another common route is using gift cards to quickly monetize the value in other hacked accounts, such as credit card rewards programs or hotel points.

This is how it works:

  • A cybercriminal will obtain the username and password to a person’s credit card rewards program, usually through reused credentials or malware.
  • They will log in and check the value of the account. For example, let’s say it’s $5,000.
  • Credit card redemption programs offer many different items they can redeem in exchange for points. Several problems exist for the fraudster. They can’t exactly redeem for golf clubs – where would they ship them? Cash back is either redeemed as statement credit or sent as a check to the cardholder – also no good. Gift cards, however, are a perfect way to quickly monetize the hack.
  • The redeemer instantly gets an e-gift card number that can be spent immediately, meaning the fraudster can exchange $5,000 worth of points for $5,000 worth of value on an e-gift card. The site will give the fraudster a gift card number on the spot, which can be printed out and used in-store or online.
  • The fraudster will then use a service that converts gift cards into cash. One can usually get 60% of the face value of typical gift cards on sites like this. There are also physical kiosks in malls that offer the same service.
  • The fraudster can now effectively convert points or rewards on a hacked account into real cash.

Stealing numbers and cloning cards

Another very common method of gift card fraud is stealing numbers off physical gift cards. Gift cards work essentially the same as credit cards with a mag stripe—the gift card number is printed on the card for manual key entry and is also encoded on a mag stripe on the back of the card.

The mag stripe number is plain text and can be read with a mag stripe reader purchased for $15 from eBay or an electronics store. Gift cards may or may not have an additional level of security, a PIN number covered with a coating, similar to a lottery ticket, that needs to be scratched off.

Image: Mag stripe reader from an eBay auction; June 20, 2015

Some merchants, such as Starbucks, do not require the customer to enter in a PIN number when using the card. The customer simply swipes the card and they’re good to go. Other merchants do use PIN numbers, which offers an additional layer of protection – the redeemer needs to have the physical card in possession in order to use it.

Gift cards are not usable until they are activated at the cash register. In many stores, gift cards are sitting out in an accessible place. People have been known to steal a stack of cards, bring them home, write down the numbers (or script it out using a mag stripe reader) and then sneak them back into the store and place them on the shelf.

Brazen criminals can write down or take pictures of the numbers right in the store. From there, it’s a waiting game. Most merchants offer a way to check gift card balances online – the fraudsters will repeatedly check balances on the merchant’s website and wait until the cards are activated by a legitimate purchase. When they are, the fraudsters drain the balances by transferring them to another card or converting them into cash through a third-party redeemer.

There are no reported incidents of POS skimmers used to grab gift card numbers, but this attack would work as well.

The addition of a PIN number can delay a fraudster, but not deter them entirely. They can scratch off the coating, revealing the PIN and replace it with a new sticker easily purchased from eBay.

Image: Scratch-off stickers for sale on eBay; June 20, 2015

This type of fraud is fairly low-level and does not result in a huge loss to the merchant, but is quite a shock to the customer when the recipient of a gift card tries to redeem it and finds that the balance is zero. Some retailers will reimburse the customer with the face value of the gift card, but this ends up being a reputational hit for the retailer, as well as a headache for the consumer.

Acquiring numbers in bulk

Slightly more difficult, but much more rewarding, is to acquire gift card numbers in bulk from the issuers, merchant, reward redemption program, etc. This can be done through a multitude of methods, including phishing, SQL injection, social engineering and accidental disclosure.

Accidental disclosure is exactly what happened at Woolworth’s, where an employee at the company had a spreadsheet with 8,000 gift card numbers, totaling AUS $1.3 million. The employee accidentally sent the email to more than 1,000 people. Anyone who received the email could immediately go shopping or start to convert the gift card numbers into cash.

Advice for retailers

In-store security is important. Store gift cards behind the counter or locked in a cabinet. It’s not advisable to leave them out in an area that is publicly accessible because of the high probability someone will perpetrate one of the scams described above.

It’s even more important to have good policies and procedures in place for the central handling of gift card numbers. First, require a PIN for the use of a gift card. Next, on a corporate policy level, never store the gift card PINs with the gift card numbers – keep the two separate. Last, limit online balance look-ups to several per hour, maximum.
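
One way to enforce the look-up limit and to spot a client polling cards that have not been activated yet, as an added example (not code from the article or from any retailer). The limit of 5 per hour, the sweep threshold of 3, and every class, function and field name are assumptions; the sample traffic is constructed.

```python
from collections import defaultdict, deque

WINDOW = 3600        # seconds; the article's "per hour"
MAX_LOOKUPS = 5      # assumed value for "several"
SWEEP_THRESHOLD = 3  # assumed: distinct unactivated cards probed by one client


class BalanceLookupGuard:
    """Sliding-window limiter keyed by client and by card number."""

    def __init__(self, window=WINDOW, limit=MAX_LOOKUPS, sweep=SWEEP_THRESHOLD):
        self.window, self.limit, self.sweep = window, limit, sweep
        self.by_client = defaultdict(deque)   # client id -> allowed lookup times
        self.by_card = defaultdict(deque)     # card number -> allowed lookup times
        self.unactivated = defaultdict(dict)  # client id -> {card: last probe time}

    def _has_room(self, bucket, now):
        # Expire entries older than the window, then compare against the limit.
        while bucket and now - bucket[0] >= self.window:
            bucket.popleft()
        return len(bucket) < self.limit

    def check(self, client, card, now, activated):
        """Decide one balance look-up. Returns (allowed, alerts)."""
        alerts = []
        if not activated:
            # A client touching many unsold cards is waiting for activation.
            probes = self.unactivated[client]
            probes[card] = now
            recent = [c for c, t in probes.items() if now - t < self.window]
            if len(recent) >= self.sweep:
                alerts.append("unactivated-card-sweep")
        client_ok = self._has_room(self.by_client[client], now)
        # The per-card bucket still applies when the requester rotates clients.
        card_ok = self._has_room(self.by_card[card], now)
        if not client_ok:
            alerts.append("client-rate-limit")
        if not card_ok:
            alerts.append("card-rate-limit")
        allowed = client_ok and card_ok
        if allowed:  # only served look-ups consume quota
            self.by_client[client].append(now)
            self.by_card[card].append(now)
        return allowed, alerts


def replay(events):
    """Run (client, card, seconds, activated) tuples through a fresh guard."""
    guard = BalanceLookupGuard()
    return [guard.check(*event) for event in events]


# Constructed sample traffic; addresses and card numbers are made up.
SAMPLE = (
    [("192.0.2.5", "6001", t, False) for t in (0, 600, 1200, 1800, 2400, 3000)]
    + [("192.0.2.9", "6001", 3100, False), ("192.0.2.5", "6001", 3600, False)]
    + [("192.0.2.7", c, 3700 + i, False)
       for i, c in enumerate(("7001", "7002", "7003"))]
)

if __name__ == "__main__":
    for event, result in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", result)
```
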

Advice for customers

The best advice for customers buying gift cards is to only buy gift cards from reputable merchants. Always look at the physical card and look for signs of tampering, such as a scratched off and/or replaced PIN number. Most importantly – keep your receipt. If you get the card home and find it drained of funds, you may be able to recoup your losses by going to the merchant that sold the card or the store where the gift card is redeemable.

Gift card fraud is pretty unsexy when compared with the latest nation-state threat actors exploiting multiple 0-day vulnerabilities, but it is a significant problem that drains money from retailers and consumers alike. By being aware of how this fraud is committed, we can spot the scams and protect ourselves.





About the Author: Tony Martin-Vegue is a 20-year Information Security veteran with expertise in network operations, cryptography and risk management. He’s worked for large global organizations, leading cyber-crime programs, enterprise risk management and security programs. He is a blogger and host of The Standard Deviant Security Podcast, a podcast that, with candor and cleverness, holds up a mirror to industry truths. Tony holds a Bachelor of Science in Business Economics from the University of San Francisco and has many certifications such as CISSP, CISM and CEH. He can be found on Twitter @tdmv.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Title image courtesy of ShutterStock

  • Katie C.

    Another common gift card fraud is for criminals to buy gift cards with stolen/fraudulent credit cards and then either resell them at a discount on a gift card site, or use them immediately. It generally takes a few days for the credit card fraud to be detected and by then, the card may have been passed on to a third party (who then has a useless gift card that has been cancelled by the retailer) or they've used up the gift card at a nice restaurant or expensive merchant.

    Buyers should beware – why is someone selling a gift card at 15% off or 20% off? Who would buy a gift card and then sell it at such a steep discount? Someone who is laundering money or who bought the card with a fraudulent credit card – that's who.

    • joepettit

      Interesting! Thanks for sharing.

    • Karen

      So if that happens and the Gift card is already spent does the Gift card company lose out or the company where the gift card was spent?

  • Toastie

    Or someone who bought it for 40% off from someone who didn't want it and sells it for 20% off to make a profit. Flipping to earn money. Buy low, sell high, not exactly a shady practice. 99% of gift card transactions are done by honest people with motives that are really none of your business. You assume criminal activity must be occurring, perhaps because you live comfortably and would never have to stoop so low as to engage in such seemingly petty activities.

  • betso

    Tony, Thank you for this! I'm a UX architect designing interactions for an online retailer. I'm getting some background on whom I need to protect my client against and how they get in. Can you clarify one thing? When you say "They will log in and check the value of the account" do you mean a human logs in and actually looks at each account (and I need to design for a human), or do you mean a hacker writes a script to automate logging into as many accounts as possible and checking the value (so only threat protection technology will help)?

  • Anonymous

    I'm a gift card "specialist" you people still don't know how we do it nice try. You'll never know our ways. We have methods about to be implanted. Thank you all for your concern and continued gift card purchases for it keeps putting food on the table and drugs in our pipes

  • Nikhil M

    I just found out that my Target Gift Card (that I had been saving up to use for 2 years) was used at a store. I’m guessing Target will soon come out with an announcement that their GiftCards were leaked. This is horrible. I called customer service and they kept transferring me over and over again without any help. I wonder if anyone will get back to me on this.

    • Ashwani Gupta

      I had my $300 target gift stolen too. I had it added to my account. Today there was $0 balance on it. I called the gift card department and reported it stolen. I was told that it was used in a physical store about 350 miles from where I live. The problem with target giftcards is that the gift card codes and bar codes can be accessed via mobile app. I am suspecting someone hacked into my account using a mobile app and got access to gift cards there. Just wondering if you have received a replacement card from target?

      • syed

        Were you able to get your money back, or what happened?

      • syed

        Please email me. I got scammed today and I need my money back. What do I do? Email me.

        • billyshane

          [edited: read this wrong]

  • nchau

    Back in Nov 2015, I bought a $100 gift card for a friend's baby shower at Target in Irvine. There was nothing wrong with the card. Everything was still intact, no tampering whatsoever. My friend then went to the Target store and tried to pay with the Target gc I bought for her, and the clerk told her it has zero balance. I’ve spent almost 2 hours talking to different customer support from Target gc, and they told me that someone has converted the gift card into a mobile gc. Therefore they cannot replace the gc for me since it has zero balance. Obviously there is some type of fraud going on here. If a person were to steal the gc, they will definitely spend it all, so how can there be any balance left? I even gave my friend's mobile number to the representative. After verifying the system, the Target rep told me the number that the gc was converted to was not the same number as this one. I already know it’s not going to be, since my friend has no idea how to convert the gc into a mobile gc. What frustrated me the most was there was some type of fraud and Target is not willing to take any responsibility for it. How can I trust buying any gc from the store when there is absolutely zero balance? You would think a store as big as Target would help consumers like us. Instead they just told me to file a police report about the gc and that was it. Luckily I was able to call my Chase credit card. I explained the situation to them and they are willing to credit back $100 to my account. From now on, I would be hesitant to buy any gc from Target even if it’s at the store.

  • Ralphie

    That’s why use a credit card when buying a gift card. I can dispute the charge if the merchant does not honor the gift card.

  • James Johnson

    This makes me think of myself. No one should ever accept and deceit in the name of love. About 5 years ago my wife started acting strange and I became suspicious, a friend of mine referred me to this guy. He helped me hack my wife and I got to find out that she had another family in Africa apparently. I was deceived for that long I would not like to see anyone go through such.

  • Betty White

    Hey I recommend this video that covers off on some additional areas needing protecting as well as some insightful information about past scams and internet malware. See :

    Giftcard Scams, Trojans, Botnets, Credit card fraud – How to Protect Yourself
    As an old timer I can’t tell you how helpful I found this information to be, it even stopped me from being a victim of a credit card scam my own grandson tried to pull on me.

  • William Monroe

    How do I get my money back if someone cashed my cards

  • Allah Akbar

    The Employee of AppleBees most probably switched out the cards, in my opinion.

  • Johnna Smith

    I was given a card as a going away gift at a job I worked for 18 years last week. I found it was a generous amount of $210.00 (the amount was written on the front of the package because it can be loaded for $20-500). Tonight, about 6 days later, I removed it from the packaging, and I didn’t notice any signs of tampering. The sticker on the front of the card did say it was active & ready for use. I found that statement odd because I’ve always had to activate the ones I’ve been given in the past. So I went to the website; I wasn’t able to log in because it said the card number & security number do not match. I called the 866 number, tried entering the same info, no luck. I get a person on the phone & she tells me she doesn’t find any info on the card number. She can’t tell me if it was ever loaded or reported stolen or ever had a balance. She kept telling me to read the terms and conditions. I read every page plus the FAQ on the site, and nowhere does it address this situation or how to go about fixing it. I feel terrible thinking about my coworkers all chipping in to get me this card–and frankly I need all the help I can get until I have income coming in again–but I’m not sure what happened to their $210 or why they cannot give me any info whatsoever regarding their card number they manufactured & sold. The website is & it has the VISA logo. I recognize the packaging, and I am fairly sure I’ve received or given this brand’s card in the past. I don’t know what to do. I feel embarrassed contacting my past employer asking about it. How awkward that would be. Any advice?

  • Ravikiran

    I don’t take the old gift cards amount

  • Kim Hadden

    My brother gave me a Target gift card for my birthday. He didn’t write an amount on the back so I called the number on the back of the card, got the balance ($50.00) and put the card in my wallet.
    Two days later, I did a little shopping online, got my gift card out, proceeded to complete my purchase and discovered my gift card balance was now $0.00.
    I called Target and was asked if I photographed my card with the access number visible and posted it online. Um…No, I wanted to use the card, why would I do that? Why would anyone do that? I was asked if I tried to sell the card. Again….I wanted to USE the card….
    I was told I may or may not get a new card. The card number was used in Brookhurst, CA. I live in Dade City, FL (was visiting family in Orlando, FL when I received the card).
    Don’t understand how someone got my card access number when I’m the one that pulled the strip off the back so I could enter the number into the target system to find out the amount.
    Also don’t understand why it’s my fault. And why I’m out $50.00 because there are assholes out there that would rather steal from people than get a job.

    • omshhaol

      I feel your pain… As I had a £200 (~=$278) Amazon Gift card that I had given to my nephew for his birthday, only to have it get redeemed by a fraudster before my nephew was able to redeem it into his Amazon account. Amazon says they are sorry but nothing they can do even though by virtue of it being another Amazon account that it was redeemed into, they know who redeemed it, they have his/her email, shipping/billing addresses… etc!

      And I don’t think that anyone suggested it was your fault. Think about it though, who would you suggest should be out the $50??

      There are 3 parties to this transaction (actually, four if you count the thief. But since he/she isn’t likely to get caught and be held responsible that leaves you with three). Your brother, the retailer, and you.
      1) Your brother paid for a $50 card and was given a gift card for equal value. So he cannot complain.
      2) The store received $50 and gave back in a gift card for the same value. So why should they be out? They met their end of the deal
      3) You, on the other hand, had access to the $50 that you owned at the time you called the number on the back of the card and were told the balance was $50.

      It's like having $50 in cash in your wallet and if it somehow falls out, no one is going to volunteer to give you a $50 bill to replace it! Alternatively, if you can somehow prove that the store was careless in the way they managed their blank cards, or that they knew or should have known that the PIN code for the card you received was compromised but they still sold it for value, you may have a case against them!

    • Think_Click_Write

      They are directly accessing the database of activated cards. No need for a physical card, receipt, or even intercepting your own online activity.

  • Paul (not fool)

    I recently applied for a personal loan. Quickly I started getting calls from these guys telling me I had been approved for amounts I didn’t even apply for. In the end I was told to get an I-Tunes balance verification voucher for 1 or 2 hundred dollars; once I gave them the numbers, the loan amount plus the 200.00 would be in my account. Yeah, right.

  • Wide Awakening

    Yep bought a Visa gift card two days ago and I hadn’t even gotten it registered yet and the entire $500 balance was wiped out at 2:30am this morning at Sam’s Club – someone bought a TV!!! Now I have to wait for the fraud investigation to conclude which can take up to 90 days. So unfair that my money is tied up and there’s nothing I can do but wait.

  • Reggi Thomas

    I bought a Target gift card and it was wiped out the next day. Target says they investigated but has declined to replace the money six days later. I think this is unfair since Target has access codes on the card and cameras in the store. They tell me there is no recourse or further investigation.
