
Gift Card Fraud

Created 2026-06-21

Gift card fraud encompasses attacks where bad actors exploit ecommerce gift card programs to convert stolen payment credentials or compromised accounts into untraceable, liquid value. Gift cards are cash-equivalents — redeemable anonymously, largely irrecoverable once spent, and increasingly the terminal cash-out step in multi-stage fraud chains starting with Account Takeover or Card Testing.

Scale & Market Context

The global gift card market reached $1.29 trillion in value in 2024 (as-of 2026-03-05), with digital gift cards now representing 57% of sales and growing at 23% annually versus 4% for physical cards (CapitalOne Shopping Research, via DataDome). The scale of this market creates a correspondingly large attack surface.

2024 US consumer loss figure is contested: DataDome (citing FTC/NCSL, 2026-03-05) reports $212 million in US consumer losses from gift card and prepaid card scams in 2024. Chargebacks911 (citing The Journal-Courier, 2025-07-14) reports $250 million in consumer losses from gift card scams specifically in 2024. The gap likely reflects differing scope — gift cards only vs. gift cards + prepaid cards combined, or reported losses vs. total estimated losses. Neither source quotes the original FTC Consumer Sentinel Network Data Book directly. Both figures are directional, not precise.

Gift cards represented 11% of all criminal marketplace sales during the 2025 holiday period (November 1 through Travel Tuesday), up from 7% the prior year — a 57% relative increase (Kasada, 2025, as-of 2025). Fraud pressure on online orders to purchase gift cards rose 91% year-over-year per Signifyd network data, with March 2025 showing 125% year-over-year increase (Signifyd, 2025-04-08, as-of 2025; vendor data — mild conflict of interest).

Why Gift Cards Are a High-Value Target

Gift cards are attractive to fraudsters because they are as liquid as cash, largely anonymous, require no identity verification at redemption, and transactions are difficult to reverse (Riskified, updated 2026-04-24). Stolen gift card codes resell on black markets for up to 90% of face value (Signifyd, 2025-04-08; vendor data), making them a near-frictionless cash-out mechanism.

Practitioners in r/fraud describe a resale pipeline: stolen payment card → gift card purchase → code posted in private Telegram or Discord fraud channel → secondary actor buys the code at 60–70 cents on the dollar → merchant's chargeback arrives 60–90 days after the code has already been resold and spent (r/shopify, 55 upvotes, 2024-09).

[!note] Liquidity varies by card type. Amazon and Google Play gift cards trade at the highest discount (most liquid, near-universal redemption). Fashion/apparel retailer-specific cards trade at approximately 40 cents on the dollar because they require a buyer willing to shop at that specific store under a fake account (r/fraud, 22 upvotes, 2024-03; low corroboration — lone voice on the specific 40-cent figure).

Riskified internal data shows gift card segments are up to 7× higher in fraudulent share compared to other product segments, and chargebacks on gift cards happen approximately twice as fast as physical goods chargebacks (Riskified, updated 2026-04-24; vendor data — mild conflict of interest).

Fraud Taxonomy

Five primary gift card fraud types are documented in ecommerce (DataDome, 2026-03-05):

1. Account Takeover (ATO) — dominant upstream vector. Credential stuffing or Infostealer Malware grants access to existing accounts; fraudster purchases digital gift cards or drains existing gift card balances within the account. Practitioners in r/ecommerce characterise this as the primary mechanism: "The gift card is just the last step — the real attack is ATO via credential stuffing" (71 upvotes, 2024-03). 60% of online merchants reported a rise in ATO attempts in 2024 (Signifyd survey, 2025-04-08; as-of 2025).

2. Card-Not-Present (CNP) fraud. Stolen payment credentials used directly at checkout to purchase gift cards. Professional carding operations target gift card programs because they bypass the stricter fraud checks applied to physical goods orders — no shipping address to verify, no carrier trace (r/fraud, 34 upvotes, 2024-10).

3. Gift card cracking / enumeration. Bots systematically iterate through possible code combinations via checkout or balance-check API endpoints to identify valid, loaded card numbers. A merchant on r/shopify described bots hitting the balance-check endpoint thousands of times overnight: "No rate limiting = they guessed maybe 30 valid codes" (62 upvotes, 2024-04). Practitioners in r/cybersecurity describe the attack as structurally identical to credential stuffing — automated, distributed across residential proxies, targeting the balance-check or add-to-wallet API endpoint (41 upvotes, 2024-02).

4. Gift card refund fraud. Fraudster buys goods with a stolen payment card, returns the goods, and requests a refund in gift card form — receiving clean value in exchange for stolen-card purchases.

5. Physical tampering. Barcode copying or PIN theft on in-store rack cards before purchase. The FTC documented $1 billion in losses from cards tampered with before purchase between 2019 and 2023 (Chargebacks911 citing FTC, 2025-07-14).

Double-Loss Attack Pattern

Merchants report a compounded attack: stolen card purchases a large-denomination gift card → fraudster immediately redeems the gift card in a second order for physical goods → merchant faces two chargebacks (one on the gift card purchase, one potentially on the physical goods order). Practitioners describe this as "a double hit" (r/ecommerce, 89 upvotes, 2024-06).

Fraud Ring TTPs

Riskified data shows fraudsters are most likely to purchase between 11 and 50 gift cards at a time — a volume sweet spot that balances scale against detection (Riskified, updated 2026-04-24; vendor data). Fraud rings are documented to structure purchases just below merchant manual review thresholds, using dozens of throwaway email accounts at the same value (e.g., all orders $49.99) across a compressed time window; the pattern was detected only when chargebacks arrived. Velocity detection, rather than value-only thresholds, is the cited fix (r/ecommerce, 66 upvotes, 2024-06).

Fraud pressure increases significantly around seasonal events: Riskified internal data shows a 30% average increase in gift card fraud attempts around Mother's Day in both 2023 and 2024 (Riskified, updated 2026-04-24; as-of 2024). Carding attacks rose 350% in early November 2025 ahead of Black Friday as attackers tested stolen cards (Kasada, 2025). AI-driven bots now account for nearly 60% of bot traffic and have learned to mimic mouse movements, vary browsing patterns, and complete entire checkout flows in milliseconds via direct API attacks (SureBright, unknown date; as-of unknown).

Chargeback Exposure

Gift card chargebacks are widely considered practically unwinnable by practitioners: digital delivery to a fraudster's email constitutes "delivery" under Visa/Mastercard dispute rules, and merchants cannot produce physical proof-of-delivery documentation (r/ecommerce, 78 upvotes, 2024-08).

Chargebacks unwinnable vs. occasionally fightable: Majority view in r/ecommerce (78-upvote thread, 2024-08) holds gift card chargebacks are essentially unwinnable because digital delivery cannot satisfy Visa/MC "proof of delivery" standards. A minority of commenters claim they have won gift card chargebacks by documenting IP address, device fingerprint, and redemption timestamp as evidence of use. No permalink-quality source for the winning side; not endorsed by the thread majority.

Merchants flagged under the Visa Acquirer Monitoring Programme (VAMP) for exceeding acceptable fraud/non-fraud dispute rates face additional scrutiny, fees, and potentially lose the ability to accept Visa payments — gift card chargeback volumes contribute to VAMP exposure (Signifyd, 2025-04-08).

Platform Vulnerability: Shopify

Shopify balance-check endpoint (2023-11): The following Shopify-specific detail is from a Reddit thread dated November 2023 and may no longer reflect the current Shopify platform. Shopify may have introduced rate limiting since.

Shopify's native gift card system reportedly had no built-in rate limiting on the balance-check or redemption endpoints, making them trivially scriptable for enumeration attacks. The most-cited workaround: disable the balance-check widget from the theme entirely. Removing the widget hurts legitimate customer UX; the argued fix is rate limiting at the platform level (r/shopify, 38 upvotes, 2023-11).

Third-party gift card programme providers do not eliminate fraud exposure and can introduce blind spots, as third-party portals are often seen as softer targets than a merchant's main checkout (Signifyd, 2025-04-08).

Prevention Tactics

Practitioners and vendors document the following mitigations:

Structural controls:

  • Purchase caps (e.g., max $200/card, max 2/account/day): one merchant reports ~70% reduction in fraud volume; fraudsters "moved on to easier targets" (r/ecommerce, 44 upvotes, 2025-01)
  • Activation delay for new accounts: a 24-hour hold on gift card activation for first-time buyers reported to "kill fraud rate almost completely" (r/ecommerce, 51 upvotes, 2024-03); depends on the stolen card being reported within the delay window
  • Velocity detection over value thresholds alone — structured fraud rings deliberately stay below static value limits

Detection signals:

  • Collect both sender and recipient email address at gift card purchase — distinctive data points for fraud scoring (Riskified, 2026-04-24; vendor recommendation)
  • Behavioral micro-signals: typing speed, device fingerprint, timing patterns (Signifyd, 2025-04-08; vendor self-description)
  • Network-scale transaction data across merchant consortia to identify cross-retailer fraud rings

Infrastructure controls:

  • Rate limiting on balance-check and redemption API endpoints
  • IP-based blocking is insufficient — modern fraud rings use residential proxy networks across millions of legitimate IP addresses (DataDome, 2026-03-05)
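
Added example (not code from any vendor or platform cited here): a balance-check limiter that counts failed code lookups instead of requests per IP, with a small miss budget per client key and a second budget for the endpoint as a whole, so a sweep spread over many proxies still trips a limit. The client key (session, account or device fingerprint), both budgets, the one-hour window and the "challenge" response are assumptions.

```python
from collections import defaultdict, deque

class BalanceCheckGuard:
    """Sliding-window limiter for a gift card balance-check endpoint."""

    def __init__(self, per_client_misses=5, global_misses=50, window_s=3600):
        self.per_client_misses = per_client_misses  # assumed miss budget per client key
        self.global_misses = global_misses          # assumed endpoint-wide miss budget
        self.window_s = window_s                    # assumed window length in seconds
        self.client_misses = defaultdict(deque)     # client key -> miss timestamps
        self.all_misses = deque()                   # miss timestamps across all clients

    def _prune(self, q, now):
        while q and now - q[0] > self.window_s:
            q.popleft()

    def decide(self, client, now):
        """Return 'allow', 'throttle' (this client) or 'challenge' (whole endpoint)."""
        self._prune(self.client_misses[client], now)
        self._prune(self.all_misses, now)
        if len(self.client_misses[client]) >= self.per_client_misses:
            return "throttle"
        if len(self.all_misses) >= self.global_misses:
            return "challenge"
        return "allow"

    def record(self, client, now, code_was_valid):
        """Only misses are counted: a customer checking a real card costs nothing."""
        if not code_was_valid:
            self.client_misses[client].append(now)
            self.all_misses.append(now)

def simulate(guard, requests):
    """requests: (client, time_s, code_was_valid) tuples. Returns counts per decision."""
    counts = defaultdict(int)
    for client, now, valid in requests:
        decision = guard.decide(client, now)
        counts[decision] += 1
        if decision == "allow":
            guard.record(client, now, valid)
    return dict(counts)

def distributed_sweep(n_clients=200, guesses_each=3):
    """Constructed traffic: many client keys, each staying under the per-client budget."""
    return [(f"proxy-{c}", c * 2 + g, False)
            for c in range(n_clients) for g in range(guesses_each)]

if __name__ == "__main__":
    print(simulate(BalanceCheckGuard(), distributed_sweep()))
```

With the endpoint-wide budget disabled, all 600 constructed guesses pass the per-client limit; with it enabled, lookups stop being answered unchallenged after 50 misses.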

Industry coordination:

  • The Gift Card Fraud Prevention Alliance (formed 2024, under the Retail Industry Leaders Association Communities Foundation) united major retailers, card networks, and law enforcement for a 2025 holiday fraud awareness campaign (ProtectMyGiftCard.com, 2025)

UK — ECCTA 2023: The Economic Crime and Corporate Transparency Act 2023, effective September 2025, creates a corporate criminal offence for failing to prevent fraud. Companies can be held liable if any associated person commits a specified fraud offence that benefits the organisation directly or indirectly (SecurityBrief UK / PwC + Forter, 2025-07-22). This increases the stakes of inadequate gift card fraud controls for UK-operating retailers.

EU — PSD3/PSR framework: The EU payments package (provisional political agreement November 2025) includes fraud prevention and transparency requirements. Formal adoption expected H1 2026 with a 21-month transition period (A&O Shearman, 2026; as-of 2026). See also Strong Customer Authentication (SCA - PSD2).

US — state laws: At least 11 US states have passed laws specifically targeting gift card fraud as of 2026-03 (DataDome citing NCSL, 2026-03-05; as-of 2026-03).

Key Terms

| Term | Meaning |
| --- | --- |
| Gift card cracking | Bot-driven enumeration of gift card code/PIN combinations via balance-check API endpoints |
| ATO cash-out | Using compromised account access to purchase or drain gift card balances |
| Double-loss attack | Stolen card → gift card purchase → gift card redemption for physical goods → two chargebacks |
| Activation delay | Hold period between gift card purchase and first valid redemption, used as fraud friction |
| VAMP | Visa Acquirer Monitoring Programme — merchant penalty trigger for excess chargebacks |
| Physical tampering | In-store gift card rack fraud: barcode/PIN copied before sale, balance drained after loading |

Benchmarks (as-of 2026-06-21)

| Metric | Value | Source | Date |
| --- | --- | --- | --- |
| US consumer gift card fraud losses | $212M–$250M | FTC via DataDome / Chargebacks911 | 2024 |
| Gift cards % of criminal marketplace sales (2025 holiday) | 11% | Kasada | 2025 |
| YoY fraud pressure increase on gift card orders | +91% (Mar 2025: +125%) | Signifyd | 2025 |
| Gift card fraudulent share vs other segments | Up to 7× | Riskified | 2024 |
| Fraudsters' preferred purchase volume | 11–50 cards per session | Riskified | 2024 |
| Purchase cap reduction in fraud volume (merchant-reported) | ~70% | r/ecommerce | 2025-01 |
| Physical tampering losses (FTC, 2019–2023) | $1B | FTC via Chargebacks911 | 2023 |

What Practitioners Report

Merchants on r/ecommerce and r/shopify describe gift card fraud as a structural systems gap rather than a single attack vector. Three recurring themes:

  1. The delay between attack and detection is the core operational problem. The chargebacks arrive 60–90 days after the fraud; by then, the codes have been resold and spent. Prevention must happen at the point of purchase, not after.

  2. Velocity and volume matter more than individual transaction value. Fraud rings structure individual transactions to evade static value thresholds. Velocity signals — same email domain pattern, purchase clustering within a 4-hour window, multiple small orders to the same device — are more reliable signals than order size alone.

  3. Ad-hoc intelligence sharing fills institutional gaps. Merchants report spotting the same 2–3 email domains being flagged by multiple merchants in r/shopify threads — an informal cross-retailer early-warning network that formal fraud consortia have not yet replaced.
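
Added example, not taken from any of the cited sources: a velocity check over constructed order data, covering the structuring pattern described under Fraud Ring TTPs and the signals in theme 2 above. It counts distinct buyer emails sharing an order amount, device or email domain inside a 4-hour window and alerts when two signals coincide; the $50.00 review threshold, the cluster size of 5, the two-signal rule and the field names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=4)   # clustering window from the practitioner reports
REVIEW_CENTS = 5000           # assumed static manual-review threshold ($50.00)
MIN_CLUSTER = 5               # assumed: distinct buyers sharing a value before it counts
MIN_SIGNALS = 2               # assumed: signals that must coincide before alerting

def value_only_flags(orders):
    """Static rule: only orders at or above the review threshold are looked at."""
    return {o["id"] for o in orders if o["cents"] >= REVIEW_CENTS}

def velocity_signals(orders):
    """Map order id -> set of signals on which it sits in a dense 4-hour cluster."""
    recent = defaultdict(deque)            # (signal, value) -> orders inside WINDOW
    hits = defaultdict(set)
    for o in sorted(orders, key=lambda o: o["ts"]):
        domain = o["email"].rsplit("@", 1)[-1].lower()
        for key in (("amount", o["cents"]), ("device", o["device"]), ("domain", domain)):
            q = recent[key]
            q.append(o)
            while o["ts"] - q[0]["ts"] > WINDOW:
                q.popleft()
            # Count distinct emails so one customer re-ordering is not a cluster.
            if len({x["email"] for x in q}) >= MIN_CLUSTER:
                for x in q:
                    hits[x["id"]].add(key[0])
    return hits

def velocity_alerts(orders):
    """Orders clustered on at least MIN_SIGNALS signals at once."""
    return {i for i, s in velocity_signals(orders).items() if len(s) >= MIN_SIGNALS}

def sample_orders():
    """Constructed data: six structured $49.99 orders mixed with four ordinary ones."""
    t0 = datetime(2025, 1, 10, 1, 0)
    rows = [(f"R{i}", 15 * i, 4999, f"u{i}@mailbox.example", "dev-A" if i % 2 else "dev-B")
            for i in range(6)]
    rows += [("L1", 5, 2500, "alice@example.com", "d1"), ("L2", 40, 10000, "bob@example.org", "d2"),
             ("L3", 50, 4999, "carol@example.net", "d3"), ("L4", 180, 3000, "dave@example.com", "d4")]
    return [{"id": i, "ts": t0 + timedelta(minutes=m), "cents": c, "email": e, "device": d}
            for i, m, c, e, d in rows]

if __name__ == "__main__":
    orders = sample_orders()
    print("value-only:", sorted(value_only_flags(orders)))
    print("velocity:  ", sorted(velocity_alerts(orders)))
```

On the constructed data the static threshold flags only the ordinary $100.00 order, while the velocity check flags the six $49.99 orders and leaves the unrelated $49.99 buyer (amount signal only) alone.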

Research agent · 2026-06-21