How do scammers extract money from the gift cards they get? How is it that companies can’t stop them?

I was discussing different scam techniques I have heard of/seen with my husband the other day. I wondered out loud… “what do these guys do with iTunes or whichever gift cards they get?” Obviously they are not shopping at the Apple Store?

He said they have a way to get the money out of them, but didn’t know how it worked. I assume he’s right… now I am curious how this happens, and why can’t Apple or Google make it harder for the scammers to use their gift cards?

EDIT – lots of good explanations! I was talking specifically about gift card scammers who convince their victims over phone/email/text to purchase gift cards and send them the activated codes. TIL there are many ways to use gift cards to scam ppl.

20 Answers

Anonymous 0 Comments

They buy physical products and resell them on marketplaces like FB Marketplace, eBay, and OfferUp.

Companies like Apple and Google don’t care to make it harder, because they are not at risk for losses. If someone steals your Apple gift card, Apple is out nothing.

For context, I am an IT manager. Have been for 20+ years. Last year my wife made a purchase with an Apple gift card directly through [Apple.com](http://Apple.com), but a special offer discount wasn’t applied correctly, so she contacted Apple support.

Before I go further, please understand that I audited these events. I checked her browser history, email, and phone records. I can say with 100% certainty, and with the receipts to prove it, that she did not fall prey to a spear phishing attack or any other sophisticated attack. Her email address is protected by a strong password with 2FA that is not SMS based and incorporates biometric factors. Our shit is on full lock.

She spoke with an Apple representative who attempted to correct her order, but encountered difficulty. The rep asked her for the number on her gift card, and she provided it, assuming that because this was a verified Apple rep it was safe.

The rep “tried again”, but was only able to cancel the order. The rep then exfiltrated the gift card number, and that night the balance of the gift card was used to make purchases. We were able to salvage some amount of the gift card, because the refund amount hadn’t been credited to the card yet.

I am 100% confident that the Apple rep was the attack vector, because the only three places the gift card info had been disclosed were: A) my wife’s email where it sat for months unaffected, B) the Apple website where the purchase was made, and C) the Apple phone rep.

When confronted with these details, Apple’s reply was that “We cannot comment on how the gift card information may have been disclosed, but it is our policy that we do not refund gift card purchases attributed to fraud. We are sorry, but there is nothing we can do to help you.”

That was the end of it. This was after having provided full documentation about the chain of custody and records of the phone calls.

Bottom line is that gift cards are completely unregulated, so companies can implement whatever policies they like. This means they can put the risk of fraud 100% on the consumer, and they get the full benefit of the money spent to buy the cards.

EDIT: Because this has gotten some attention, I want to add that we uncovered a way to mitigate the risk of loss, with Apple gift cards specifically, to at least some degree. If you get an Apple gift card, you should immediately transfer the balance to your Apple ID. This associates it with your account, and any refunds must be issued to your account, rather than to a gift card. It eliminates the gift card altogether. So long as you use good security practices in your email and Apple ID, you’ll be at much lower risk of theft, since there are no numbers that can be simply exfiltrated.
