Gift cards are hotter than roasted chestnuts this yule season.

Six in ten consumers have gift cards on their Christmas shopping list, according to a survey of 7,349 consumers for the National Retail Federation trade association, and retailers reckon they'll sell more than $27 billion worth this holiday season.

For many people, gift cards take the agony out of finding that perfect present. But if you're buying or receiving gift cards this year, there's a scam you should know about: The money that you or your benefactor put onto that gift card can be stolen before the intended recipient can spend it. 

"Gift cards are a big target for criminals," says Avivah Litan, security analyst for Gartner, an information technology research and advisory firm. The FBI estimates that gift card fraud losses are in the low single digits as a percentage of sales, but gift card sales run about $130 billion a year.

Here's what you need to know to protect yourself.


Go to 
Consumer Reports' 2017 Holiday Gift Guide for updates on deals, expert product reviews, insider tips on shopping, and much more. And be sure to check our Daily Gift Guide.
 

A Simple Scam

The process of stealing the money off gift cards can vary. With the simplest method, a hacker takes cards off the rack, writes down the gift cards' numbers, and scratches off the strip on the back of the cards to get the security codes. 

Once he has that information, he puts replacement strips—easily available online—over the codes and exits the store.

Later, after you buy one of those cards and load money onto it, the hacker gets an alert that tells him that the funds have been loaded onto the card.

"The crooks can see as soon as someone activates the card, because they've automated all this with software that periodically checks the card balance via the internet," says David Farquhar, a unit chief within the FBI's Criminal Investigative Division who explained the crime techniques to Consumer Reports last year.

But some gift card providers have safeguards. "If a card has not yet been sold and the number has been pinged online multiple times, the retailer will shut that card down," says Teri Llach, chief marketing officer for Blackhawk Network, a major provider of gift cards in-store and online. "The system identifies cards that may be compromised."

Laundering The Money

Because gift cards generally can't be redeemed for cash, after the crook finds cards with funds on them, he then starts a roundabout process of laundering the money.

For example, he might place an ad on a consumer-to-consumer online marketplace or auction website for an item that he doesn't actually own, say, a video game console that sells for $600 in a retail store but that he is selling for $500. When a buyer quickly snaps up that deal, the buyer sends his clean money to the fraudster.

The criminal, meanwhile, uses the dirty money loaded onto the stolen gift card to purchase the console from an online retailer, which ships the game player right to the buyer.

Botnet Attack

More sophisticated hackers skip the physical gift cards on racks in stores and go directly to the websites where consumers access their gift card balances. There, the hackers attack using botnets, networks of thousands of hijacked individual personal computers and Internet of Things (IoT) devices, which carry out automated actions.

The botnets test millions of combinations of gift card account numbers (which may follow discoverable sequencing patterns) and stolen PIN passwords to try to log into online gift card accounts that have money loaded onto them. The botnets try to avoid detection by mimicking individual human browsing behavior and blending in with a website’s genuine visitor traffic.

In one such “brute force” attack on a gift card website earlier this year, a botnet dubbed GiftGhostBot logged up to 4 million gift card balance requests per hour by testing a rolling list of potential account numbers and PINs, says Rami Essaid, CEO of Distil Networks, a company which detects and defends businesses against botnets. When the botnet finds a money balance, the hackers can sell the account number on the criminal dark web or use it to purchase goods directly.

“More than 90 percent of the login activity for online accounts set up to manage gift cards is coming from botnet attackers who want to take over accounts,” says Shuman Ghosemajumder, chief technical officer for Shape Security, another firm that defends company web and mobile applications from automated cyberattacks. Not all gift card companies use botnet defense services. 

Protect Yourself

Gift card issuers are beefing up security with more protective packaging and new back-office technology that flags suspicious activity during purchase and redemption, says the Retail Gift Card Association. But you can also protect yourself by  taking these steps: 

Buy gift cards online directly from the retailer, chain restaurant, or other issuer, says the FBI's Farquhar. Criminals don't have easy access to those cards. Buy online especially if you're purchasing a high-value gift card.

Don't buy in-store racked cards with easily accessible numbers and PINs. If you buy in a retail store, look for gift cards kept behind the counter or in well-sealed packaging. The Retail Gift Card Association advises consumers to inspect the package for tampering.

If possible, change the security code as soon as you buy the card. Register the card when you get home, change the PIN, and educate the recipient about what you did and why he or she should not delay in using the card.

Get your stolen funds back. Card issuers that use botnet defenses can detect the tiny percentage of fraudulent transactions that may slip through their net, and they may be able to distinguish between honest and fraudulent transactions on your gift card to make you whole again. So “if your card has been drained, you should call the issuer and ask for reimbursement of your stolen funds,” Essaid says.

Secure your home computer. Farquhar says criminals also gain access to your gift card numbers and PINs by hacking your computer. To help prevent that, make sure your security software is the most up-to-date version, create and use strong passwords or a password generator, and follow our 66 ways to protect your privacy