November 15, 2016
By Karisse Hendrick, Editor-at-Large, CardNotPresent.com
Gift cards have become the go-to holiday choice for the hard-to-shop-for family member or co-worker. E-gift cards that can be purchased, sent and redeemed immediately—increasingly on mobile devices—are even more convenient than traditional plastic gift cards. Unfortunately, fraud on e-gift cards may be more difficult to detect. If you prepare for the incoming storm of e-gift card orders and create a game plan to identify and prevent fraud, however, you may prevent a January chargeback hangover.
Understanding the Problem
According to Giftcards.com, electronic digital gift cards are the fastest-growing segment of the gift card industry, growing 29 percent annually. They are expected to make up 7 percent of the overall gift-card market by the end of 2016, accounting for more than $10 billion in sales, according to CEB/Tower Group. But, as popular as they are with consumers, they are just as popular to fraudsters. E-gifts are instant, no shipping address is needed, they can be easily transferred to others and there is demand for them in the secondary market, making them easy to monetize. With over 97 percent of all major retailers and restaurants selling their gift cards online, no company or vertical is immune to online gift card fraud.
According to a report by payments processor ACI Worldwide, across hundreds of millions of transactions, electronic gift cards have the highest fraud attempt rates of all products sold by their merchants. Between Black Friday and Christmas in 2015, 9.5 percent of all online fraud attempts were on downloadable e-gift cards. With so many holiday orders appearing risky because the shipping address does not match the billing address more often than normal, the risk of canceling a legitimate order, prompting a lost sale and unhappy customer, is greater than at any other time of year.
The Secondary Market Factor
Several secondary markets have emerged in the last few years enabling consumers to buy and sell gift cards at a discount. Some of these sites buy cards directly from consumers and resell them. Others take the form of online classifieds or auctions. Reseller sites pay sellers and charge buyers set rates for each brand that they sell. Online classified and auction sites allow sellers to set their own price which can carry deep discounts, depending on the popularity and availability of each card.
These sites enable consumers to sell gift cards from retailers at which they won’t shop, while allowing others to get a good deal on a card from their favorite store or where they are planning to make a large purchase. Having gift cards in the hands of brand-loyal consumers who will likely provide lift can be a benefit to retailers. But, a site full of willing buyers is just as attractive to fraudsters looking to monetize their ill-gotten e-gift card codes as shoppers looking for a deal. The secondary market has directly influenced fraudulent purchase attempts at several high profile retailers, according to Mark Michelon, vice president of global client services at Accertify.
“In looking at cards purchased for resale, when customer demand for a specific gift card brand rises, the fraud will go up,” Michelon says. “We also see high-dollar purchase attempts that we believe are specifically to be sold on the secondary market.”
Beyond providing an easy way to monetize fraudulently purchased gift cards, secondary markets pose an equally challenging issue for merchants. When a fraudsters uses stolen credentials to buy a gift card and the victim files a chargeback or reports it as confirmed fraud, the merchant usually retracts the remaining funds on the card to mitigate the loss. If the fraudster has sold the card to a secondary-market site to monetize his theft, chances are that the value of the card will not be there when the legitimate buyer visits the secondary site (which is now the merchant of record) and buys the card. With funds no longer available on the card, many consumers assume it’s the retailer whose name is on the gift card that must guarantee the funds on the card. It can get even more complicated when the fraudulently purchased gift card in question was purchased as a gift, adding a third “customer”: the fraudster, the secondary market buyer and the gift recipient. Many merchants are reporting this has become a customer service problem, as well as a brand issue and different merchants handle it in different ways.
Some reseller sites have a 60-day guarantee on gift card funds. In these cases, they may issue refunds once an incident has been reported and they research the situation. If the site does not offer a guarantee, consumers can attempt to obtain their funds via a chargeback to the merchant that sold the gift card. According to the chargeback rules, only the merchant of record is required to repay the consumer for the purchase of a gift card that has been frozen. If a consumer purchased a gift card directly from a fraudster via a classified ad or online auction site, those funds most likely will not be able to be recouped.
Regardless of the legal liability, consumers will place the blame on the merchant that issued the gift card. So, while merchants are not required to re-issue funds on cards sold by a secondary source, some find it necessary to preserve the perception of their brand, especially if a cardholder threatens to post their complaint on social media. Understanding the card brands’ rules on these situations and how these secondary markets handle cases of fraud can help your team create a process for when these incidents occur. Having a plan of action for customer service and the fraud team in these instances will greatly reduce any uncertainty and drama that handling these cases as one-offs can cause. Consistency and communication to the consumer that purchased the cards are key in these situations.
