BEC-Enabled Gift Card Fraud: The Last Thing You Want for the Holidays
Business email compromise can be compounded by incorporating an ongoing merchant concern: Gift card fraud.
Online fraud is a year-round concern for those operating in the e-commerce market. But during the madcap holiday shopping season, anxieties about fraud threats get kicked into overdrive.
Merchants are dealing with promotions, increased traffic, and last-minute shipping and fulfillment headaches. That’s not even accounting for returns, which can surpass 30 percent of overall orders in the online space, according to an article by Red Stag Fulfillment. On top of all that, merchants still have to manage online fraud threats.
Merchants are stretched thin, and fraudsters take advantage of it. They employ tactics like synthetic identity theft and clean fraud, using cardholders as a means to ultimately defraud merchants.
They attack through unexpected avenues as well.
One particular fraud tactic is on the rise. Known as business email compromise, it can be compounded by incorporating an ongoing merchant concern: Gift card fraud.
Business Email Compromise Explained
Put simply, BEC is a form of digital wire fraud. It’s a more sophisticated attack method than some other fraud tactics because the fraudster doesn’t attempt to impersonate a cardholder and steal goods. Instead, the fraudster impersonates a credentialed individual within an organization to manipulate others, either inside the same organization or out.
A BEC attack involves a hacker accessing a genuine company email account. This can be done via a phishing attack to steal a user’s credentials, or simply by guessing the right information. The fraudster, now impersonating the legitimate credentialed individual, can deceive employees or customers and turn them into unwitting accomplices.
It’s fairly obvious why criminals would be interested in executing a BEC attack at the bank or credit union level. By impersonating an official, they could try to trick credit union employees into transferring funds to an illicit account. They may also approve lines of credit that should not be approved, speak with legal counsel on your behalf, or carry out any variety of other malicious activity.
On the merchant level, though, a bad actor can still commit serious fraud. The only obstacle is that it’s more difficult to convert that activity directly into cash, which is where gift cards come in.
Gift Card Fraud Takes on New Dimensions
Stop me if you’ve heard this one before: A criminal hacks an email account from the IRS or some other official organization. The hacker then contacts consumers, threatening them with legal action unless they pay some made-up penalty, which the hacker instructs them to pay using gift cards. It’s a common scam used to part consumers from their money.
Gift cards are anonymous and very popular in the lead-up to the holiday season. In fact, 55 percent of consumers were interested in giving or receiving a digital gift card during the holidays last year, according to a report from Blackhawk Network. That anonymity and popularity make them very easy to convert into cash.
A recent report by Agari found that gift card fraud accounts for two-thirds of all BEC attacks. And, with $26 billion in losses over the last three years, according to the FBI, the problem is getting worse. Consumers, merchants and card issuers all have a vested interest in addressing this matter:
- Consumers: A fraud incident can be devastating, depriving individuals of their hard-earned cash. It may take years to recover from a single scam.
- Merchants: Customers may try to file chargebacks to recover their funds. This will result in revenue loss and added overhead.
- Issuers: Each fraud incident increases the institution’s ratio of fraud to legitimate transactions. This is a problem with measures like the Visa Issuer Monitoring Program in place.
Can We Do Anything to Prevent BEC?
BEC and gift card fraud are hard to mitigate. First, fraudsters target consumers, who have little understanding of the finer details of fraud. Then, once the customer hands over the gift card and the fraudster vanishes, it’s very hard to recover the money.
One option is for the customer to file a chargeback to overturn the gift card purchase. Of course, this would be a case of friendly fraud, as the customer did authorize the transaction. Rather than undoing the fraud, you’d simply transfer the burden to the merchant. Plus, as mentioned above, each chargeback attached to a fraud claim would increase the institution’s ratio of fraud to legitimate transactions.
Ultimately, the best option is to try to prevent the fraud before it occurs. This means surveying transactions for suspicious activity with greater diligence than ever before, and also putting more emphasis on securing email accounts.
Fraudsters tend to steer cardholders toward digital gift cards that can be easily resold. Apple, Amazon and Google are very popular targets. Suspicious activities should be set aside for closer review. You could even reach out to the buyer to confirm a purchase before finalizing authorization.
Gift cards are extremely popular among consumers. That’s not going to change anytime soon, and that means BEC-enabled gift card fraud isn’t going away. The best option is to know the facts and the telltale signs, so you can act appropriately.
Monica Eaton-Cardone is co-founder and COO of Chargebacks911. She can be reached at 727-461-1089 or monica@chargebacks911.com.