only 38% use gift cards within 30 days

The popularity of e-gift cards is growing, but since the onset of COVID-19 that growth has been accompanied by an increase in malicious attacks.

PerimeterX monitors E-card attacks

Among the brands protected by PerimeterX, the company saw e-gift card attacks stay fairly steady in the e-commerce vertical. Since the COVID-19 lockdown started, however, it reports a skyrocketing increase of 820% in such attacks, mainly in online food delivery services.

“It is hard to fully estimate the costs of bot attacks on e-cards. There are a lot of factors in addition to the lost value of the cards: time spent by customer service teams, lost revenue from the frustrated customers, and gift card management costs,” said Deepak Patel, security evangelist at PerimeterX.

“One way to estimate would be the number of bot attacks on the largest e-commerce sites. The success rate for e-gift card attacks is in the low single digits—1% to 5%. Since e-gift card transactions amount to billions of dollars every year, we can estimate losses to be in the hundreds of millions of dollars every year,” Patel said. 

E-gift cards growing in popularity

The global gift card market has grown quickly: it is valued at over $381 billion in 2020 and is expected to exceed $575 billion by the end of 2026, growing at a CAGR of 6.0% from 2021 through 2026.

60% of consumers prefer physical gift cards

According to Blackhawk Network’s State of Consumer Gift Card Preferences in 2018, 55% of consumers were interested in giving or receiving digital gift cards that can be added to a mobile app or digital wallet. Among millennial consumers, 69% were interested in giving and 67% in receiving a digital gift card. When it comes to spending, 59% of consumers said they usually spend more than the gift card value when using their gift card.

Total Retail reports 80% of consumers received a gift card during the 2019 holiday shopping season with digital gift cards making up 20% of the total. 23% of consumers said they received a digital gift card during the 2019 holidays.

The most popular gift cards these days are those from Amazon, iTunes, Walmart, Google Play, Starbucks, Home Depot, Walgreens, Sephora, Lowes, Carrefour, JD, Best Buy, Sainsbury’s, Macy’s, Virgin, and IKEA.

E-gift card fraud snapshot

PerimeterX highlights the two most common automated gift card attacks: e-gift card cracking and account takeover (ATO). In “cracking”, fraudsters use sophisticated scripts and brute-force attacks to guess gift card numbers, then use the funds to purchase items or transfer balances to other gift cards.

In ATOs, hackers use stolen usernames and passwords for credit cards or loyalty programs and then use the fake IDs to purchase products with stolen gift cards, redeem loyalty points, transfer balances to other accounts and cards and sell them on the Dark Web, or convert e-gift cards into cash on dedicated platforms such as cardcash.com.

Cybercriminals use the Dark Web to actively buy and sell all kinds of gift cards, in addition to usernames and passwords, and the practice is proving popular for money laundering as well. The following is just one example of a Dark Web seller of stolen gift cards.

Dark Web stolen E-gift card sales

The result is lost gift card value for consumers, merchant cost and time spent responding to gift card fraud, negative brand impact, and reputation loss.

Recent E-gift card bot attacks

Cybercriminals are growing increasingly sophisticated and using state-of-the-art tools to attack E-gift cards. PerimeterX noted a recent attack on a top-five US retailer lasted for more than two months with tens of thousands of malicious E-gift card requests.

In another prominent case, a top-10 travel brand’s E-gift card page was hit by a sharper, shorter attack in which 99% of its website traffic for a week was malicious, overwhelming the site completely with more than 250,000 fraudulent page visits.

A third attack on the E-gift card page of a well-known food delivery service caused havoc during the coronavirus crisis as the company struggled to cope with a huge spike in business as consumers shifted their purchase patterns online. Malicious traffic during this attack ranged between 12% and 30% of total traffic.

What’s a retailer to do about bot E-gift card attacks?

Cybercriminals are increasingly sophisticated, and fraudulent attacks are becoming harder to defend against.

“The e-commerce industry, which issues gift cards to engage with users and drive brand loyalty, is the primary target. E-gift cards are a good way of getting consumers to spend on a specific brand, and the typical shopper always spends more than the available card balance,” Patel added.

PerimeterX researchers say most of these attacks are conducted using botnets that are highly distributed and use multiple IP addresses, multiple ASNs, and many different devices. The result is attacks that mimic human behavior and are complicated to detect and block.
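To show why traffic spread across many sources is hard to catch, the added example below (not PerimeterX code) aggregates balance-check lookups for the whole endpoint per time window instead of per IP. The event format, thresholds and sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict

def sample_events():
    """Constructed events: (epoch_seconds, source_ip, code_was_valid)."""
    events = []
    # Window 0: ordinary shoppers, the occasional mistyped code.
    for i in range(40):
        events.append((i, f"198.51.100.{i % 20}", i % 10 != 0))
    # Window 1: 300 lookups from 150 sources, two each, 2% valid
    # (chosen inside the 1% to 5% success range quoted earlier).
    for i in range(300):
        events.append((60 + i % 60, f"203.0.113.{i % 150}", i % 50 == 0))
    return events

def summarize(events, window=60):
    """Bucket lookups per time window for the whole endpoint."""
    buckets = defaultdict(
        lambda: {"total": 0, "invalid": 0, "per_ip": defaultdict(int)})
    for ts, ip, valid in events:
        b = buckets[ts // window]
        b["total"] += 1
        b["invalid"] += 0 if valid else 1
        b["per_ip"][ip] += 1
    return buckets

def flag_windows(events, window=60, per_ip_limit=10,
                 min_total=100, max_invalid_ratio=0.5):
    """Compare a per-IP rate limit with an endpoint-wide invalid-code ratio."""
    report = []
    for idx, b in sorted(summarize(events, window).items()):
        ratio = b["invalid"] / b["total"]
        report.append({
            "window": idx,
            "total": b["total"],
            "sources": len(b["per_ip"]),
            "invalid_ratio": round(ratio, 2),
            # Fires only if a single source exceeds the limit.
            "per_ip_alert": any(n > per_ip_limit for n in b["per_ip"].values()),
            # Fires on volume plus failure ratio, however many sources share it.
            "endpoint_alert": b["total"] >= min_total and ratio > max_invalid_ratio,
        })
    return report

if __name__ == "__main__":
    for row in flag_windows(sample_events()):
        print(row)
```

In the constructed data no single source exceeds the per-IP limit, so only the endpoint-wide ratio flags the second window.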

The company offers several recommendations for web or mobile application operators or owners with e-gift card programs:

  1. Carefully generate e-gift card numbers to protect against emulation and guesswork, and vet third-party e-gift card vendors diligently.
  2. Pay closer attention to advanced, automated threats by monitoring e-gift card pages closely.
  3. Work with a partner and team to implement technology solutions to mitigate sophisticated and hard-to-detect e-gift card bot attacks.
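As an illustration of the first recommendation, the added example below (not from PerimeterX) draws codes from a cryptographic random source and compares how likely a single random guess is to match a live card under two designs. The card layout, alphabet and the figure of one million active cards are assumptions made for the comparison.

```python
import math
import secrets

# Crockford-style alphabet (no I, L, O, U) so codes survive retyping.
ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"

def generate_code(length=16):
    """Every character comes from the OS CSPRNG: no prefix, counter or check digit."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def issue(issued, length=16):
    """Issue a code that is not already in the `issued` set."""
    while True:
        code = generate_code(length)
        if code not in issued:
            issued.add(code)
            return code

def entropy_bits(alphabet_size, free_positions):
    """Bits of unpredictability in the positions an outsider must guess."""
    return free_positions * math.log2(alphabet_size)

def hit_probability(active_cards, alphabet_size, free_positions):
    """Chance that one uniformly random guess matches a live card."""
    return active_cards / alphabet_size ** free_positions

if __name__ == "__main__":
    active = 1_000_000  # constructed figure for cards in circulation
    # Assumed weak design: 16 digits = 6 fixed brand digits + 9 random + 1 check digit,
    # which leaves only 9 positions that actually have to be guessed.
    print("numeric:", round(entropy_bits(10, 9), 1), "bits, hit chance",
          hit_probability(active, 10, 9))
    # 16 random characters from the 32-symbol alphabet above.
    print("random :", entropy_bits(32, 16), "bits, hit chance",
          hit_probability(active, 32, 16))
    print("sample :", issue(set()))
```

Fixed prefixes and check digits lengthen a number without making it harder to guess; only the randomly drawn positions count toward the keyspace.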