Denver, CO
October 09, 2025

Thinking like a bad guy Part 2 – Stealing your $

We often hear about organizations that are attacked and lose a LOT of money – either by paying ransom, or just via stolen property.  However, a huge number of attacks are against individuals. A friend of mine, we’ll call him Jake, had the below incident happen to him just last weekend.

A couple of months ago he won a $50 gift card at a company event.  He went to a big box store with it and his kids and burned off all but about $3.00 on a lot of things they didn’t need.  After he made his purchase, he went home, and later decided to double-check the balance, assuming it would be $3.00 since the card had not been used prior.

He entered the URL that was printed on the back of the card….*or so he thought*.  When he typed in the address on his cell phone, it showed a list of “suggestions”.  Because he wasn’t really paying attention, he picked one that he *thought* he had used prior to register the card.  The URL he wound up with was attached to an excellent, legitimate-looking site – and, of course, it prompted for the card #, CVV, and expiration date.  Jake entered the correct data, and, imagine this – got an error message.  He then went to the website that he *should* have gone to, thinking he had mistyped something…and sure enough, there was an IMMEDIATE $2.99 charge to Google.  He called me wondering what in the world had happened.  I tried the site he went to (as it was saved in his browser history) – and surprise – it was no longer active.

In this instance, no big deal – he got scammed out of $3.00.  But what if it had been a $100 card, or more?  Multiply 2.99 by a couple of thousand and you get a really big number.  Think about this – Capital One reports that the global gift card market was valued at $984.3 billion in 2023 and is expected to reach $3.09 trillion by 2030.  That is a heckuva target for the bad guys….

So is it possible to get the money back?  The short answer is NO – once it’s gone, it’s gone.  There is no “ownership” tracking of a gift card.  When it is purchased, all the user needs is the card number, CVV, and expiration date.  It’s not attached to a person…that’s part of the reason bad guys try to get victims to use gift cards to pay them when they are posing as the IRS, Police, etc.

Is this fraud preventable?  The reality is that the page where the data was entered is a typical landing page for phishing attacks.  Bad guys know that if they make the site look somewhat reasonable, people will enter information.  One suggestion from Consumer Reports is to only buy gift cards online – directly from a reputable retailer.  There are also reports of bad guys taking a bar code from a legitimate, purchased gift card, making copies of that bar code on official-looking stickers, and then placing them on cards that hadn’t been sold yet.  Someone would buy one of these cards and load it with money – guess what?  That money would go to the bad guy’s card instead.  You can prevent this by buying only cards that are kept in a secure location (e.g., behind a counter).

The general rule is to be aware.  Ensure when typing in the URL of the card, that you are typing it EXACTLY as you should – or better yet, call the phone number that is typically printed next to the URL.  Only get cards from reputable retailers and those that are in a somewhat secure location.  Look for any evidence of tampering.  Or, better yet, don’t use a gift card at all.

Bad guys are gonna do bad things.  Stay vigilant and maintain that healthy paranoia.

 

© 2025, Think Like A Bad Guy. All rights reserved.
