How do scammers extract money from gift cards? Why can’t companies stop them? #GiftCardScams #ScamTechniquesExplained
Have you ever wondered what scammers do with the gift cards they receive, like iTunes cards? How do they manage to get money out of them, and why are companies like Apple and Google not able to prevent this? #CuriousAboutGiftCardScams
**Understanding Gift Card Scams**
– **Techniques Used By Scammers**
– **Challenges Faced by Companies**
– **Preventing Gift Card Scams**
they steal credit card information from a victim, then use it to buy gift cards, then sell the gift cards at a discount.
If it’s a gift card to a store that sells physical products, they can buy things and resell them. If not, they can sell the gift card to someone else for cheaper than the store value, which is already common in online marketplaces.
In addition to the methods being mentioned, another method is by using fake apps on Google Play or the iTunes store. Using the fraudulently acquired gift cards, scammers make in-app purchases on fake apps created for the sole purpose of funneling the gift card money into a ‘legitimate’ bank account, which can then be redistributed to everyone involved with the bonus of making it look like a legitimate business
They either resell the cards at a discount or buy expensive products to resell. iPad Pros are a common option. It doesn’t much matter if they lose 20-30% of the face value of the gift card. Every cent they sell for is pure profit.
These gift cards are legitimate gift cards. A website can’t tell where you acquired it from. Even if they could, blocking the transaction would only harm the customer rather than the thief. Big ticket items have purchase limits to discourage resellers, but all that really accomplishes in making them use multiple accounts.
Even when resellers are blatantly obvious in store, the corporation has no incentive to take legal action. That would be costly, and the company has already been paid. Further, the actual scammers tend to throw a few bucks to someone in a vulnerable community to do the actual purchasing. You wouldn’t stop the scam by arresting them, and the only link they have to their boss is a burner number.
They also steal gift cards from retail, scratch off and document the codes, then replace the scratch off material with a similar sticker. Then they replace the cards on the shelf, wait for someone to buy/activate them, then swoop in and redeem the value before the rightful purchaser. They have a program that continuously polls for the codes until it pops up with credits.
There are several ways. First there is a code on the back to put money from a gift card into an account this is what they are after. They can get that code in a couple of different ways the simplest is have a mark buy the card and give them the code by convincing the mark that they should. This is done by cold calling people and telling them that you are the irs or a bank or a grandson and need to be paid in giftcards.
another way to get the code is to take cards open them up and get the codes and somehow reseal the gift card so it doesn’t look tampered with. This requires you to constantly check the codes but eventually someone buys the card it becomes active and you take the money. This can be easily defeated by checking the packaging to ensure it hasn’t been tampered with.
They steal gift cards from the display rack, carefully open them, record the numbers, reseal the card envelopes and return to the store.
When you purchase the card and the store activates it, we’ll it is typically not spent right away. You have it a couple days. You mail it to your friend, they try to use it later that week or month.
So the scammers check the card numbers periodically and jump on any that have been activated.
You would think that the gift card companies would pay attention to card numbers that are checked multiple times a week.
But as for scammers that get their victims to purchase cards… that’s digital cash. That’s cash in the cloud, a code on a spreadsheet.
How the scam works:
Steal photos of expensive, high-quality product
Advertise via Facebook at $20-$30
Only accept PayPal payments, not credit cards (this is important – see later)
When a customer orders an item, send something cheap – a keyring, a pair of kids sunglasses, whatever.
When item arrives, the buyer contacts PayPal for a refund as the wrong goods were delivered.
PayPal advises that under their Ts&Cs, they will only process a refund on proof of return postage at buyer’s expense.
Buyer goes to post office and discovers that the return postage to China costs more than the original purchase cost, so to get a refund, they have to lose even more money.
Buyer abandons refund request, so PayPal takes no action against the seller.
Some gift cards can be used to buy bitcoins. Those can then be sold for money, and the origin of the money can not be traced that way.
The way they get them at first is steal them before activation, record the card number and key, then apply a replacement cover for the key, take those cards to the store and place them on the rack. Monitoring of those numbers via the check balance pages begins.
The customer buys the card and activates it, eventually (unless the customer spends it first) the other party will see the money is present, then go to buy other gift cards from safe sources. Those cards are then listed on various places for sale.
Whenever you see a third party selling gift cards at a discount it’s usually one of a few things. 1) A thief like noted earlier, 2) Grey markets, but this is more for software and games than currency cards, 3) Someone trying to make a store discount work at scale, similar to Target giving a discount if you buy using your target card.
They buy physical products and resell them on marketplaces like FB Marketplace, eBay, and OfferUp.
Companies like Apple and Google don’t care to make it harder, because they are not at risk for losses. If someone steals your Apple gift card, Apple is out nothing.
For context, I am an IT manager. Have been for 20+ years. Last year my wife made a purchase with an Apple gift card directly through [Apple.com](http://Apple.com), but a special offer discount wasn’t applied correctly, so she contacted Apple support.
