The holiday season is an exciting time of year, bringing together family, friends, and lots of celebration. However, this time of year also presents a significant danger for individuals and organizations due to the increased prevalence of scamming and phishing activity. Cybercriminals are more active during the holiday season, as they recognize consumers may be more susceptible to social engineering tactics due to the high demand for holiday shopping.
Our research team at Bolster has even discovered a USPS phishing scam targeting shoppers and retailers this holiday season. This attack uses typosquat domains mimicking big brands to deceive users into entering their credit card information, addresses, and other PII, all because they think USPS is unable to deliver a package they ordered. While this might not be a persuasive tactic any other month out of the year, during December most consumers are utilizing online shopping and package delivery systems more heavily.
One of the most prevalent forms of holiday scams is phishing attempts. With the high volume of online shopping that occurs during this time, cybercriminals can easily send fake emails that appear to come from legitimate retailers, offering deals that are too good to be true. Once the victim clicks on the link contained in the email, their personal information and payment details are compromised, leaving them vulnerable to identity theft and financial fraud.
Gift card scams have also become increasingly prevalent in recent years, presenting a significant threat to both consumers and businesses. These scams exploit the popularity and convenience of gift cards, making them an easy target for unsuspecting individuals.
The Rise of Gift Card Scams
One reason gift card scams are so successful is because they play on people’s emotions and desires. Scammers often pose as legitimate organizations, such as government agencies, tech support, human resources, or even someone in your personal life, convincing victims that they are receiving a gift card, or even need to purchase gift cards as payment for debts, fees, or services. The urgency and emotional manipulation used in these scams can cloud judgment and prompt individuals to act quickly without questioning the legitimacy of the request.
Additionally, gift card scams are appealing because they offer anonymity for scammers. Gift cards are essentially equivalent to cash and do not require identification or personal information for activation. This allows scammers to receive payment without leaving a trace, making it difficult for law enforcement to track them down or for victims to recover their funds.
Gift card scams are continuing to grow in popularity, and the criminals continue to target well-known brands and unsuspecting consumers as they shop this holiday season. We’ve compiled an example of gift card scams from prior years, including ones targeting Apple’s line of Gift Cards.
The Apple gift card scam
The site below leverages a typosquat attack and uses a URL that looks like an authentic Apple gift card and could easily fool somebody looking to check their gift card balance.
The user is prompted to enter their gift card number to check their balance. Once they do, the site either hangs indefinitely or shows an error message. In some cases, it displays an invalid number message. Unfortunately for the user, if they get this far, it’s already too late. The criminal has the gift card number and has either sold it on a gift card exchange or used it to make a purchase of their own.
Apple’s gift cards are likely to be a popular gift during the holiday season given the company’s slate of new products launched every year. In 2020, Bolster Research found 1,645 phishing or scam Apple sites, and over 10,000 suspicious URLs that include the word “apple”, highlighting the true scam attacks targeting the big brand.
The sites were hosted on a number of top level domains (TLDs), which demonstrates the problem companies have continued to face as more TLDs are created every year. The traditional defensive method of proactive domain registrations is economically unfeasible given that a six letter domain results in 1,200 variations.
The Rise in Gift Card Scam Popularity
Gift cards are one of most popular gifting options for the holidays, especially as e-gift cards are now available by most major retailers including Amazon, Target and Best Buy. Cyber criminals have taken notice of the popularity in gift cards, and are launching specific online campaigns targeting them.
Bolster research has tracked giftcard scams in the past, and continues to notice a sharp rise in gift card scams as cyber criminals launch tactics to take advantage of the giving season, including:
- “Check your gift card balance” scams
These sites offer to help you check the balance of your gift cards but steal gift card numbers from consumers. - Survey scams with gift card offer
These sites offer bogus free gift cards for completing surveys, which are used to collect personal information which is sold for profit.
Breaking down the “check your gift card balance” scam
Target experienced a dramatic increase in e-commerce sales during the pandemic in 2020 and beyond. In August of 2020, the company announced that its digital sales tripled with online purchases and curbside pickup jumped by more than 700%(3). Not surprisingly, Target gift cards are one of the more popular online scams that year, as discovered by Bolster Research.
The screenshot below illustrates a fraudulent Target gift card balance checker site. The layout, text and colors are identical to the authentic Target gift card balance checking site, which can be viewed here. Unsuspecting users can easily be tricked to enter their gift card numbers. Once they enter the number, the site displays a never ending “checking balance” status or some sort of error misleading users into thinking the site is malfunctioning. In reality, the valid gift card numbers are harvested by the criminals and monetized by either reselling them on other sites or using them to make purchases.
Though the criminals went to a lot of effort to make this appear authentic, there are signs that this is not a legitimate Target site.
- None of the other URLs work. Clicking on the links to sign in, search store locations, or look at the weekly ads don’t function. The reason is because criminals do not want their victims to leave the scam site. Linking to the real Target site would allow the users to go to leave the site before entering their gift card numbers.