Identifying E-Gift Card Fraud
Merchants report two main methods of fraud targeting e-gift cards: standard credit card fraud and account takeovers. These methods are not unique to gift cards, but they can be more successful there. Standard credit card indicators of fraud include nonsensical e-mail addresses, purchaser or recipient names (ex. firstname.lastname@example.org, kjlkyudsv yugwmpal), the same purchaser and recipient name and e-mails, multiple purchase attempts on the same device ID, multiple failed purchase attempts prior to successful authorization or not customizing the gift message. Additionally, Michelon adds that Accertify has “seen fraudsters becoming more aggressive towards gift card purchases as well as all digital delivery services (with instant delivery and no shipping address required). We have seen fraudsters use the e-mail address of the legitimate cardholder to pass e-mail validation tools and hope they can drain the gift card funds or transfer the digital product before the cardholder notices the merchant e-mail confirming the purchase.”
Account takeovers using the log-in and password of a legitimate user to access their accounts enable fraudsters to bypass many standard fraud tools. Merchants that have stored value gift cards attached to customer accounts are especially susceptible because fraudsters can transfer that value to an account created by the fraudster or simply change the email address and send themselves the value in an e-gift card. In May 2015, a journalist uncovered this very situation in the Starbucks mobile app.
Account takeover attempts can be identified by tracking the number of log-in attempts on an account or when the billing information or e-mail address is changed on an account log in. It’s also a possibility when purchase behavior is occurring faster than can be performed by a human, when log-ins are originating from devices and locations inconsistent with the legitimate consumer’s history and when purchases are not consistent with a user’s previous activity. Assigning risk score to these suspicious behavior characteristics as well as studying past fraudulent orders on gift cards on your site will help to gain visibility into this behavior.
Applying Best Practices to Prevent e-Gift Card Fraud
Knowing what to look for is the first step in preventing any kind of online fraud. Studying transactions marked as “confirmed fraud” as well as the purchases that resulted in fraudulent chargebacks can provide a wealth of information that can prevent future losses. One of the biggest challenges for merchants is when a gift card program was added after establishing fraud prevention systems, or if gift card sales don’t automatically feed into a fraud management system. Also, not all payment methods or channels flow through the same system. Purchases made via alternate payment methods or through the mobile channel may not be assessed for fraud the same way. If there is a point of entry with less fraud prevention rigor, it won’t take long for the fraudsters to find it.
Requiring gift card purchases to go through the same process as all other transactions is an important step towards fraud prevention. However, it is important to have separate rules apply to these transactions, as well as their own queue. This allows specific rules to be applied to gift card transactions that may not apply to traditional products and for manual reviewers to prioritize orders that may need to be reviewed, as most e-gift card orders have been delivered to the recipient prior to being manually reviewed. Optimally, your system should include a way to suspend e-gift card codes from being delivered if the order is flagged for manual review.
Because e-gift cards feature instant delivery and have a high risk of fraud, it may make sense to assign more senior risk analysts to the gift card queue. This will lend consistency and expertise to fraud decisions on e-gift cards, maximizing the ability to cancel these transactions, while minimizing the risk of canceling legitimate transactions that may look risky. Scheduling an hour meeting once a week for these analysts to share specific tactics, risky identifiers and patterns they’re observing can add to this consistency. Remembering that e-gift cards are essentially like cash can make monitoring and canceling fraudulent gift card purchases a priority for the business and the review analysts.
Additionally, Michelon stresses the importance of having a system that can track gift card activity “from time of purchase to time of redemption,” allowing merchants visibility into activity that is fairly typical for legitimate customers, which makes outlying behavior to stand out. “If a customer buys a gift card today and redeems the gift card today, that may look more suspicious, especially when most e-card purchases during the holiday season will not be given to the recipient until the holidays,” Michelon adds that another behavior that is common among fraudsters specializing in gift cards is to transfer the funds from the original gift card number that was purchased to several cards until they feel they have masked the funds enough to resell the card. “It’s important to have visibility into the transfer history without it being a manual process to track each transfer, in order to quickly pull the fund off the final gift card once it’s identified as fraud.”
Knowing a storm may be coming can provide an opportunity to prepare. With the holidays quickly approaching, establishing a clear plan and process for identifying and preventing fraudulent gift cards while reducing the impact to legitimate gift-buyers should be a priority for any business selling gift cards online. Creating policies and processes while working with the customer service team will eliminate a lot of headaches, especially in January, when many recipients start to redeem their gift cards. Ultimately gift cards provide a large stream of revenue for businesses, can lead to new customers and create sales throughout the year, but knowing the risk to the company and creating a strategy to protect the revenue will lead to a less stressful January when fraud chargeback notices start coming in.