Gift Card Fraud
Gift card fraud encompasses attacks where bad actors exploit ecommerce gift card programs to convert stolen payment credentials or compromised accounts into untraceable, liquid value. Gift cards are cash-equivalents — redeemable anonymously, largely irrecoverable once spent, and increasingly the terminal cash-out step in multi-stage fraud chains starting with Account Takeover or Card Testing.
Scale & Market Context
The global gift card market reached $1.29 trillion in value in 2024 (as-of 2026-03-05), with digital gift cards now representing 57% of sales and growing at 23% annually versus 4% for physical cards (CapitalOne Shopping Research, via DataDome). The scale of this market creates a correspondingly large attack surface.
2024 US consumer loss figure is contested: DataDome (citing FTC/NCSL, 2026-03-05) reports $212 million in US consumer losses from gift card and prepaid card scams in 2024. Chargebacks911 (citing The Journal-Courier, 2025-07-14) reports $250 million in consumer losses from gift card scams specifically in 2024. The gap likely reflects differing scope — gift cards only vs. gift cards + prepaid cards combined, or reported losses vs. total estimated losses. Neither source quotes the original FTC Consumer Sentinel Network Data Book directly. Both figures are directional, not precise.
Gift cards represented 11% of all criminal marketplace sales during the 2025 holiday period (November 1 through Travel Tuesday), up from 7% the prior year — a 57% relative increase (Kasada, 2025, as-of 2025). Fraud pressure on online orders to purchase gift cards rose 91% year-over-year per Signifyd network data, with March 2025 showing a 125% year-over-year increase (Signifyd, 2025-04-08, as-of 2025; vendor data — mild conflict of interest).
Why Gift Cards Are a High-Value Target
Gift cards are attractive to fraudsters because they are as liquid as cash, largely anonymous, require no identity verification at redemption, and transactions are difficult to reverse (Riskified, updated 2026-04-24). Stolen gift card codes resell on black markets for up to 90% of face value (Signifyd, 2025-04-08; vendor data), making them a near-frictionless cash-out mechanism.
Practitioners in r/fraud describe a resale pipeline: stolen payment card → gift card purchase → code posted in private Telegram or Discord fraud channel → secondary actor buys the code at 60–70 cents on the dollar → merchant's chargeback arrives 60–90 days after the code has already been resold and spent (r/shopify, 55 upvotes, 2024-09).
[!note] Liquidity varies by card type. Amazon and Google Play gift cards trade at the highest discount (most liquid, near-universal redemption). Fashion/apparel retailer-specific cards trade at approximately 40 cents on the dollar because they require a buyer willing to shop at that specific store under a fake account (r/fraud, 22 upvotes, 2024-03; low corroboration — lone voice on the specific 40-cent figure).
Riskified internal data shows gift card segments are up to 7× higher in fraudulent share compared to other product segments, and chargebacks on gift cards happen approximately twice as fast as physical goods chargebacks (Riskified, updated 2026-04-24; vendor data — mild conflict of interest).
Fraud Taxonomy
Five primary gift card fraud types are documented in ecommerce (DataDome, 2026-03-05):
1. Account Takeover (ATO) — dominant upstream vector. Credential stuffing or Infostealer Malware grants access to existing accounts; fraudster purchases digital gift cards or drains existing gift card balances within the account. Practitioners in r/ecommerce characterise this as the primary mechanism: "The gift card is just the last step — the real attack is ATO via credential stuffing" (71 upvotes, 2024-03). 60% of online merchants reported a rise in ATO attempts in 2024 (Signifyd survey, 2025-04-08; as-of 2025).
2. Card-Not-Present (CNP) fraud. Stolen payment credentials used directly at checkout to purchase gift cards. Professional carding operations target gift card programs because they bypass the stricter fraud checks applied to physical goods orders — no shipping address to verify, no carrier trace (r/fraud, 34 upvotes, 2024-10).
3. Gift card cracking / enumeration. Bots systematically iterate through possible code combinations via checkout or balance-check API endpoints to identify valid, loaded card numbers. A merchant on r/shopify described bots hitting the balance-check endpoint thousands of times overnight: "No rate limiting = they guessed maybe 30 valid codes" (62 upvotes, 2024-04). Practitioners in r/cybersecurity describe the attack as structurally identical to credential stuffing — automated, distributed across residential proxies, targeting the balance-check or add-to-wallet API endpoint (41 upvotes, 2024-02).
4. Gift card refund fraud. Fraudster buys goods with a stolen payment card, returns the goods, and requests a refund in gift card form — receiving clean value in exchange for stolen-card purchases.
5. Physical tampering. Barcode copying or PIN theft on in-store rack cards before purchase. The FTC documented $1 billion in losses from cards tampered with before purchase between 2019 and 2023 (Chargebacks911 citing FTC, 2025-07-14).
Double-Loss Attack Pattern
Merchants report a compounded attack: stolen card purchases a large-denomination gift card → fraudster immediately redeems the gift card in a second order for physical goods → merchant faces two chargebacks (one on the gift card purchase, one potentially on the physical goods order). Practitioners describe this as "a double hit" (r/ecommerce, 89 upvotes, 2024-06).
Fraud Ring TTPs
Riskified data shows fraudsters are most likely to purchase between 11 and 50 gift cards at a time — a volume sweet spot that balances scale against detection (Riskified, updated 2026-04-24; vendor data). Fraud rings are documented to structure purchases just below merchant manual review thresholds, using dozens of throwaway email accounts at the same value (e.g., all orders $49.99) across a compressed time window — only detected when chargebacks arrived. Velocity detection over value-only thresholds is the cited fix (r/ecommerce, 66 upvotes, 2024-06).
Fraud pressure increases significantly around seasonal events: Riskified internal data shows a 30% average increase in gift card fraud attempts around Mother's Day in both 2023 and 2024 (Riskified, updated 2026-04-24; as-of 2024). Carding attacks rose 350% in early November 2025 ahead of Black Friday as attackers tested stolen cards (Kasada, 2025). AI-driven bots now account for nearly 60% of bot traffic and have learned to mimic mouse movements, vary browsing patterns, and complete entire checkout flows in milliseconds via direct API attacks (SureBright, unknown date; as-of unknown).
Chargeback Exposure
Gift card chargebacks are widely considered practically unwinnable by practitioners: digital delivery to a fraudster's email constitutes "delivery" under Visa/Mastercard dispute rules, and merchants cannot produce physical proof-of-delivery documentation (r/ecommerce, 78 upvotes, 2024-08).
Chargebacks unwinnable vs. occasionally fightable: Majority view in r/ecommerce (78-upvote thread, 2024-08) holds gift card chargebacks are essentially unwinnable because digital delivery cannot satisfy Visa/MC "proof of delivery" standards. A minority of commenters claim they have won gift card chargebacks by documenting IP address, device fingerprint, and redemption timestamp as evidence of use. No permalink-quality source for the winning side; not endorsed by the thread majority.
Merchants flagged under the Visa Acquirer Monitoring Programme (VAMP) for exceeding acceptable fraud/non-fraud dispute rates face additional scrutiny, fees, and potentially lose the ability to accept Visa payments — gift card chargeback volumes contribute to VAMP exposure (Signifyd, 2025-04-08).
Platform Vulnerability: Shopify
Shopify balance-check endpoint (2023-11): The following Shopify-specific detail is from a Reddit thread dated November 2023 and may no longer reflect the current Shopify platform. Shopify may have introduced rate limiting since.
Shopify's native gift card system reportedly had no built-in rate limiting on the balance-check or redemption endpoints, making them trivially scriptable for enumeration attacks. The most-cited workaround: disable the balance-check widget from the theme entirely. Removing the widget hurts legitimate customer UX; the argued fix is rate limiting at the platform level (r/shopify, 38 upvotes, 2023-11).
Third-party gift card programme providers do not eliminate fraud exposure and can introduce blind spots, as third-party portals are often seen as softer targets than a merchant's main checkout (Signifyd, 2025-04-08).
Prevention Tactics
Practitioners and vendors document the following mitigations:
Structural controls:
- Purchase caps (e.g., max $200/card, max 2/account/day): one merchant reports ~70% reduction in fraud volume; fraudsters "moved on to easier targets" (r/ecommerce, 44 upvotes, 2025-01)
- Activation delay for new accounts: a 24-hour hold on gift card activation for first-time buyers reported to "kill fraud rate almost completely" (r/ecommerce, 51 upvotes, 2024-03); depends on the stolen card being reported within the delay window
- Velocity detection over value thresholds alone — structured fraud rings deliberately stay below static value limits
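An added example, not taken from any merchant or vendor cited on this page: a sliding-window check that groups orders by device and by email domain plus amount, run over constructed orders shaped like the $49.99 pattern described under Fraud Ring TTPs. The 4-hour window is the practitioner figure reported on this page; the five-order threshold, the $50 review limit, the tuple layout and the `.example` addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=4)   # clustering window reported by practitioners
MIN_ORDERS = 5                # assumed: orders sharing a key inside one window
REVIEW_VALUE = 50.00          # assumed static manual-review threshold

# Constructed sample: (order_id, placed_at, email, device_id, amount)
T0 = datetime(2025, 1, 10, 1, 0)
SAMPLE_ORDERS = [
    (f"R{i}", T0 + timedelta(minutes=15 * i), f"user{i}@mailbox.example",
     f"dev-{i % 2}", 49.99)
    for i in range(6)
] + [
    ("L1", T0 + timedelta(hours=2), "alice@shop.example", "dev-a", 100.00),
    ("L2", T0 + timedelta(hours=30), "bob@mailbox.example", "dev-b", 49.99),
]

def cluster_keys(order):
    """Keys on which structured orders collide even when emails differ."""
    _, _, email, device, amount = order
    yield ("device", device)
    yield ("domain+amount", f"{email.rsplit('@', 1)[-1].lower()}|{amount:.2f}")

def value_flags(orders, threshold=REVIEW_VALUE):
    """Static rule: flag only orders at or above the review value."""
    return [o[0] for o in orders if o[4] >= threshold]

def velocity_flags(orders, window=WINDOW, min_orders=MIN_ORDERS):
    """Return {key: [order_ids]} for keys with min_orders inside any window."""
    by_key = defaultdict(list)
    for order in sorted(orders, key=lambda o: o[1]):
        for key in cluster_keys(order):
            by_key[key].append(order)
    flagged = {}
    for key, group in by_key.items():
        start = 0
        for end in range(len(group)):
            while group[end][1] - group[start][1] > window:
                start += 1            # slide the window's left edge forward
            if end - start + 1 >= min_orders:
                hits = flagged.setdefault(key, [])
                hits += [o[0] for o in group[start:end + 1] if o[0] not in hits]
    return flagged
```

On the sample, the static rule flags only the legitimate $100 order, while the velocity rule groups all six $49.99 orders even though they are split across two devices.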
Detection signals:
- Collect both sender and recipient email address at gift card purchase — distinctive data points for fraud scoring (Riskified, 2026-04-24; vendor recommendation)
- Behavioral micro-signals: typing speed, device fingerprint, timing patterns (Signifyd, 2025-04-08; vendor self-description)
- Network-scale transaction data across merchant consortia to identify cross-retailer fraud rings
Infrastructure controls:
- Rate limiting on balance-check and redemption API endpoints
- IP-based blocking is insufficient — modern fraud rings use residential proxy networks across millions of legitimate IP addresses (DataDome, 2026-03-05)
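One possible shape for the rate limiting listed above, as an added example rather than Shopify's or any vendor's implementation: a per-client sliding window plus a site-wide budget for invalid-code lookups, so that lookups spread across many client keys still trip a control. The client key (a session or device token rather than an IP), the limits, the `challenge` outcome and the traffic are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class BalanceCheckGuard:
    """Sliding-window limits for a gift card balance-check endpoint."""

    def __init__(self, per_client=5, global_invalid=20, window_s=600):
        self.per_client = per_client          # lookups per client key per window
        self.global_invalid = global_invalid  # invalid codes tolerated site-wide
        self.window_s = window_s
        self._client = defaultdict(deque)     # client key -> lookup timestamps
        self._invalid = deque()               # timestamps of invalid-code lookups

    def _trim(self, q, now):
        while q and now - q[0] >= self.window_s:
            q.popleft()

    def decide(self, client_key, now):
        """Return 'allow', 'throttle' (this client) or 'challenge' (site-wide)."""
        q = self._client[client_key]
        self._trim(q, now)
        self._trim(self._invalid, now)
        if len(q) >= self.per_client:
            return "throttle"
        if len(self._invalid) >= self.global_invalid:
            return "challenge"                # e.g. require login before lookup
        q.append(now)
        return "allow"

    def record_result(self, valid, now):
        """Call after an allowed lookup; only invalid codes consume the budget."""
        if not valid:
            self._invalid.append(now)

def replay(guard, requests):
    """requests: (time_s, client_key, code_is_valid); returns decisions in order."""
    decisions = []
    for now, key, valid in requests:
        decision = guard.decide(key, now)
        if decision == "allow":
            guard.record_result(valid, now)
        decisions.append(decision)
    return decisions

# Constructed traffic: one noisy client, then one lookup each from many keys.
SINGLE = [(t, "client-A", False) for t in range(8)]
SPREAD = [(100 + t, f"client-{t}", False) for t in range(30)]
```

The per-client limit stops `SINGLE` after five lookups but never fires on `SPREAD`; only the site-wide invalid-code budget does, and it clears once the window has passed.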
Industry coordination:
- The Gift Card Fraud Prevention Alliance (formed 2024, under the Retail Industry Leaders Association Communities Foundation) united major retailers, card networks, and law enforcement for a 2025 holiday fraud awareness campaign (ProtectMyGiftCard.com, 2025)
Regulatory & Legal Context
UK — ECCTA 2023: The Economic Crime and Corporate Transparency Act 2023, effective September 2025, creates a corporate criminal offence for failing to prevent fraud. Companies can be held liable if any associated person commits a specified fraud offence that benefits the organisation directly or indirectly (SecurityBrief UK / PwC + Forter, 2025-07-22). This increases the stakes of inadequate gift card fraud controls for UK-operating retailers.
EU — PSD3/PSR framework: The EU payments package (provisional political agreement November 2025) includes fraud prevention and transparency requirements. Formal adoption expected H1 2026 with a 21-month transition period (A&O Shearman, 2026; as-of 2026). See also Strong Customer Authentication (SCA - PSD2).
US — state laws: At least 11 US states have passed laws specifically targeting gift card fraud as of 2026-03 (DataDome citing NCSL, 2026-03-05; as-of 2026-03).
Key Terms
| Term | Meaning |
|---|---|
| Gift card cracking | Bot-driven enumeration of gift card code/PIN combinations via balance-check API endpoints |
| ATO cash-out | Using compromised account access to purchase or drain gift card balances |
| Double-loss attack | Stolen card → gift card purchase → gift card redemption for physical goods → two chargebacks |
| Activation delay | Hold period between gift card purchase and first valid redemption, used as fraud friction |
| VAMP | Visa Acquirer Monitoring Programme — merchant penalty trigger for excess chargebacks |
| Physical tampering | In-store gift card rack fraud: barcode/PIN copied before sale, balance drained after loading |
Benchmarks (as-of 2026-06-21)
| Metric | Value | Source | Date |
|---|---|---|---|
| US consumer gift card fraud losses | $212M–$250M | FTC via DataDome / Chargebacks911 | 2024 |
| Gift cards % of criminal marketplace sales (2025 holiday) | 11% | Kasada | 2025 |
| YoY fraud pressure increase on gift card orders | +91% (Mar 2025: +125%) | Signifyd | 2025 |
| Gift card fraudulent share vs other segments | Up to 7× | Riskified | 2024 |
| Fraudsters' preferred purchase volume | 11–50 cards per session | Riskified | 2024 |
| Purchase cap reduction in fraud volume (merchant-reported) | ~70% | r/ecommerce | 2025-01 |
| Physical tampering losses (FTC, 2019–2023) | $1B | FTC via Chargebacks911 | 2023 |
What Practitioners Report
Merchants on r/ecommerce and r/shopify describe gift card fraud as a structural systems gap rather than a single attack vector. Three recurring themes:
The delay between attack and detection is the core operational problem. The chargebacks arrive 60–90 days after the fraud; by then, the codes have been resold and spent. Prevention must happen at the point of purchase, not after.
Velocity and volume matter more than individual transaction value. Fraud rings structure individual transactions to evade static value thresholds. Velocity signals — same email domain pattern, purchase clustering within a 4-hour window, multiple small orders to the same device — are more reliable signals than order size alone.
Ad-hoc intelligence sharing fills institutional gaps. Merchants report spotting the same 2–3 email domains being flagged by multiple merchants in r/shopify threads — an informal cross-retailer early-warning network that formal fraud consortia have not yet replaced.
Frontier Links
- Gift Card Draining — physical in-store card tampering; needs standalone page
- Gift Card Enumeration Attacks — API-level brute-force; needs standalone page
- Residential Proxy Networks — primary evasion technique for IP-based controls
- Chargeback Representment — dispute management for card fraud
- VAMP (Visa Acquirer Monitoring Programme) — Visa penalty trigger
- Gift Card Fraud Prevention Alliance — industry coalition (RILA Communities Foundation, 2024)
- Wardrobing — related return fraud type; no standalone page yet
- Step-Up Authentication — re-auth pattern without full logout; choke point for ATO-to-gift-card