they steal credit card information from a victim, then use it to buy gift cards, then sell the gift cards at a discount.

If it’s a gift card to a store that sells physical products, they can buy things and resell them. If not, they can sell the gift card to someone else for cheaper than the store value, which is already common in online marketplaces.

They either resell the cards at a discount or buy expensive products to resell. iPad Pros are a common option. It doesn’t much matter if they lose 20-30% of the face value of the gift card. Every cent they sell for is pure profit.

These gift cards are legitimate gift cards. A website can’t tell where you acquired it from. Even if they could, blocking the transaction would only harm the customer rather than the thief. Big ticket items have purchase limits to discourage resellers, but all that really accomplishes in making them use multiple accounts.

Even when resellers are blatantly obvious in store, the corporation has no incentive to take legal action. That would be costly, and the company has already been paid. Further, the actual scammers tend to throw a few bucks to someone in a vulnerable community to do the actual purchasing. You wouldn’t stop the scam by arresting them, and the only link they have to their boss is a burner number.

In addition to the methods being mentioned, another method is by using fake apps on Google Play or the iTunes store. Using the fraudulently acquired gift cards, scammers make in-app purchases on fake apps created for the sole purpose of funneling the gift card money into a ‘legitimate’ bank account, which can then be redistributed to everyone involved with the bonus of making it look like a legitimate business

They also steal gift cards from retail, scratch off and document the codes, then replace the scratch off material with a similar sticker. Then they replace the cards on the shelf, wait for someone to buy/activate them, then swoop in and redeem the value before the rightful purchaser. They have a program that continuously polls for the codes until it pops up with credits.

There are several ways. First there is a code on the back to put money from a gift card into an account this is what they are after. They can get that code in a couple of different ways the simplest is have a mark buy the card and give them the code by convincing the mark that they should. This is done by cold calling people and telling them that you are the irs or a bank or a grandson and need to be paid in giftcards.

another way to get the code is to take cards open them up and get the codes and somehow reseal the gift card so it doesn’t look tampered with. This requires you to constantly check the codes but eventually someone buys the card it becomes active and you take the money. This can be easily defeated by checking the packaging to ensure it hasn’t been tampered with.

How the scam works:

Steal photos of expensive, high-quality product

Advertise via Facebook at $20-$30

Only accept PayPal payments, not credit cards (this is important – see later)

When a customer orders an item, send something cheap – a keyring, a pair of kids sunglasses, whatever.

When item arrives, the buyer contacts PayPal for a refund as the wrong goods were delivered.

PayPal advises that under their Ts&Cs, they will only process a refund on proof of return postage at buyer’s expense.

Buyer goes to post office and discovers that the return postage to China costs more than the original purchase cost, so to get a refund, they have to lose even more money.

Buyer abandons refund request, so PayPal takes no action against the seller.

They steal gift cards from the display rack, carefully open them, record the numbers, reseal the card envelopes and return to the store.

When you purchase the card and the store activates it, we’ll it is typically not spent right away. You have it a couple days. You mail it to your friend, they try to use it later that week or month.

So the scammers check the card numbers periodically and jump on any that have been activated.

You would think that the gift card companies would pay attention to card numbers that are checked multiple times a week.

But as for scammers that get their victims to purchase cards… that’s digital cash. That’s cash in the cloud, a code on a spreadsheet.

Some gift cards can be used to buy bitcoins. Those can then be sold for money, and the origin of the money can not be traced that way.

They buy physical products and resell them on marketplaces like FB Marketplace, eBay, and OfferUp.

Companies like Apple and Google don’t care to make it harder, because they are not at risk for losses. If someone steals your Apple gift card, Apple is out nothing.

For context, I am an IT manager. Have been for 20+ years. Last year my wife made a purchase with an Apple gift card directly through [Apple.com](http://Apple.com), but a special offer discount wasn’t applied correctly, so she contacted Apple support.

Before I go further, please understand that I audited these events. I checked her browser history, email, and phone records. I can say with 100% certainty, and with the receipts to prove it, that she did not fall prey to a spear phishing attack or any other sophisticated attack. Her email address is protected by a strong password with 2FA that is not SMS based and incorporates biometric factors. Our shit is on full lock.

She spoke with an Apple representative who attempted to correct her order, but encountered difficulty. The rep asked her for the number on her gift card, and she provided it, assuming that because this was an verified Apple rep it was safe.

The rep “tried again”, but was only able to cancel the order. The rep then exfiltrated the gift card number, and that night the balance of the gift card was used to make purchases. We were able to salvage some amount of the gift card, because the refund amount hadn’t been credited to the card yet.

I am 100% confident that the Apple rep was the attack vector, because the only three places the gift card info had been disclosed was: A) my wife’s email where it sat for months unaffected, B) the Apple website where the purchase was made, and B) the Apple phone rep.

When confronted with these details, Apple’s reply was that “We cannot comment on how the gift card information may have been disclosed, but it is our policy that we do not refund gift car purchases attributed to fraud. We are sorry, but there is nothing we can do to help you.”

That was the end of it. This was after having provided full documentation about the chain of custody and records of the phone calls.

Bottom line is that gift cars are completely unregulated, so companies can implement whatever policies they like. This means they can put the risk of fraud 100% on the consumer, and they get the full benefit of the money spent to buy the cards.

EDIT: Because this has gotten some attention, I want to add that we uncovered a way to mitigate the risk of loss, with Apple gift cars specifically, to at least some degree. If you get an Apple gift card, you should immediately transfer the balance to your Apple ID. This associates it with your account, and any refunds must be issued to your account, rather than to a gift card. It eliminates the gift card altogether. So long as you use good security practices in your email and Apple ID, you’ll be at much lower risk of theft, since there are no numbers that can be simply exfiltrated.