- The URL utilizes a typosquatting attack, utilizing a carefully chosen URL to trick users into believing it is an authentic Target site. The wording is slightly awkward with “…giftScard.com” but this could be easily overlooked. Target does seem to own “…giftcard.com” and “…giftcards.com.” These have been preemptively registered to prevent this type of attack. However, this scam site shows the limitations of preemptive domain registration as a defensive strategy. Bolster Research has an in-depth report that discusses the challenges of fighting typosquatting attacks and the limitations of preemptive domain registration.
More in-depth analysis, that would be typically beyond the technical abilities of the average consumer, confirms that this is not a legitimate Target site.
- The domain is registered to an entity in the state of Delhi, India. Target is a US-based company and would not register their domains in India.
- The site is hosted in Singapore through GoDaddy.com. GoDaddy is a consumer and small business service that is not used by large companies to host sites. Unless serving a foreign market, US companies host their sites in the US for the best user experience.
- The IP address has been used for phishing sites in the past. This data is available on Bolster’s free community service Checkphish.ai.
- The IP address is shared with other non-Target Indian business sites such as www.megabooster[.]in. Large multinational corporations like Target use their own IP addresses and do not share them with other sites.
Bolster Research also found other Target gift card scam sites that are less sophisticated and have a lower probability of tricking users. The official Target logos and colors are not used, and the text reads as the writer learned English as a second language.
The main image looks like it is the inside of a Target store. What is interesting, however, is that by avoiding the use of Target’s official logo, this site is more likely to evade detection. Most brand protection companies rely on the use of logos. Bolster discovered this site because its AI-driven platform combines highly accurate computer vision and natural language processing to assess the intent of the site, similar to how a human being would assess the site.
Analyzing the gift card survey scam
Gift card survey scams are also becoming more prolific in recent years. These sites claim they can check for unused gift card codes. They offer these for free to users if they take the time to fill out a short survey. The purpose of these sites appears to be the collection of personal and demographic information that they will sell to companies or others that find this information useful.
The URL pattern for the majority of these scams is consistent, and follows the template of https://[fake domain]/free-[brand name].html.
For example, the URLs below are examples of fake survey sites that look and operate exactly the same except for the gift card brand being offered:
- https://liveoffer.online/free-aliexpress-gift-cards[.]html
- https://liveoffer.online/free-bathandbody-gift-cards[.]html
- https://gamer007.club/free-forever21-gift-cards[.]html
- https://wepromocode.com/free-amazon-gift-cards[.]html
- https://promohub.xyz/free-google-play-gift-cards[.]html
- http://real-giveaway.com/giftcard/free-hbo-gift-cards[.]html
At face value, these survey scams seem overly simple, but the scam site itself is very sophisticated and masterfully creates a sense of urgency to keep unsuspecting victims engaged. Once a gift card amount is selected, the site displays visuals designed to make the victim believe that a database search is occurring as in the screenshot below. The database search results in a success, and a partial gift card code is revealed.
With the victim hooked, the site then proceeds to ask a series of survey questions to gather information such as name, address, phone number and date of birth. The survey continues to ask questions about spending habits, car insurance information, healthcare preferences, among other things. During the survey, the victim is required to explicitly opt-in to receive calls and text messages, even if they are listed on the federal or state do not call registry.
Unfortunately for the user, there is no gift card at the end of the survey. What actually happens is an endless set of surveys that cover more and more preferences and demographic details. The victim is constantly encouraged to take one more survey for a chance to win another gift card. It is obvious that the site was created by someone with an understanding of human psychology and gamification to encourage victims to reveal more and more personal information.
How to Avoid Gift Card Scams
As cyber criminals ramp up gift card scams this holiday season, there is a good chance the average shopper will come across one of these campaigns. You might also receive a gift card as a present and unknowingly become a target for one of these scams. Shoppers can stay safe and avoid becoming a victim of these scams by following these helpful tips:
- Always use the retailer’s site to check gift card balances. All retailers who offer gift cards have pages on their websites that allow shoppers to check gift card balances. Avoid checking your gift card balance on third party sites.
- Go to a site by typing the retailer’s URL directly. Do not use a search engine such as Google to find a gift card balance checker page. Scammers are known to deploy search engine optimization tactics to rank high on search engine queries to lure unsuspecting victims. Using a search engine could cause you to go to a fake URL that closely resembles the real site.
- Remember there are no free gift cards. Though it is tempting to believe that today is your lucky day, nobody gives out free $50 gift cards for a few minutes of your time. The logic is impossible.
Bolster works with some of the largest brands to protect their users and customers from online phishing and fraud scams such as gift card scams. If you would like to learn more about how Bolster’s AI platform uses trained LLM technology to identify and remove gift card scams targeting your customers, please contact us.
