Step one: Use stolen credit card information to buy a boatload of gift cards. Step two: Try to sell those gift cards online for millions of dollars without getting caught.
If there's one way that criminals love to use your stolen credit card information, it's to rush out and buy a pile of gift cards for popular retailers like Walmart, Target and Amazon. Gift cards are easy to spend or sell and notoriously difficult to track.
However, as it turns out, that anonymity goes out of the window when you pull out a computer to sell those gift cards online. In a recent scheme described in a previously unreported federal court case, some person or persons based in Florida bought 45,000 gift cards for Walmart and other stores with stolen card info and then sold them on gift card exchange site Raise.com. The gift cards' face value ranged from $2 to $2,000 each and were sold for a total of $9 million on Raise.
The wrinkle? Authorities got onto the scam while it was still ongoing. Raise was tipped off by federal prosecutors and asked to keep the fraudsters' account open, Raise CEO George Bousis told Forbes, whose company has facilitated the sale of almost $1 billion in gift cards since it was founded in 2013.
"It's ridiculous. We have your social security number, IP address, all your bank information," says Bousis, referencing some of the information you have to enter in order to sell gift cards in bulk on his site. "I'm not sure how some of these people think they're going to get away with it."
In recent years, sites like Raise, Gift Card Granny and CardCash have popped up to facilitate the inevitable offloading of unwanted gift cards. (Some $91 billion will likely be added onto gift cards in the U.S. this year, according to Mercator Advisory Group.) To reduce fraud, Raise and other sites require extensive information from sellers and give a 100-day guarantee to buyers.
This has helped keep criminals at bay, even as they are increasingly flocking to gift cards to launder money, drawn largely by their difficultly to track.
The misuse of gift cards has escalated in the wake of high-profile hacks at Home Depot, Target and other retailers, which has put legions of credit card information in unsavory hands. The card data can be replicated on a physical credit card in a fashion that's similar to creating fake IDs for underage drinkers. Then accomplices holding those fake cards march into stores, use them to scoop up gift cards and sell the ill-gotten cards at pawn shops or mall kiosks.
"The real world of liquidating gift cards is face to face," says T. Jack Williams, president of ERAD Group, which equips police with a device to read prepaid cards and freeze or seize the assets. "Criminals don't like the online guys because they're not getting cash and they're leaving a trail."
The scheme out of Florida is a good example of what not to do. The investigation, spearheaded by the feds, ultimately relied on cooperation from some of the world's biggest retailers, banks and media companies.
Take Walmart, which sold $1.3 million in gift cards to the fraudster and was tasked with reviewing a sampling of them. It found that 200 cards were purchased at Walmart stores across the country. The majority of the credit and debit cards that were used, according to the banks, were ultimately closed due to fraudulent activity traced back to Walmart.
Authorities were then able to go to Raise to see how the scheme generated $7.5 million in proceeds (down from $9 million after the company took its fees and commissions), which was funneled into bank accounts, including ones held at Citi and Wells Fargo. This money was withdrawn, in cash, within a matter of days.
Raise provided the IP address associated with the account to help track down the fraudster. It was linked to Comcast, which, under subpoena, provided customer records that contained a street address. Prosecutors visited the address and seized $442,081 in cash. The defendant was seen making a getaway and "exiting that location with a black briefcase," according to court documents.
Unfortunately, it typically isn't this easy to follow the money. Once a gift card leaves the store, that's usually the end of the story, which poses a unique challenge to law enforcement. “Had the 9/11 terrorists used prepaid (stored-value) cards to cover their expenses, none of these financial footprints would have been available,” observed a U.S. Treasury Department report. The IRS has declared prepaid cards "the currency of criminals."
In order to prevent this type of fraud, many retailers are tightening their sales policies. At Walmart, you must show identification for gift card purchases of $5,000 or more, according to a spokesperson, and store managers have the authority to halt a transaction at any point. In 2014, drugstore chain CVS began requiring identification for $300 or more in gift card purchases; it also won't let you walk out of the store with more than $2,000 in gift cards in a given day.
"We have seen significant progress in this area over the years," says Carol Van Cleef, a lawyer at BakerHostetler who specializes in anti-money laundering in the prepaid card space.
The controls that have been put in place by Walmart and CVS go beyond what the law requires. Under the Bank Secrecy Act, a company that sells more than $10,000 in gift cards in a day to a single person paying in cash must file a currency transaction report with the federal government's Financial Crimes Enforcement Network. However there are no requirements for reporting purchases made with a credit card, including those made online.
Retailers, of course, want to sell as many gift cards as possible. They also want to keep regular customers happy. "There's always going to be concern about how to keep the lines moving but adequately protect ourselves," says Van Cleef.
For now, banks are the ones that lose out when things head south. When you call your credit card issuer and tell them about fraudulent activity on your card, they are the ones to make you whole. The rules vary if you're using a debit card, but if you report the fraud right away, you should be covered. "Issuers are losing billions of dollars," says Williams. "It's an epidemic."