Gift cards or data theft? Ensuring safe online shopping this festive season

November 27, 2023  |  Theodoros Karasavvas

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Gift cards have become a go-to Christmas present for many people, but their dramatic rise in popularity has also unfortunately made them a prime target for hackers.

The reason why gift cards are such a popular present is because of how practical they are to use. When you’re not sure what to buy someone, gift cards present an easy and accessible way to show someone how much you appreciate them.

But don’t allow the convenience of gift cards to get the better of your judgment in regard to security. It’s easy to think that gift cards are safe from cybercriminals, but in reality, gift card fraud (also known as gift card scamming) is a very real threat not only to retailers and business owners but to everyday individuals such as yourself as well. 

Overlooking basic cybersecurity hygiene when you’re rushing to score the best deals that you can online has always been a risk you’ve taken in the past, but it also may not be a risk you can afford to take this year.

Read on to find out why and how you can prevent it. 

Why do scammers like gift cards?

Gift card fraud is a bigger problem than most people realize. In 2022, for example, FTC data revealed that nearly $230 million was lost to gift card fraud, affecting more than 48,000 people in total.

Gift cards are popular with retailers because they present a very reliable stream of revenue. But at the same time, they prevent a viable opportunity for scammers to get away with easy money because of how difficult they are to track.

Scammers like gift card cards because they are easy to break into and also because they do not have the same level of security authentication that credit or debit cards have. Most cybercriminals will steal gift card numbers online from stores offering them. They can accomplish this by using botnets that perform brute force attacks. The only thing a criminal has to do is to test thousands of different combinations of PIN and gift card numbers before hacking into a user’s account and depleting the card of its funds. 

Furthermore, once the attack is completed, there’s usually no trace of the criminal’s identity and the funds cannot be traced. And even though most gift cards have limited amounts of money loaded on them (most gift cards run between $15 to $500 at the most), when cybercriminals are running their operations on a large scale they can turn a very sizable profit. 

Cybercriminals can also monetize gift cards by illegally selling them on the dark web or other third-party websites. Some of these websites will offer the ability to convert gift cards to cash at 30%+ of the total card value, presenting an easy way to make quick money. 

In the next section, we’ll dive into the specific types of gift card fraud that can affect you. 

Types of gift card scams 

Here are the most common types of gift card scams:

Fictitious ads

In this method, cybercriminals will post fake but realistic-looking advertisements for items ‘on sale’ on ecommerce websites where they will trick users to into sharing their gift card numbers to purchase the items. Once the money has been received, the ads will disappear, and the victim will be out of luck. 

In other words, people can fall for this trick the same way they can fall for other common types of identity theft, with people being unassuming since the threat comes from a harmless source (in this case, an online gift card for the holidays).

Gift card demand

In this method, cybercriminals will send a text message or a phone call to victims posing as a law enforcement or government agency and demanding you to pay them in gift cards (Amazon, Apple, and Google Play cards are the most commonly requested). They’ll demand that you purchase the cards and then provide them the gift card information, at which point they’ll disappear instantly. 

Another strategy in this same vein is for the cybercriminal to pose as someone you know, such as your boss, manager, friend, or family member. They can find this information out by looking at your social media or LinkedIn profiles. Pretending to be the person you know, they’ll ask you to purchase a gift card for them and to send the codes over, usually coming up with a story for why you need to do so in the process. 

This is one of the most common types of gift card fraud that can affect everyday people. 

Stealing codes 

This method is where an advanced cyber attacker will hack into the online database of a gift card company to find and monitor the gift card numbers and activation codes, usually via brute force attacks as we discussed above. 

You may go to purchase a card, and then once it’s been activated, the criminal will deplete it of its funds. Then when you or the recipient of the card goes to spend it, it won’t work because there’s no longer any money on the card. 

Generated gift cards 

Other times, cybercriminals will create websites or mobile apps that claim you can generate gift card codes that are redeemable at major retailers and online stores. After you’ve ‘purchased’ the gift card, the money will be transferred to the account of the cybercriminal, and the victim will end up with nothing.

Alternatively, scammers may offer you a gift card that simply has less value than what you paid for it. If this is the case, the card is either fake or was stolen. 

How to stop gift card scams 

The number one way to stop yourself from becoming a gift card scam is to be alert. Don’t have the mindset that “it will never happen to you,” because that’s exactly the same mindset that the thousands of other victims of gift card scams initially had as well.

Make sure you never provide your personal or financial data to unsolicited phone calls, text messages, or emails of any sort. No legitimate business, government agency, or law enforcement department will ask you to provide your personal or financial data for no reason, and they certainly won’t demand you to pay for anything via gift cards. Usually, however, fraudster cards are easy to detect. 

Another great way to ensure you’re safe is to use proper document management methods and steer clear of vulnerable mainstream solutions when it comes to recording your financial data, including your gift card numbers. If the gift card ends up being a malicious tool, accessing your deeds, personal information, or even work notes is best done through a protected platform (such as an encrypted PDF) and not Google Workspace or Office 365. 

If your boss or family member asks you via text message to buy them a gift card, you can rest assured that it’s not really your boss or family member. The very fact that your ‘boss’ or ‘family member’ is texting you via a different phone number (and usually one with a completely different area code) should tell you the whole story. 

Additionally, make sure you only shop with trusted businesses or online retailers that are PCI DSS compliant, meaning that they adhere to the twelve security standards for conducting transactions as set by the Payment Card Industry Security Standards Council (PCI DSS). In a nutshell, these standards are designed to ensure the ongoing encryption and authentication of customer personal and financial data. It’s a major red flag if a business is not PCI-DSS compliant or doesn’t even have a Visa or MasterCard seal of approval. 


Gift card fraud doesn’t have to ruin your holiday season. Remember that even though gift cards may be convenient to use, they can also be convenient for cybercriminals as well since the transactions cannot be tracked. Have fun shopping for your loved ones this upcoming holiday season but be on your guard at the same time.

Share this with others

Featured resources


Insights Report

2023 AT&T Cybersecurity Insights Report: Edge Ecosystem



2023 AT&T Cybersecurity Insights Report: Edge Ecosystem

Get price Free trial