Before I go further, please understand that I audited these events. I checked her browser history, email, and phone records. I can say with 100% certainty, and with the receipts to prove it, that she did not fall prey to a spear phishing attack or any other sophisticated attack. Her email address is protected by a strong password with 2FA that is not SMS based and incorporates biometric factors. Our shit is on full lock.
She spoke with an Apple representative who attempted to correct her order, but encountered difficulty. The rep asked her for the number on her gift card, and she provided it, assuming that because this was an verified Apple rep it was safe.
The rep “tried again”, but was only able to cancel the order. The rep then exfiltrated the gift card number, and that night the balance of the gift card was used to make purchases. We were able to salvage some amount of the gift card, because the refund amount hadn’t been credited to the card yet.
I am 100% confident that the Apple rep was the attack vector, because the only three places the gift card info had been disclosed was: A) my wife’s email where it sat for months unaffected, B) the Apple website where the purchase was made, and B) the Apple phone rep.
When confronted with these details, Apple’s reply was that “We cannot comment on how the gift card information may have been disclosed, but it is our policy that we do not refund gift car purchases attributed to fraud. We are sorry, but there is nothing we can do to help you.”
That was the end of it. This was after having provided full documentation about the chain of custody and records of the phone calls.
Bottom line is that gift cars are completely unregulated, so companies can implement whatever policies they like. This means they can put the risk of fraud 100% on the consumer, and they get the full benefit of the money spent to buy the cards.
EDIT: Because this has gotten some attention, I want to add that we uncovered a way to mitigate the risk of loss, with Apple gift cars specifically, to at least some degree. If you get an Apple gift card, you should immediately transfer the balance to your Apple ID. This associates it with your account, and any refunds must be issued to your account, rather than to a gift card. It eliminates the gift card altogether. So long as you use good security practices in your email and Apple ID, you’ll be at much lower risk of theft, since there are no numbers that can be simply exfiltrated.
You can sell gift cards online – there’s a few websites that do it. Nothing shady. You just type in the gift card info and they send you money in exchange, while taking a percentage. If you have a $50 gift card, you’ll probably get like $40 of it in cash. It’s legit – I’ve had to do it a few times when I was in a pinch 🤷
They have gift cards. They buy high value, easy to resell items with those gift cards (expensive electronics, etc) and sell them for deep discounts to launder the money. Or just cash them out on gift card resale/trade sites.
Its why if you see someone selling “brand new” iphones, macbooks, whatever on craigslist for an obscenely low price, it’s a scam. The items may be legit, but they’re selling so cheap because they’re laundering money. Lot of “work from home and make easy money” scam jobs too where they hire unwitting people to act as shipping intermediaries to help legitimize their online sales (i.e. it’s now coming from a US based address in the suburbs instead of some third world country.)
Doesn’t matter that they’re immediately losing like 50% of the gift card “value” because it’s all raw profit anyway.
I honestly wonder if this is where some of the “cash prizes” come from in those scammy play to win Android “games.”
You might find [this article from ProPublica](https://www.propublica.org/article/walmart-financial-services-became-fraud-magnet-gift-cards-money-laundering) very interesting and informative.
If we reduce your question to “why can’t companies reduce their sales to help random people avoid being scammed”, the answer becomes more obvious.
As to how they convert the gift cards to cash, there are websites that specifically do this. There are completely legitimate “exchange” websites where you can exchange your gift cards for other gift cards or for just a cash value. As an aside, you can use this too if gram gram got you a gift cards for a store you would never go to, but you want the cash.
Some of the value of the card is lost, like let’s say you can sell a $50 Amazon gift card for $45 cash. The less desire the gift card the less money you’re going to get for it.
You just need the gift card number, so that’s why scammers tend to gravitate to using them. Simply sending them the gc number is basically the same as instantly sending the cash, right over a phone call or text message. They don’t need the physical card, they just need the numbers. And gift cards are basically the same as cash anyway. Nice and anonymous
Companies could *definitely* stop them but it would cost money and share holders don’t like that.
For apple store and Google play gift cards, they’ll have a fake app or game on the app stores for $5-$50 with a bunch of in-app purchases. They’ll then use the gift cards to buy those apps and in-app purchases where the money will be put into an actual bank account that they control. Or they’ll make a song or album and put it on the applestore and what used to be the Google music store and just buy that over and over again. No one will care about some music that came from a small country with no internationally recognized artists or bands.
For stores like Dicks, Macy’s, box-stores or items that you can ship in a card board box across the country or internationally, they’ll buy actual merchandise with them and sell them on Etsy or ebay or elsewhere.
Last is they’ll just sell the numbers online for cheaper than what it’s worth. They didn’t buy them so whatever they make on them is pure profit. Say your grandma sent them a gift card for $500. They’ll sell the code online for $200 and male $200 off of it.
None of the businesses that sold the gift cards care because they already received them when the scammed person bought them, so it doesn’t cost apple, Google, Macy’s, Dicks any money at all.