Gift card scams are attractive to cyber criminals for the same reasons gift cards are attractive to us: they’re relatively straightforward and simple! With Black Friday, Cyber Monday and Christmas just around the corner, we wanted to highlight some of the ways cyber criminals are using gift cards in their scams and share some top tips for protecting yourself against them.
It is important to consider the impact of COVID-19 on our spending habits. With a 50% increase in digital gift card sales since lockdown, gift cards are providing greater opportunities for cyber criminals to exploit. It is also important to take into consideration the hardship many businesses have faced over the last few months, with many retailers promoting gift cards as a gifting option. We know that cyber criminals follow the numbers: the more we use a platform or technology, the more they’ll exploit it, and gift cards are no different. Since March 2020, some gift card scams are reported to have increased by 820%.
We have seen cyber criminals using gift cards in all manner of social engineering attacks and automated attacks. Let’s look at how these attacks work, some case studies from 2020 and some top tips for protecting yourself against them.
Gift card social engineering and data harvesting
We’ve seen a rise in gift card scams on social media over the last year. Social media enables cyber criminals to engage with a wider audience without having to be connected to them or have their email addresses. An interesting example of this is the Asda gift card scam seen on Facebook earlier this year.
In this scam, the cyber criminals used official Asda branding to create their Facebook business page. They then used Facebook Ads to turn the post into a sponsored post, which helps to make it seem legitimate. They also used social engineering tricks, such as placing a sense of scarcity on the number of gift cards available and incorporating emojis to help the post look more engaging.
This gift card scam was actually harvesting individuals’ data, and a lot of it. In order to claim the supposed gift card, you were asked to input your home address, mobile number, bank account details, sort code and 3-digit security number!
Gift card fraud
In some cases of this social engineering attack, the criminals compromise accounts and in others they spoof email addresses, both with the aim of impersonating their target’s boss or friends. They then email the target asking them for help, and once the target has responded they ask them to purchase a gift card with the promise they’ll pay them back. Birmingham University’s staff and students were subjected to this type of scam earlier this year.
Gift card brute force
This is an automated attack that involves criminals “guessing” the combinations of digits and letters used on gift cards. It can, unfortunately, be relatively straightforward in some cases, when the gift card codes follow a pattern. Once they have cracked a gift card, if funds are available the cyber criminals will purchase items or transfer funds to other cards.
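For retailers and fraud teams, this kind of guessing shows up in balance-check logs as one client trying many different invalid codes in a short time, often with a shared prefix. The sketch below is an added example, not part of the original article; the log format, thresholds and every sample value are constructed assumptions.

```python
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <client IP> <card code> <result>".
# 198.51.100.7 walks a code pattern; 203.0.113.45 fails slowly; 203.0.113.20 makes a typo.
SAMPLE_LOG = "\n".join(
    [f"2020-11-20T10:00:{s:02d} 198.51.100.7 GC-4410-{s:04d} invalid" for s in range(1, 9)]
    + [f"2020-11-20T{h:02d}:30:00 203.0.113.45 GC-{h * 613:04d}-0042 invalid" for h in range(10, 17)]
    + ["2020-11-20T10:02:00 203.0.113.20 GC-7731-9042 invalid",
       "2020-11-20T10:02:30 203.0.113.20 GC-7731-9024 valid"]
)

def parse(log):
    """Yield (time, ip, code, result) tuples from the assumed log format."""
    for line in log.strip().splitlines():
        ts, ip, code, result = line.split()
        yield datetime.fromisoformat(ts), ip, code, result

def find_enumeration(log, window=timedelta(minutes=5), max_misses=5):
    """Return {ip: shared code prefix} for clients that tried more than
    max_misses distinct invalid codes inside any sliding time window."""
    misses = defaultdict(list)  # ip -> [(time, code), ...] for failed lookups
    for ts, ip, code, result in parse(log):
        if result == "invalid":
            misses[ip].append((ts, code))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans no more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            codes = {code for _, code in events[start:end + 1]}
            if len(codes) > max_misses:
                # A long shared prefix suggests pattern-based guessing.
                flagged[ip] = os.path.commonprefix(sorted(codes))
                break
    return flagged

if __name__ == "__main__":
    for ip, prefix in find_enumeration(SAMPLE_LOG).items():
        print(f"possible gift card enumeration from {ip}, shared prefix {prefix!r}")
```

Flagged clients are candidates for rate limiting or a CAPTCHA on the balance-check endpoint; the thresholds need tuning against real traffic.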
Account takeover gift card attacks
During this attack, cyber criminals use compromised usernames and passwords to gain access to an individual’s online accounts. The cyber criminals then exchange loyalty reward points for gift cards for themselves, which they then convert into money using a gift card exchange service. Read more about loyalty card fraud here.
Top tips for protecting yourself against these four gift card attacks:
✅ If you see a social media post, email or SMS message that suggests you could receive or have received a gift card, avoid clicking on any links and be aware this could be social engineering. Instead, go directly to the source (for example, the retailer’s website).
✅ Never input personal details in a gift card post you have seen on social media or email. Instead, go directly to the legitimate source to verify if they have sent a gift card or are advertising a gift card.
✅ If you receive a communication that you’re not expecting (whether by WhatsApp, email, phone call, SMS message or any other way) that is asking you to do something and makes you feel emotional (rushed, happy, panicked, embarrassed or anything else), be aware this could be social engineering.
✅ Ensure you have a good, strong password for your accounts. The UK National Cyber Security Centre (NCSC) recommends that you start with three well-chosen random words. For example: fogautumngoat. Be sure to then include numbers, capital letters & symbols: F0g@utuMnG0@t.
✅ Consider using a password manager to help generate and store all your passwords. Some that are commonly recommended are 1Password, Dashlane and KeePass.
✅ Ensure you have two-factor authentication on all accounts where it is available. Read our guidance on account security here.
✅ Share this advice with your family and friends. This time of year we always see a spike in gift card scams and 2020 has been challenging enough, so let’s protect and empower our loved ones to recognise the red flags of a gift card scam.