Business email fraud makes gift card fraud even worse

Register now

The holidays are just around the corner. Retailers are getting ready for some of the most lucrative shopping weeks of the year. However, new risk sources threaten to jeopardize those profits.

By this point, most merchants are familiar—at least to some degree—with the threat posed by gift card fraud. But retailers may overlook the threat represented by compounding threat sources. To demonstrate, let’s examine the intersection of gift card fraud and an identity theft tactic known as business email compromise, or BEC.

BEC is a kind of digital wire fraud. It’s a fairly sophisticated attack method compared to other forms of identity fraud, through which a fraudster impersonates a legitimate, credentialed individual via email.
First, the hacker gains access to a company email account. The criminal uses that account to spoof the individual associated, digitally impersonating the user. In doing so, the criminal is often able to turn both employees and customers into unintentional accomplices. For instance, a fraudster could take over the email account of a management-level individual, then trick a subordinate employee into handing over sensitive customer data. The fraudster could even communicate with other parties on your behalf, which could devolve into a much broader, more public scandal.

This activity is more common than you might realize. Just a few weeks ago, the U.S. Department of Justice announced the arrest of 281 individuals as part of a global BEC fraud sting, including 74 people here in the U.S.

The U.S. Federal Bureau of Investigation identified more than 166,000 domestic and international BEC incidents between June 2016 and July 2019, resulting in roughly $26.2 billion in losses. Of course, that figure speaks only to identified cases; there could be many billions more in losses that go unreported due to embarrassment, or which are simply never identified.

BEC can also intersect with gift card fraud. It’s no secret that gift cards are a favored target for fraudsters. Gift cards have the same value as cash but are anonymous and digitally transferrable. Plus, more than half of consumers say they’re interested in buying or receiving gift cards, making them easy to resell and convert to liquid cash. One common tactic with which you may be familiar is a hacker impersonating someone from the IRS or other official organization. The fraudster emails victims, instructing them to use gift cards to pay for some made-up penalty. The fraudster then pockets the value of the gift card and vanishes.

Shockingly, tricking consumers into handing over gift cards is the goal behind two-thirds of business email compromise attacks. This translates to billions of dollars every year in illicit gift card sales.

Consumers have limited recourse for recovering their funds after a BEC attack. Generally, the only option is to turn to the bank to file a chargeback. And, while fraud did occur, this is not a legitimate use of the chargeback process, as the user still authorized the transaction. Thus, it falls under the purview of so-called friendly fraud.

Both consumers and merchants ultimately pay a considerable price for this activity. What can we do to prevent BEC-enabled gift card fraud? As a merchant, you have two key concerns: protecting your emails, and verifying your gift card buyers.

Thanks to new technological advancements, it’s now possible to impose multifactor authentication requirements on all devices that access your network. The technology remains limited, though. As a general rule, strict adherence to PCI compliance standards remains the best barrier against fraud. Requiring employees to lock all devices before stepping away, prohibiting users from sharing credentials, and enforcing strong and unique passwords, for instance, are all part of PCI compliance.

In addition to authenticating users, you can also survey your network data to review activity as well. This allows you to watch for suspicious devices or IP addresses accessing devices on the network, or suspicious emails sent via your network.

Then there’s the matter of preventing bad gift card sales. The key here is to be on the lookout for any transactions with a suspicious dollar value. A transaction involving a new buyer purchasing a high-dollar-value gift card, for example, should be subject to additional screening to determine if the sale is legitimate.

It’s not easy distinguishing business email compromise or gift card fraud; the matter becomes even more complicated when they’re compounded. But by examining the matter in multiple dimensions—as both a unified problem and as different threats in isolation—you stand a much better chance of protecting your bottom line heading into this holiday season and beyond.

For reprint and licensing requests for this article, click here.
Payment fraud Retailers Risk ISO and agent